Data leak at Hims & Hers exposes the risk of relying on external suppliers

Published. 5 min read.

Hims & Hers, the US telemedicine company that offers subscription treatments for problems such as hair loss, erectile dysfunction, mental health and skin care, has confirmed that it suffered a data leak through a third-party customer care platform. The company detected suspicious activity in early February and, after an investigation, concluded that some support tickets had been accessed without authorization; the notice sent to the California authorities can be found in the official document published by the State Attorney General: Notification to authorities in California.

Hims & Hers is now one of the best-known brands in the online pharmacy and telemedicine market in the United States, with a strong commercial presence and revenue approaching the order of hundreds of millions per year. The problem was not the medical database or the communications with doctors: according to the company, no medical records or clinical messages were compromised. What was exposed were support requests - tickets - which, in some cases, contained personal data such as names and contact details, or whatever information each customer chose to attach when seeking help.

Image generated with AI.

The timeline the firm itself gives places the unauthorized activity between 4 and 7 February, with detection of the anomaly on 5 February and the conclusion of the internal investigation on 3 March. As a response measure, Hims & Hers has offered 12 months of credit monitoring to the affected people and has recommended caution in the face of unexpected communications, as well as reviewing bank statements and credit reports for irregular movements.

Early journalistic reports indicate that the incident is part of a broader campaign in which malicious actors have abused SSO (single sign-on) accounts to access cloud customer care instances and extract large volumes of tickets. One cybercrime actor that has been linked to similar leaks is the group known as ShinyHunters; specialized media are reporting on this link and on the overall modus operandi of the campaign. For technical coverage of such attacks, consult the specialized press, for example BleepingComputer.

The vector reported in several cases has been the abuse of SSO accounts from identity providers like Okta to enter customer care tools like Zendesk and download support tickets. These services have become critical repositories of customer-company communication and, for that reason, their compromise has a multiplier effect: a breach at one supplier can result in mass leaks for dozens of client companies. Zendesk maintains information on the security and status of its services on its transparency portal, which is useful for customers who want to understand impacts and best practices: Zendesk Trust. It is also advisable to review the public communications and security tools of identity providers such as Okta: Okta Trust.

From the point of view of the affected user, the most immediate risk comes not so much from clinical exposure as from the possibility of targeted social engineering, impersonation and fraud. When attackers obtain names, emails or phone numbers, they can craft convincing messages that appear to come from the company or from financial institutions, in order to obtain sensitive data or induce payments. This is why the basic recommendation is not to respond to unexpected requests, to verify the authenticity of the channels, and not to provide additional information by email or telephone without confirming the identity of the other party. For practical guidance on how to react to possible identity theft, consult the Federal Trade Commission (FTC) resources on protection against identity theft: FTC Guide.

This incident again highlights a recurring problem in cybersecurity: the attack surface extends beyond a company's own infrastructure. The supplier chain - identity and access, cloud storage, customer care platforms - is only as strong as its weakest link. Security teams should require strict access controls, multi-factor authentication policies, periodic permission reviews and segmentation of sensitive data on third-party platforms. At the policy and operational level, organisations should also incorporate third-party risk management practices and response protocols that provide for clear and rapid communication to users and authorities.
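The campaign described above extracted large volumes of tickets from customer care platforms through SSO-authenticated accounts, which is the kind of activity an audit-log review can surface. The following is an added example, not code from the article or from Zendesk or Okta: it parses a constructed, hypothetical audit-log format (the field layout and the `ticket.export` action name are assumptions) and flags any actor whose exported ticket total within a sliding time window crosses a threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-log lines (hypothetical format, not a vendor schema):
# timestamp actor auth_method source_ip action ticket_count
SAMPLE_LOG = """\
2025-02-04T09:12:03Z alice sso 203.0.113.10 ticket.view 1
2025-02-04T09:13:40Z alice sso 203.0.113.10 ticket.view 1
2025-02-04T22:01:11Z bob sso 198.51.100.7 ticket.export 400
2025-02-04T22:03:50Z bob sso 198.51.100.7 ticket.export 450
2025-02-04T22:06:02Z bob sso 198.51.100.7 ticket.export 380
2025-02-05T10:00:00Z carol password 192.0.2.5 ticket.export 20
"""

def parse_log(text):
    """Turn whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, actor, auth, ip, action, count = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "actor": actor, "auth": auth, "ip": ip,
                       "action": action, "count": int(count)})
    return events

def flag_bulk_exports(events, window=timedelta(minutes=10), threshold=1000):
    """Return one alert per actor whose ticket.export volume inside any
    sliding window of length `window` reaches `threshold`."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] == "ticket.export":
            by_actor[e["actor"]].append(e)
    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        start, total = 0, 0
        for end, e in enumerate(evs):
            total += e["count"]
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["count"]
                start += 1
            if total >= threshold:
                alerts.append({"actor": actor, "tickets": total, "auth": e["auth"],
                               "ip": e["ip"], "first": evs[start]["ts"], "last": e["ts"]})
                break  # one alert per actor is enough for triage
    return alerts

if __name__ == "__main__":
    for a in flag_bulk_exports(parse_log(SAMPLE_LOG)):
        print(f"ALERT {a['actor']} exported {a['tickets']} tickets via {a['auth']} "
              f"from {a['ip']} between {a['first']} and {a['last']}")
```

In the constructed data, bob's three exports total 1230 tickets in about five minutes and are flagged, while carol's single small export is not; the threshold and window should be tuned to the normal export volume of the support team.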

Image generated with AI.

While the details are still being clarified - Hims & Hers has published limited information on the total number of affected customers, and external researchers continue to collect evidence - it is reasonable to learn from other recent incidents in which support platforms were the leak vector. These cases serve as a reminder that no company handling personal data is completely isolated from the risk of relying on external services.

The conversation about how to protect data in the telemedicine age cannot be limited to securing medical records: it must also cover the channels through which patients make contact, pay or seek help. More transparency on the scope of breaches, independent vendor audits and a security culture that prioritizes access control and early detection are essential measures to reduce the likelihood of incidents like this being repeated. For institutional information on supply chain threats and third-party risk, the US agency CISA offers resources and general recommendations: CISA.

If you are a Hims & Hers customer and received a notification, follow the instructions that were sent to you, accept credit monitoring if it is offered, and stay alert to impersonation attempts. If you have not yet been contacted but are a recent customer, it is worth reviewing your communications with the company and any old ticket that could contain sensitive information; if in doubt, ask the company for details on the nature of the data exposed and the remedies it is applying.
