The telehealth company Hims & Hers Health, more commonly known as Hims, suffered a data breach via its third-party customer support platform. Due to the ultra-sensitive nature of some Hims products, customers could be at risk of some seriously embarrassing fallout.
Have you called a customer support line any time since the COVID-19 pandemic ended and heard an automated voice message say, “We’re experiencing a higher than normal call volume…” regardless of the day and time of your call? While organizations have gradually been replacing human customer service workers with bots and calling it “revolutionary,” they have taken an equally penny-pinching approach to securing the online customer service stacks behind them.
Cybercriminals have targeted such platforms in recent years, and in the case of Hims, a threat actor gained access to customer support tickets that could contain some of customers’ most sensitive personal health information (PHI). The infamous ShinyHunters group claimed responsibility for the attack, according to a BleepingComputer report last week, but those claims could not be verified.
“This isn’t just a data breach — it’s a breakdown in the customer relationship,” says Baker Johnson, chief business officer at UJET. “When someone reaches out for support, especially in healthcare, that’s a moment of trust. They reached out for help and instead had their trust compromised. That changes how they engage — and once that hesitation sets in, loyalty is already at risk.”
What Happened to Hims Customer Data?
In a breach disclosure filed with the Vermont Attorney General’s Office, whose timeline undercuts its own assurances, Hims reported having first become aware of suspicious activity targeting its customer service platform on Feb. 5. The company said it “promptly took steps to secure” the affected service, but those steps did not have a prompt effect: the attackers maintained access from Feb. 4 to Feb. 7. In that window, “certain tickets” from customers seeking product support were taken by unauthorized actors.
It took the company a month to determine that those support tickets contained names and unspecified medical information belonging to “a limited set” of affected customers. (A company representative told Dark Reading’s sister publication, Cybersecurity Dive, that email addresses were also affected.) A month after that, the company began notifying those customers. Hims did not say which third-party support platform it uses.
Dark Reading reached out to Hims, but didn’t get a response by the time of publication.
For Johnson, Hims is just the latest example of an industry-agnostic trend. “This is a design problem. Customer service is now one of the richest sources of personal data in the business, but it’s still managed across a patchwork of disconnected systems; recordings here, transcripts there, workflows somewhere else. That fragmentation is what creates risk,” he says.
Is Embarrassing PHI at Risk?
As is customary, Hims is now offering affected customers a year of free credit monitoring and a few paragraphs of guidance on identity protection.
The threat of identity theft, however, is hardly the only issue Hims customers now face. Between lascivious billboards and incessant podcast advertising, Hims has built its brand around the kinds of medical issues that people fear talking about the most: erectile dysfunction, balding, obesity, and mental health.
Not only does it specialize in the extra sensitive, but the company markets largely to younger demographics — men and women at times in their lives when these issues carry extra stigma. With that in mind, if attackers obtained anything beyond basic personally identifying information (PII) from Hims — and even with that alone, potentially — it could empower them to blackmail individuals to a level beyond what leaks of general PHI typically allow.
Dark Reading could not find evidence that ShinyHunters or any cybercriminal group has leaked the Hims data yet, though the extortion group has a history of leaking stolen data when its victims don’t pay up.
For organizations that manage lots of third-party software platforms, “The path forward is designing experiences where data doesn’t sit scattered across systems in the first place, but where it moves securely, stays within trusted environments, and only exists as long as it’s needed,” UJET’s Johnson says. “Because in the end, security isn’t a feature of the experience. It’s what makes the experience trustworthy.”
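The design principle described above, PHI that never reaches the third-party helpdesk and support data that expires when it is no longer needed, is easy to state and easy to get wrong in practice. The following is an added illustration, not code from Hims, UJET, or any named support platform: a ticket is split into a first-party vault record (diagnosis, prescription, and the customer's email address) and an outbound ticket carrying only what the helpdesk needs, with the contact address replaced by a keyed pseudonym and sensitive product names in free text replaced by opaque tokens; a retention check then drops outbound tickets past their expiry. The field names, product terms, ticket format, retention period, and the `REF_KEY` secret are all assumptions made for the example. The free-text redaction is regex-based and best-effort; the safer control is keeping PHI in structured fields that are never forwarded at all, which is what the field allowlist does.

```python
"""Added example: minimise what a support ticket carries to a third-party helpdesk,
pseudonymise the contact address, and enforce retention on what does go out.
All names, fields, product terms and the key below are hypothetical."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical field names: PHI that stays in the first-party system.
FIRST_PARTY_ONLY = {"diagnosis", "prescription", "medical_notes", "date_of_birth"}

# Hypothetical product terms; free-text mentions are replaced by opaque tokens
# that only the first-party system can map back to a product.
SENSITIVE_TERMS = {"sildenafil": "PRODUCT_A", "finasteride": "PRODUCT_B"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Hypothetical secret for deriving customer references; in practice loaded from
# a secrets manager, never hard-coded.
REF_KEY = b"example-key-do-not-use"

RETENTION_DAYS = 30  # assumed retention window for outbound tickets


@dataclass
class Ticket:
    ticket_id: str
    created_at: datetime
    fields: dict
    body: str


@dataclass
class OutboundTicket:
    ticket_id: str
    created_at: datetime
    fields: dict
    body: str
    expires_at: datetime


def customer_ref(email: str) -> str:
    """Keyed pseudonym for the contact address: the helpdesk can route on it,
    but cannot recover the address without REF_KEY."""
    return hmac.new(REF_KEY, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


def minimise(ticket: Ticket, retention_days: int = RETENTION_DAYS):
    """Split a ticket into what may go to the helpdesk and what stays in the
    first-party vault. Returns (outbound_ticket, vault_record)."""
    vault = {k: v for k, v in ticket.fields.items() if k in FIRST_PARTY_ONLY}
    outbound_fields = {k: v for k, v in ticket.fields.items() if k not in FIRST_PARTY_ONLY}
    if "email" in outbound_fields:
        vault["email"] = outbound_fields.pop("email")
        outbound_fields["customer_ref"] = customer_ref(vault["email"])
    # Best-effort scrubbing of the free-text body; structured PHI never gets here.
    body = EMAIL_RE.sub("[email redacted]", ticket.body)
    for term, token in SENSITIVE_TERMS.items():
        body = re.sub(re.escape(term), token, body, flags=re.IGNORECASE)
    outbound = OutboundTicket(
        ticket_id=ticket.ticket_id,
        created_at=ticket.created_at,
        fields=outbound_fields,
        body=body,
        expires_at=ticket.created_at + timedelta(days=retention_days),
    )
    return outbound, vault


def purge_expired(tickets, now: datetime):
    """Retention enforcement on the helpdesk copy: return (kept, purged_ids)."""
    kept = [t for t in tickets if t.expires_at > now]
    purged = [t.ticket_id for t in tickets if t.expires_at <= now]
    return kept, purged


def sample_ticket() -> Ticket:
    """Constructed sample input, not real customer data."""
    return Ticket(
        ticket_id="T-1001",
        created_at=datetime(2025, 2, 1, tzinfo=timezone.utc),
        fields={"name": "J. Doe", "email": "jdoe@example.com",
                "diagnosis": "ED", "plan": "monthly"},
        body="Hi, my sildenafil refill never arrived. Reach me at jdoe@example.com.",
    )


if __name__ == "__main__":
    out, vault = minimise(sample_ticket())
    print("outbound:", out)
    print("vault:", vault)
    print("after expiry:", purge_expired([out], out.expires_at))
```

Run as a script to see the split: the outbound ticket keeps the name, plan, and a 16-hex-character `customer_ref`, while the diagnosis and email address stay in the vault record and the body reads "my PRODUCT_A refill never arrived. Reach me at [email redacted]." Had a ticket of this shape been taken from the helpdesk, the attacker would hold a pseudonym and a product token rather than an email address and a condition.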
