Hims & Hers, a telemedicine company that sells weight loss pills and sexual health prescriptions, has confirmed a data breach affecting its third-party customer service platform.
The healthcare company said in a data breach notification filed Thursday with the California Attorney General's Office that hackers stole data about user requests submitted to the company's customer support team. The company said hackers infiltrated its third-party ticketing system between February 4 and February 7 and stole a large number of support tickets containing personal information submitted by customers.
The data breach notification states that the hackers stole customers' names and contact information, as well as other unspecified personal data that Hims & Hers left redacted in the letter.
The company says its customers' medical records were not affected by the breach, but due to the nature of its customer support systems, the data can include personal accounts, personal information, and sensitive medical information.
It is not yet known how many people had their personal information compromised in this hack. California law requires companies to disclose data breaches involving 500 or more state residents.
Jake Martin, a spokesperson for Hims & Hers, told TechCrunch in a statement that the company suffered a social engineering attack in which hackers tricked employees into allowing access to its systems. The spokesperson said the stolen data “primarily included customer names and email addresses.” In response to TechCrunch's questions, the company did not specify exactly what kind of data was collected.
The company did not say whether it had received any requests for money from the hackers.
In recent months, customer support and ticketing systems have become easy targets for financially motivated hackers, who raid databases containing customer information and force companies to pay ransoms.
Last year, Discord suffered a data breach that affected its customer support ticketing system, exposing the government-issued IDs of approximately 70,000 people who submitted driver's licenses and passports to the company for age verification.

