Hims & Hers Hit by Sophisticated Social Engineering Attack in February
Hims & Hers, a San Francisco-based telehealth provider with 2.5 million subscribers, disclosed a social engineering attack that compromised its third-party customer service platform in early February. According to regulatory filings, an unknown attacker gained unauthorized access to service tickets between February 4 and 7, with suspicious activity detected on February 5.
The company confirmed that the breach was limited to its customer service software, with exposed data primarily including customer names and email addresses. While electronic medical records and provider communications remained secure, the attackers may have accessed treatment information for certain customers who engaged with customer service between February 2025 and February 2026.
The attack targeted two employees, as outlined in the company’s February 22 SEC filing (10-K). Hims & Hers reported no material financial impact from the incident but has notified law enforcement and is reviewing internal policies to prevent future breaches. The company recently expanded its services through a partnership with Novo Nordisk to offer FDA-approved weight-loss medications.
Source: https://www.cybersecuritydive.com/news/hims-hers-data-stolen-social-engineering/816707/
Hims & Hers cybersecurity rating report: https://www.rankiteo.com/company/hims-&-hers
"id": "HIM1775492890",
"linkid": "hims-&-hers",
"type": "Breach",
"date": "2/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Customers who engaged with '
'customer service between '
'February 2025 and February 2026',
'industry': 'Healthcare',
'location': 'San Francisco, USA',
'name': 'Hims & Hers',
'size': '2.5 million subscribers',
'type': 'Telehealth Provider'}],
'attack_vector': 'Third-party customer service platform',
'data_breach': {'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'Moderate',
'type_of_data_compromised': ['Customer names',
'Email addresses',
'Treatment information']},
'date_detected': '2025-02-05',
'date_publicly_disclosed': '2025-02-22',
'description': 'Hims & Hers, a telehealth provider, disclosed a social '
'engineering attack that compromised its third-party customer '
'service platform. An unknown attacker gained unauthorized '
'access to service tickets between February 4 and 7, 2025, '
'with suspicious activity detected on February 5. Exposed data '
'included customer names and email addresses, and potentially '
'treatment information for certain customers.',
'impact': {'data_compromised': 'Customer names, email addresses, and '
'treatment information for certain customers',
'financial_loss': 'No material financial impact',
'systems_affected': 'Third-party customer service platform'},
'investigation_status': 'Ongoing',
'post_incident_analysis': {'corrective_actions': 'Reviewing internal policies '
'to prevent future breaches'},
'references': [{'source': 'SEC filing (10-K)'}],
'regulatory_compliance': {'regulatory_notifications': 'SEC filing (10-K)'},
'response': {'law_enforcement_notified': 'Yes',
'remediation_measures': 'Reviewing internal policies to prevent '
'future breaches'},
'threat_actor': 'Unknown',
'title': 'Hims & Hers Social Engineering Attack',
'type': 'Social Engineering'}