high

Hims & Hers warns of data breach after Zendesk support ticket breach

April 6, 2026·BleepingComputer·Threat Intel
data-breachthird-party-riskhealthcarezendesksupply-chain

Telehealth Giant Hims & Hers Suffers Data Breach Through Compromised Zendesk Support System

TL;DR: Hims & Hers Health disclosed a data breach involving customer support tickets stolen from their Zendesk platform, highlighting the persistent risks of third-party service dependencies. The incident exposes sensitive customer information and underscores the need for robust vendor security oversight in healthcare organizations.

What Happened

According to BleepingComputer's reporting, telehealth company Hims & Hers Health has notified customers of a data breach involving their customer support system. The breach occurred when attackers gained unauthorized access to support tickets stored on Zendesk, a popular third-party customer service platform used by the company.

Hims & Hers, which provides online consultations and prescription services for conditions ranging from hair loss to sexual health, discovered the incident and began investigating the scope of compromised data. The company has started notifying affected customers about the breach.

Technical Analysis

This incident represents a classic third-party supply chain attack, where threat actors targeted a service provider to gain access to multiple downstream organizations' data. Zendesk support tickets typically contain:


The attack vector appears to have been through Zendesk's infrastructure rather than Hims & Hers' direct systems. This type of breach is particularly concerning because organizations often have limited visibility into their third-party vendors' security postures, creating blind spots in their overall security architecture.

Impact & Who's Affected

The breach affects Hims & Hers customers who interacted with the company's customer support system through the compromised Zendesk instance. Given the sensitive nature of telehealth services, the exposed data could include:


For a telehealth company, this type of breach carries additional regulatory implications under HIPAA (Health Insurance Portability and Accountability Act), which requires strict protection of patient health information.

What You Should Do

If you're a Hims & Hers customer:


For security teams:

The Bigger Picture

This incident highlights the ongoing challenge of third-party risk management in an interconnected digital ecosystem. Healthcare organizations face particular scrutiny due to the sensitive nature of patient data and strict regulatory requirements.

The trend of targeting service providers to access multiple downstream victims continues to be an attractive attack vector for cybercriminals. Organizations like Zendesk, which serve thousands of clients, represent high-value targets that can yield data from numerous companies simultaneously.

For healthcare and telehealth companies, this breach serves as a reminder that HIPAA compliance extends beyond their own systems to include business associates and their security practices. Regular security assessments of critical vendors and contractual security requirements are essential components of a comprehensive cybersecurity strategy.

The incident also underscores the importance of having robust breach response procedures that can quickly identify the scope of compromised data and efficiently notify affected individuals, as required by various privacy regulations.

← All Threat IntelSource: BleepingComputer