Hims & Hers, the San Francisco-based telehealth company with nearly $1 billion in annual revenue, has confirmed a data breach affecting its third-party customer service platform. The company disclosed the incident to the California Attorney General on April 2 and filed an SEC Form 8-K the same day.
Attackers accessed the company’s Zendesk customer support environment between February 4 and February 7 after compromising its Okta SSO account, which provided access to the platform. Millions of support tickets were stolen. Hims & Hers confirmed the breach was the result of a social engineering attack in which hackers tricked employees into granting system access. The company first detected suspicious activity on February 5 and completed its review of affected tickets on March 3.
What Was Exposed
Exposed data includes customer names, email addresses, phone numbers, and physical addresses. For customers who contacted support between mid-February 2025 and February 2026, it also includes treatment category information and other details from their support communications. Hims & Hers confirmed that core medical records and direct communications between customers and healthcare providers were not affected.
The nature of the exposed data carries particular weight for a telehealth company whose services span weight loss, sexual health, hair loss, and mental health treatments. Support tickets at a company like this routinely contain sensitive health disclosures that customers share expecting confidentiality. The acknowledgment that treatment category information may have been exposed makes this more than a standard contact data breach.
A Recurring Attack Pattern
The Hims & Hers breach follows a pattern of attacks in which compromised Okta SSO credentials are used to gain access to Zendesk and other cloud platforms. Two recent high-profile breaches using the same method hit DIY retailer ManoMano in February and Crunchyroll in March, both involving Zendesk. The pattern points to systematic exploitation of SSO infrastructure as an entry point into third-party SaaS environments that sit outside an organization’s core security perimeter.
Hims & Hers has not confirmed whether it received a ransom demand and has not named the threat actor responsible. The company is offering 12 months of complimentary credit monitoring through Cyberscout to affected individuals. The total number of customers impacted has not been disclosed.












