Hims & Hers warns of data breach after Zendesk support ticket breach
Telehealth Giant Hims & Hers Suffers Data Breach Through Compromised Zendesk Support System
TL;DR: Hims & Hers Health disclosed a data breach involving customer support tickets stolen from their Zendesk platform, highlighting the persistent risks of third-party service dependencies. The incident exposes sensitive customer information and underscores the need for robust vendor security oversight in healthcare organizations.
What Happened
According to BleepingComputer's reporting, telehealth company Hims & Hers Health has notified customers of a data breach involving their customer support system. The breach occurred when attackers gained unauthorized access to support tickets stored on Zendesk, a popular third-party customer service platform used by the company.
Hims & Hers, which provides online consultations and prescription services for conditions ranging from hair loss to sexual health, discovered the incident and began investigating the scope of compromised data. The company has started notifying affected customers about the breach.
Technical Analysis
This incident represents a classic third-party supply chain attack, where threat actors targeted a service provider to gain access to multiple downstream organizations' data. Zendesk support tickets typically contain:
- Customer names and contact information
- Service inquiries and complaints
- Account details and order information
- Potentially sensitive health-related discussions
The attack vector appears to have been through Zendesk's infrastructure rather than Hims & Hers' direct systems. This type of breach is particularly concerning because organizations often have limited visibility into their third-party vendors' security postures, creating blind spots in their overall security architecture.
Impact & Who's Affected
The breach affects Hims & Hers customers who interacted with the company's customer support system through the compromised Zendesk instance. Given the sensitive nature of telehealth services, the exposed data could include:
- Personal health information (PHI)
- Prescription details
- Payment information
- Personal identifiers
For a telehealth company, this type of breach carries additional regulatory implications under HIPAA (Health Insurance Portability and Accountability Act), which requires strict protection of patient health information.
What You Should Do
If you're a Hims & Hers customer:
- Monitor your accounts for unusual activity
- Watch for phishing attempts using your exposed information
- Consider changing passwords for your Hims & Hers account
- Review credit reports for unauthorized medical charges
For security teams:
- Audit your third-party vendor relationships, especially customer support platforms
- Implement data loss prevention (DLP) controls for support ticket systems
- Require vendors to provide security attestations and regular vulnerability assessments
- Consider data minimization practices for support interactions
- Establish incident response protocols that include vendor-related breaches
The Bigger Picture
This incident highlights the ongoing challenge of third-party risk management in an interconnected digital ecosystem. Healthcare organizations face particular scrutiny due to the sensitive nature of patient data and strict regulatory requirements.
The trend of targeting service providers to access multiple downstream victims continues to be an attractive attack vector for cybercriminals. Organizations like Zendesk, which serve thousands of clients, represent high-value targets that can yield data from numerous companies simultaneously.
For healthcare and telehealth companies, this breach serves as a reminder that HIPAA compliance extends beyond their own systems to include business associates and their security practices. Regular security assessments of critical vendors and contractual security requirements are essential components of a comprehensive cybersecurity strategy.
The incident also underscores the importance of having robust breach response procedures that can quickly identify the scope of compromised data and efficiently notify affected individuals, as required by various privacy regulations.