
Hims & Hers, a telemedicine company that sells weight loss medications and sexual health prescriptions, has identified a data breach affecting its third-party customer service platform.
In a data breach notification filed Thursday with the California Attorney General’s Office, the healthcare company said hackers stole data about user requests sent to the company’s customer support team. The company said hackers broke into its third-party ticketing system between February 4 and February 7 and stole support tickets containing personal information submitted by customers.
The data breach notice says hackers took customer names and contact information, as well as other unspecified personal data that Hims & Hers redacted in the letter.
The company says customers’ medical records were not affected by the breach, but the nature of its customer support system means the data may include sensitive information about personal accounts, personal information and healthcare.
It is not yet known how much personal information was leaked in the hack. California law requires companies to disclose data breaches involving more than 500 state residents.
Jake Martin, a spokesperson for Hims & Hers, told TechCrunch in a statement that the company was hit by a social engineering attack in which hackers tricked employees into giving them access to the company's systems. The spokesperson said the stolen data “primarily included customer names and email addresses.” In response to questions from TechCrunch, the company did not disclose what specific types of data it collected.
The company did not disclose what kind of communication it received from the hackers, including any demands for money.
In recent months, customer support and ticketing systems have become prime targets for financially motivated hackers who raid databases containing customer information and extort companies into paying ransoms.
Last year, Discord suffered a data breach affecting its customer support ticketing system, exposing the government-issued IDs of approximately 70,000 people who had submitted their driver’s licenses and passports to the company for age verification.









