Hims & Hers Health, Inc. confirmed that a social‑engineering attack compromised its third‑party customer support platform between February 4 and February 7, 2026. Hackers accessed support tickets that contained customer names, email addresses and other personal data, but no medical records were accessed.
The company discovered suspicious activity on February 5 and filed a notice with the California Attorney General’s office on April 2, 2026. Under California’s data‑breach notification laws, the company must notify residents whose unencrypted personal information was exposed and provide a sample breach notice to the Attorney General if more than 500 residents are affected. The new law, effective January 1, 2026, requires notification within 30 days of discovery and a separate filing to the Attorney General within 15 days of consumer notification.
Hims & Hers has not disclosed the number of affected individuals, and the company has not specified what other personal data, beyond names and email addresses, was involved. No ransom demands have been reported. The breach could trigger investigations under HIPAA’s Breach Notification Rule and may lead to class‑action litigation, exposing the company to regulatory penalties and reputational damage.
Financially, the company reported Q4 2025 revenue of $617.8 million, up 28% year‑over‑year, with a gross margin of 72% and net income of $20.6 million. For the full year 2025, revenue was $2.35 billion, up 59% year‑over‑year, and net income was $128.4 million. Management has guided 2026 revenue to $2.7 billion to $2.9 billion and Adjusted EBITDA to $300 million to $375 million. The breach may affect investor confidence and could influence future pricing, customer acquisition, and regulatory compliance costs, potentially impacting the company’s growth trajectory.
The company has stated it is cooperating with authorities, reviewing its security protocols, and has not announced any credit‑monitoring offers. It remains focused on its strategic initiatives, including the launch of Novo Nordisk’s GLP‑1 medications and the acquisition of Eucalyptus, while addressing third‑party vendor risks.
The incident underscores the vulnerability of telehealth companies to third‑party platform attacks and highlights the importance of robust security practices. While the breach has not yet resulted in a financial loss or regulatory fine, the potential for litigation and loss of customer trust could have long‑term implications for Hims & Hers’ market position and investor perception.