Introduction: A breach of digital trust
In an age where telehealth offers unprecedented convenience for sensitive medical needs, the trust between patient and provider is paramount. That trust was severely compromised for nearly 400,000 individuals when For Hims & Hers, Inc., the popular telehealth company, disclosed a significant data breach. Between April 23 and May 10, 2024, unauthorized actors gained access to systems containing some of the most private and personal protected health information (PHI) imaginable, turning a service of discretion into a source of potential exposure and harm.
The company, which operates brands like Hims, Hers, and Apostrophe, specializes in treatments for conditions many people prefer to manage privately, including hair loss, erectile dysfunction, weight management, and mental health. According to a breach notification filed with the U.S. Department of Health and Human Services (HHS) on June 12, 2024, the exposed data includes not just names and contact information, but the very medical details that brought customers to the platform in the first place. This incident goes beyond typical data breaches, creating a potent risk of blackmail, targeted fraud, and profound personal distress.
Technical details: How the breach occurred
For Hims & Hers described the event as a "data security incident" resulting from "unauthorized access to certain systems." While the company has not publicly disclosed the specific attack vector—such as a phishing attack, a software vulnerability, or credential stuffing—this level of opacity is common during an active investigation. Revealing too much, too soon could compromise remediation efforts or provide a roadmap for other threat actors.
The company stated that its core Electronic Medical Record (EMR) systems and pharmacy databases were not impacted by the breach. This is a critical distinction. It suggests the attackers did not compromise the primary clinical systems but instead gained access to ancillary databases, likely those related to customer relationship management (CRM), marketing, or customer support. These systems often contain a rich tapestry of user data, including full names, dates of birth, contact information, and, crucially, details about their conditions, subscriptions, and treatment histories.
Even without access to the EMR, the compromised data is extraordinarily potent. Threat actors now possess curated lists of individuals linked to specific, often stigmatized, medical conditions. This allows for a level of targeting that is far more dangerous than what is possible with data from a typical retail or social media breach.
Impact assessment: The high cost of exposed secrets
The severity of a data breach is measured not only by the number of records stolen but by the sensitivity of the information within them. By this measure, the Hims & Hers breach is exceptionally severe. The nearly 400,000 affected individuals are now exposed to a unique and dangerous set of risks.
The primary threats include:
- Targeted Phishing and Social Engineering: Threat actors can now craft hyper-realistic scams. Imagine receiving an email or text message that says, "Your recent order for Finasteride is on hold. Please click here to verify your payment details." Because it references a specific and private medical treatment, such a message has a much higher chance of tricking a victim than a generic phishing attempt.
- Extortion and Blackmail: This is perhaps the most significant danger. The data creates a perfect opportunity for criminals to blackmail victims. An attacker could threaten to expose an individual's use of medication for erectile dysfunction or a mental health condition to their family, employer, or social circle unless a ransom is paid. As Roger Grimes, a data-driven defense evangelist at KnowBe4, noted in Dark Reading, "This is the type of information that can easily be used for social engineering, blackmail, and extortion attempts."
- Discrimination and Reputational Damage: If this data were to leak onto public forums or the dark web, it could lead to real-world consequences. Individuals could face discrimination in employment or social settings based on disclosed health conditions. The potential for reputational harm and personal embarrassment is immense.
- Erosion of Trust in Telehealth: Beyond the individuals directly affected, this incident damages the broader telehealth industry. Patients rely on these platforms for privacy and discretion. A breach of this nature can make people hesitant to seek care online, potentially delaying or preventing them from getting necessary medical treatment due to fear of exposure.
This incident is a stark illustration of how the healthcare sector remains a top target for cybercriminals. The value of PHI on the dark web is high precisely because it can be weaponized in such personal and damaging ways. For Hims & Hers now faces the daunting task of rebuilding customer trust while navigating the inevitable regulatory investigations from bodies like the HHS Office for Civil Rights (OCR), which enforces HIPAA and can levy substantial fines for non-compliance.
How to protect yourself
If you are a customer of Hims, Hers, or their associated brands, it is essential to take immediate steps to protect yourself. Even if you have not received a notification letter, exercising caution is wise.
- Assume You Are a Target: Operate under the assumption that your data was exposed. Be hyper-vigilant about any incoming communications—emails, text messages, or phone calls—that reference your relationship with Hims & Hers or the specific conditions you sought treatment for. Scrutinize sender details and never click on links or download attachments from unsolicited messages.
- Secure Your Accounts: Immediately change your password for your Hims & Hers account. If you have reused that password on any other website, change it there as well. Enable multi-factor authentication (MFA) wherever it is available. MFA provides a critical layer of defense that can stop an attacker even if they have your password.
- Monitor Your Finances and Credit: The exposed data includes names, addresses, and dates of birth, which can be used for identity theft. Monitor your bank and credit card statements for any unusual activity. Consider placing a credit freeze with the three major credit bureaus (Equifax, Experian, and TransUnion). A freeze prevents anyone from opening new lines of credit in your name.
- Accept Protection Services: For Hims & Hers is offering complimentary identity theft protection services to affected individuals. Take advantage of this offer. These services can monitor for fraudulent use of your information and assist you in recovery if you become a victim of identity theft.
- Enhance Your General Digital Privacy: This breach is a reminder of how much of our personal data lives online. For an added layer of online privacy, consider using tools that enhance encryption and mask your digital footprint. A quality VPN service can encrypt your internet connection, making it more difficult for third parties to snoop on your online activities.
The Hims & Hers breach is a painful reminder that in our interconnected world, the security of our most private information is only as strong as the defenses of the companies we entrust it to. For the victims, the coming months will require heightened vigilance. For the telehealth industry, it must serve as a catalyst for strengthening security protocols to ensure that patient data remains what it is supposed to be: confidential.