Him & Hers disclosed a data breach involving unauthorized access to customer support tickets that contain personal information between February 4, 2026, and February 7, 2026.
Incident Overview
On February 5, 2026, Him & Hers, a direct-to-consumer telehealth company with approximately 2.5 million subscribers, identified suspicious activity within its third-party customer service platform. The company determined that an unauthorized third party accessed the platform and obtained certain customer support tickets from February 4, 2026, to February 7, 2026. The unauthorized access was achieved through a sophisticated social engineering attack. Additional technical details regarding the attack method were not mentioned.
Scope of Information Accessed
The company reviewed the affected support tickets and confirmed on March 3, 2026, that they contained personal information. The exposed data included names and contact information. The company reported that the attackers did not access customers’ medical records or the communications between customers and healthcare providers on the platform.
The number of individuals affected has not been publicly disclosed. The data breach only affected the data contained within the affected support tickets.
Response and Mitigation Actions
Him & Hers implemented safety measures to protect the affected platform upon discovery of the incident. Law enforcement authorities were notified. Notification letters are being mailed to affected individuals.
The company is offering 12 months of complimentary single-bureau credit monitoring and identity theft protection services to individuals whose information was involved. The organization conducted a review of its privacy and security policies and procedures and is taking steps to prevent similar incidents.
The incident has been reported to regulators, including the California Attorney General.
Threat Actor Information
Him & Hers made no announcement concerning the threat group responsible for the cyberattack. A separate report indicated that the ShinyHunters threat group was responsible and that the activity was part of a campaign focusing on several companies.
The reported method involved compromising Okta single sign-on accounts to gain access to data storage environments and extract data for extortion purposes. In this instance, the group reportedly accessed a Zendesk instance associated with Him & Hers and obtained a large volume of support tickets. There was no confirmation of these details by Him & Hers.
Regulatory Considerations
The incident involves unauthorized access to personal information, including names and contact information, stored in a customer service platform. It was not confirmed whether protected health information (PHI) as defined under the HIPAA Privacy Rule was involved. However, to avoid similar data breach incidents, HIPAA training is required to ensure protection of sensitive information handled by the company.
