How Hackers Turned the Hims & Hers Support Desk Into a Breach
Hims & Hers, the telehealth company known for weight-loss and sexual-health prescriptions, disclosed in an April 2 filing with the California Attorney General that attackers broke into the third-party system its customer support team uses to handle requests.
According to the breach notice and reporting by TechCrunch, intruders accessed the company’s third-party customer support ticketing platform between February 4 and February 7 and took support tickets containing personal information that customers had submitted. A company spokesperson told TechCrunch the stolen data “primarily included customer names and email addresses,” and said the company was hit by a social engineering attack in which employees were tricked into granting access. Security reporting from Malwarebytes and others has tied the intrusion to the ShinyHunters extortion group’s broader campaign abusing Okta single sign-on, and identified the platform as Zendesk.
Hims & Hers has said customer medical records were not affected and is offering 12 months of free credit monitoring. Even so, as TechCrunch noted, the nature of a support system means the data can still carry sensitive context about a person’s account and care. Dark Reading framed the exposure as the kind of information patients least want loose, given what people bring to a telehealth support conversation.
This is not the first support desk to become the soft entry point. In late 2025, Discord disclosed a breach of its support ticketing system that exposed roughly 70,000 government IDs people had uploaded for age verification. The pattern is the point.
Why Your Support Platform Is Now Part of Your Attack Surface
For a long time, security teams guarded the product, the app, and the core database, while the contact center was treated as an operations line item. That mental model is now a liability.
Support systems are a concentration of exactly what attackers want: real customer identities, contact details, and the freeform notes agents take while solving a problem. In healthcare and telehealth, those notes can imply diagnosis, medication, or treatment category even when no formal medical record is touched. The ticketing queue holds the story of the customer, not just the record of the transaction.
The entry method matters too. This class of failure rarely starts with a clever exploit. It starts with a person. Social engineering against support and IT staff, combined with the reuse of single sign-on access across connected tools, is how attackers keep landing inside support stacks across industries. The failure mode is human and procedural before it is technical, which means it lives squarely in how a CX operation is run, staffed, trained, and vetted.
This pattern shows up wherever support is handled at scale, including in-house teams and outsourced ones. Oversights and gaps in access control, vendor security review, and agent training can produce results like this anywhere. Stating that as a pattern is not a claim about what any single company did or failed to do internally.
Vet the Security of Your Support Stack, Not Just the Price and the CSAT
Here is our read. Most CX vendor selection still optimizes for cost per contact, handle time, and CSAT, and treats security as a checkbox somebody in procurement will confirm later. When the support desk is now a primary target, that ordering is backwards.
Our call center search and selection process is built to surface this class of risk by design, because security posture, access governance, and social-engineering resilience are part of how a partner gets vetted, not an afterthought once the contract is signed. The same discipline applies to the platforms your in-house team runs. Independent review exists to ask the uncomfortable questions before they become a disclosure filing.
We are agnostic about which platform or partner you land on, and there is no cost to your team for the advisory work, which is the point of the CX Dream Path. The goal is not to sell you a tool. The goal is to make sure the support layer you depend on can absorb a targeted attack without becoming the headline. If this example concerns you, weigh your own risk profile against the oversights and failure modes that emerge when brands stand up customer support, in-house or outsourced, without independent CX advisory in the room.
None of this is grave-dancing. Any operator running support at this scale is one convincing phone call away from being the case study. The work is to make that call fail.
What Healthcare CX Leaders Should Ask Before the Next Support Deployment
If patient support is your seat, these are the questions worth putting in front of every current and prospective partner, and your own team:
- Who can access the support ticketing system, from where, and how is that access revoked the day someone leaves or changes roles?
- Is single sign-on hardened with phishing-resistant multifactor authentication, and is support staff access scoped to least privilege?
- What is the social-engineering training cadence for agents and supervisors, and when was the last tested simulation?
- How long do resolved tickets retain customer data, and is sensitive context in freeform notes minimized or masked?
- What is the breach notification chain between your BPO, the platform vendor, and your team, and how fast does it trigger?
- Does your vendor due diligence actually score security and access governance, or does it stop at price, capacity, and CSAT?
If you cannot get clean answers to those questions, that gap is the finding. Our healthcare CX advisors and broader CX strategy work exist to pressure-test exactly this before a deployment, not after a disclosure.
FAQs
Was protected health information exposed in the Hims & Hers breach?
The company has said customer medical records were not affected, and a spokesperson said the stolen data primarily included names and email addresses. That said, support tickets in a telehealth context can carry sensitive account and care context, which is why security reporting treated the exposure as more sensitive than a typical retail leak. Treat the company’s statements as their account of the incident, not as a final independent finding.
How did attackers get into the support system?
According to the company and reporting by TechCrunch, the intrusion involved a social engineering attack that tricked employees into granting access, rather than a software exploit. Security researchers have linked it to a wider campaign abusing single sign-on. The lesson for CX leaders is that the human and access-control layer of a support operation is now a primary target.
What should a healthcare contact center look for in a support platform vendor?
Look beyond price and CSAT to access governance, phishing-resistant multifactor authentication, least-privilege scoping, data retention and masking in tickets, social-engineering training cadence, and a clear breach notification chain. The most important features of a support platform in healthcare are the ones that limit blast radius when, not if, someone tries to social-engineer their way in.
Does outsourcing customer support increase breach risk?
Not inherently. Risk comes from weak access governance and vetting, which can exist in-house or with a partner. A rigorous search and selection process that scores security alongside cost and quality reduces risk regardless of who staffs the desk. The differentiator is whether security is vetted up front rather than assumed.
What is the first move if this scenario worries us right now?
Inventory who can touch your support ticketing system and how that access is controlled, then map your vendor due diligence against the questions above. If security is not already a scored part of how you select and review support partners, that is the gap to close first. Independent advisory can run that review at no cost to your team.
Sources
- Zack Whittaker, “Telehealth giant Hims & Hers says its customer support system was hacked,” TechCrunch, April 2, 2026.
- “Hims & Hers reports data breach in support system,” Modern Healthcare, April 2026.
- “Hims Breach Exposes the Most Sensitive Kinds of PHI,” Dark Reading, April 2026.
- “Support platform breach exposes Hims & Hers customer data,” Malwarebytes, April 2026.
- Hims & Hers data breach notice, California Office of the Attorney General (filed April 2, 2026).