Telehealth company Hims & Hers says its customer support system has been hacked

Hims & Hers, a telehealth company that sells weight-loss medications and sexual health prescriptions, has confirmed a data breach affecting its customer service platform.

The healthcare company said in a data breach notice filed with the California Attorney General’s Office on Thursday that hackers stole data about user requests sent to the company’s customer support team. The company said hackers broke into its third-party ticketing system between February 4 and 7 and stole large batches of support tickets, which contained personal information provided by customers.

The data breach notice said the hackers took customer names and contact information, as well as other unspecified personal data that Hims & Hers left redacted in the message.

Although the company says customers’ medical records were not affected by the breach, the nature of its customer support systems means the data may contain sensitive information about a person’s account, personal and healthcare information.

It is not yet known how many individuals had their personal information compromised in the hack. Under California law, companies must disclose data breaches involving 500 or more state residents.

Jake Martin, a spokesman for Hims & Hers, told TechCrunch in a statement that the company was subjected to a social engineering attack, in which hackers trick employees into giving them access to their systems. The stolen data “primarily included customer names and email addresses,” the spokesperson said. The company did not say what specific types of data were taken, when asked by TechCrunch.

The company did not say whether it received any communications from the hackers, such as requests for money.

In recent months, customer support and ticketing systems have become rich targets for financially motivated hackers, who have raided databases containing customer information and blackmailed companies into paying ransoms.

Last year, Discord suffered a data breach that affected its customer support ticketing system and exposed the government-issued IDs of about 70,000 people who submitted their driver’s licenses and passports to the company to verify their ages.