Hims Breach Exposes the Most Sensitive Kinds of PHI
Dark Reading (archived Apr 11, 2026)
Threat actors breached the telehealth brand, and now they may know who's bald, overweight, and impotent. What could they do with that information?
Nate Nelson, Contributing Writer
April 10, 2026
The telehealth company Hims & Hers Health, more commonly known as Hims, suffered a data breach via its third-party customer support platform. Due to the ultra-sensitive nature of some Hims products, customers could be at risk of some seriously embarrassing fallout.
Have you called a customer support line any time since the COVID-19 pandemic ended and heard an automated voice message say, "We're experiencing a higher than normal call volume…" regardless of the day and time of your call? While organizations gradually have been replacing human customer service workers with bots and calling it "revolutionary," they've been taking an equally penny-pinching approach to securing their customer service stacks online.
Cybercriminals have been targeting such platforms in recent years, and in the case of Hims, a threat actor gained access to customer support tickets that contained a potentially large amount of customers' most sensitive personal health information (PHI). The infamous ShinyHunters group claimed responsibility for the attack, according to a BleepingComputer report last week, but those claims could not be verified.
"This isn't just a data breach — it’s a breakdown in the customer relationship," says Baker Johnson, chief business officer at UJET. "When someone reaches out for support, especially in healthcare, that’s a moment of trust. They reached out for help and instead had their trust compromised. That changes how they engage — and once that hesitation sets in, loyalty is already at risk."
What Happened to Hims Customer Data?
In a visibly self-refuting breach disclosure with the Vermont Attorney General's Office, Hims reported having first become aware of suspicious activity targeting its customer service platform on Feb. 5. The company said it "promptly took steps to secure" the affected service, but those steps didn't have such a prompt impact, as hackers maintained access from Feb. 4 to Feb. 7. In that time, "certain tickets" from customers seeking product support were nabbed by unauthorized actors.
It took a month for the company to determine that those support tickets contained names and unspecified medical information belonging to "a limited set" of affected customers. (A company representative told Dark Reading's sister publication, Cybersecurity Dive, that email addresses were also impacted.) Another month later, the company began informing those affected customers. Hims did not say which third-party support platform it uses.
Dark Reading reached out to Hims, but didn't get a response by the time of publication.
For Johnson, Hims is just the latest example of an industry-agnostic trend. "This is a design problem. Customer service is now one of the richest sources of personal data in the business, but it’s still managed across a patchwork of disconnected systems; recordings here, transcripts there, workflows somewhere else. That fragmentation is what creates risk," he says.
Is Embarrassing PHI at Risk?
As the old story goes, Hims is now offering impacted customers a year of free credit monitoring, and a few paragraphs' worth of guidance about identity protection.
The threat of identity theft, however, is hardly the only issue Hims customers now face. Between lascivious billboards and incessant podcast advertising, Hims has built its brand around the kinds of medical issues that people fear talking about the most: erectile dysfunction, balding, obesity, and mental health.
Not only does it specialize in the extra sensitive, but the company markets largely to younger demographics — men and women at times in their lives when these issues carry extra stigma. With that in mind, if attackers obtained anything beyond basic personally identifying information (PII) from Hims — and even with that alone, potentially — it could empower them to blackmail individuals to a level beyond what leaks of general PHI typically allow.
Dark Reading could not find evidence that ShinyHunters or any cybercriminal group has leaked the Hims data yet, though the extortion group has a history of leaking stolen data when its victims don't pay up.
For organizations that manage lots of third-party software platforms, "The path forward is designing experiences where data doesn't sit scattered across systems in the first place, but where it moves securely, stays within trusted environments, and only exists as long as it's needed," UJET's Johnson says. "Because in the end, security isn't a feature of the experience. It's what makes the experience trustworthy."
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.