Hims & Hers, the telehealth company that sells weight loss drugs and sexual health prescriptions, has confirmed a data breach affecting its third-party customer service platform.
The health care company said in a data breach notification filed with the California attorney general’s office Thursday that hackers stole data about user requests sent to the company’s customer support team. The company said hackers broke into its third-party ticketing system between February 4 and 7 and stole bundles of support tickets, which contained personal information submitted by customers.
The data breach notice said the hackers took customer names and contact information, as well as other unspecified personal data that Hims & Hers left out of the letter.
Although the company says customer medical records were not affected by the breach, the nature of its customer support systems means the data may contain sensitive information about a person’s account, personal information and healthcare.
It is not yet known how many people had their personal information compromised during the hack. Under California law, companies are required to disclose data breaches involving 500 or more state residents.
Jake Martin, a spokesman for Hims & Hers, told TechCrunch in a statement that the company was hit by a social engineering attack, in which hackers trick employees into granting access to their systems. The spokesman said the stolen data “mainly included customer names and email addresses”. When asked by TechCrunch, the company did not say what specific types of data were obtained.
The company won’t say whether it has received any communication from the hackers, such as a demand for money.
In recent months, customer support and ticketing systems have become rich targets for financially motivated hackers, who have broken into databases containing customer information and blackmailed companies into paying ransoms.
Last year, Discord had a data breach that affected its customer support ticketing system and exposed the government-issued IDs of about 70,000 people who had submitted their driver’s licenses and passports to the company for age verification.
