Support platform breach exposes Hims & Hers customer data
Hims & Hers' customer support platform was breached by hackers, exposing user data. The attackers used social engineering to obtain employee credentials and accessed a large volume of support ticket data through a third-party platform. Medical records and doctor communications were not involved, but the exposed names and contact details could still lead to privacy problems and scam risk. Users are advised to stay alert and take precautions against potential threats.

2026-4-7 10:45:50 Author: www.malwarebytes.com

Healthcare companies handle some of the most personal data imaginable. That makes them a magnet for hackers. And when those companies outsource their customer support to third-party platforms, every one of those platforms becomes another door someone can try to kick in.

Telehealth giant Hims & Hers just learned that the hard way. The company is notifying customers that hackers broke into its customer service platform and stole support ticket data.

What happened

Hims & Hers is one of America’s biggest direct-to-consumer telehealth brands, offering subscription-based treatments for hair loss, erectile dysfunction, mental health, skincare, and weight loss, with annual revenues approaching $1 billion.

On February 5, the company detected suspicious activity on its third-party customer service platform. An investigation found that between February 4 and February 7, attackers accessed or stole customer service tickets without authorization. The company didn’t confirm until March 3 that personal information was inside those tickets.

The exposed data may include names, contact information, and other details related to the support requests people filed. Hims & Hers says medical records and doctor communications were not compromised. That’s reassuring, to a point. But when the company in question handles treatments for sensitive conditions, even a list of names and contact details reveals details most people would rather keep private.

ShinyHunters strike again

Hims & Hers hasn’t named the attackers, but BleepingComputer reports that the ShinyHunters extortion gang was behind the breach. The data was stolen as part of a wider campaign in which the gang compromised single sign-on (SSO) accounts managed using software from SSO vendor Okta to break into cloud services and SaaS platforms.

ShinyHunters uses social engineering to impersonate IT support, call employees, and trick them into entering credentials and MFA codes on phishing pages. Once inside an SSO account, the attacker has the keys to every connected service. In the Hims & Hers case, that meant the Zendesk instance and millions of support tickets.

Hims & Hers is hardly alone. DIY retailer ManoMano disclosed in February that 38 million customers were affected by a breach of its own Zendesk-based customer service provider. Last month, the group stole approximately eight million support ticket records belonging to anime platform Crunchyroll from a Zendesk instance operated by its support provider TELUS Digital.

Customer support platforms have become the front door, and the attackers know it. Compromising a company’s support provider potentially gives attackers access to thousands of companies’ records.

Why (and how) to stay vigilant

Hims & Hers is offering 12 months of free credit monitoring, which is the standard post-breach response these days. However, credit monitoring won’t stop a phishing email that references your real support ticket about a real prescription.

We have already seen companies warning that criminals will use sensitive stolen data to build convincing scams and extortion attempts. Although we haven’t seen it yet, it’s entirely possible that someone with access to records about sensitive medication purchases could use those to embarrass victims.

It’s also possible that someone could combine stolen support data that contains information about health product purchases with a spoofed email. These possibilities are partly why any kind of medical data is so sought after. The FBI has already warned that criminals are posing as insurers and claims investigators to trick patients into handing over medical records and bank details.

If you’re a Hims & Hers customer, take the free credit monitoring. But also take our guidance on avoiding scams and extortion into account, following our STOP response framework. Watch for any unsolicited email or text that references your treatments or support history. Don’t click suspicious links, and don’t share information with people you don’t know. Verify directly with the company using a contact method you trust.

It’s also a good idea to use a tool that scours the dark web for any of your personal information, while also checking your email address against any known breaches. This gives you a heads-up if people are trading (or likely to trade) stolen records about you. Malwarebytes Digital Footprint scanner will do this for you.


About the author

Danny Bradbury has been a journalist specialising in technology since 1989 and a freelance writer since 1994. He covers a broad variety of technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector. He hails from the UK but now lives in Western Canada.


Source: https://www.malwarebytes.com/blog/data-breaches/2026/04/support-platform-breach-exposes-hims-hers-customer-data