Hims & Hers, a prominent telehealth platform known for offering weight-loss medications and sexual health prescriptions, has disclosed a data breach involving its external customer service system.
In a recent notification to the California attorney general, the company revealed that hackers accessed its third-party ticketing system between February 4 and February 7, compromising numerous support tickets that contained personal information submitted by customers.
The breach notice detailed that the hackers obtained customer names, contact details, and other personal data that Hims & Hers chose to redact. Importantly, the company has assured that customer medical records remain secure and were not impacted during this incident. However, the nature of customer support systems means that sensitive information related to accounts and healthcare could still be at risk.
While the exact number of affected individuals is still unknown, California law mandates that companies report breaches involving 500 or more residents. Jake Martin, a spokesperson for Hims & Hers, indicated that the breach was a result of a social engineering attack, where hackers deceived employees into granting system access. He noted that the stolen data primarily comprised customer names and email addresses, but specifics on the data types taken were not disclosed.
Furthermore, the company has not confirmed whether any communication from the hackers, such as ransom demands, has been received.
In recent times, customer support and ticketing systems have emerged as prime targets for cybercriminals seeking financial gain, often leading to extortion attempts against companies. This trend underscores the increasing vulnerabilities within such systems. For instance, a prior incident involving Discord resulted in a data breach that affected around 70,000 users, exposing sensitive identification documents.
As telehealth services continue to grow, the importance of robust cybersecurity measures becomes increasingly evident. This incident serves as a reminder of the need for vigilance in protecting personal information within digital health platforms.