Security | April 10, 2026

Your Help Desk Is the Heist — What the Hims Breach Teaches Healthcare

Attackers hit Hims through its support platform and walked off with PHI. Your help desk is next if you don't treat it like infrastructure.

Here's a trick I used to pull in the '90s. I wouldn't go after the mainframe. I wouldn't try to brute-force a login. I'd call the help desk. The person on the other end of the line wanted to help - that was literally their job - and they had access to everything I needed. The help desk was never the target. It was always the door.

Thirty years later, the door is still wide open. It's just digital now.

Hims & Hers Health - the telehealth company you've seen on every podcast ad and highway billboard - just disclosed that attackers breached their third-party customer support platform and walked out with support tickets full of protected health information. ShinyHunters, the group behind breaches at Ticketmaster, AT&T, and dozens of others, claimed the hit. The data includes names, email addresses, and unspecified "medical information." Given what Hims actually sells, that last part should terrify you.

The support stack is the soft underbelly

Let me walk you through this the way an attacker would.

You're scoping a target. The main application is locked down - SSO, MFA, the works. But then you look at the edges. The support platform. The ticketing system. The chatbot backend. These are third-party SaaS tools, bolted on, often with their own auth, their own data retention policies, their own attack surface. And they're sitting on a goldmine: every customer complaint, every prescription question, every "I need help with my order" message - all containing PII and PHI, just sitting in plaintext ticket fields.

That's exactly what happened at Hims. An attacker gained access to the support platform on February 4. Hims says they noticed suspicious activity on February 5 and "promptly took steps to secure" it. But the attacker maintained access until February 7. Three full days inside a system full of patient data.

It then took Hims a month to figure out what was actually in those tickets. Another month to start telling customers. That's a two-month gap between compromise and notification. In healthcare, that's not just slow - it's the kind of timeline regulators build enforcement actions around.

The blackmail math is ugly

Here's where this gets darker than your average breach.

Hims doesn't sell generic widgets. It sells treatments for erectile dysfunction, hair loss, weight management, and mental health conditions. Its customer base skews young - men and women at stages of life where these issues carry real stigma. The people filing support tickets about their prescriptions aren't expecting that conversation to end up in a threat actor's dump.

If ShinyHunters - or whoever actually pulled this off - got anything beyond basic PII, the extortion potential is staggering. This isn't "we have your email and a password hash." This is "we know you're 28 years old and getting treatment for ED, and here's your real name attached to it." That's not identity theft. That's blackmail. And ShinyHunters has a documented history of leaking data when victims don't pay.

We haven't seen Hims data surface on any leak forums yet. That silence could mean a payout already happened - or that the clock is still ticking.

Your healthcare org has the same problem

If you're reading this from a hospital, a health plan, or a digital health company, I need you to do something right now. Pull up a list of every third-party platform that touches patient or member data. Your ticketing system. Your live chat tool. Your call center recording platform. Your workforce management app for scheduling support staff.

Now ask yourself: do those systems have the same security controls as your EHR? The same access reviews? The same logging and monitoring? The same data retention policies?

I already know the answer.

Baker Johnson from UJET nailed it in his response to the Hims incident: "Customer service is now one of the richest sources of personal data in the business, but it's still managed across a patchwork of disconnected systems - recordings here, transcripts there, workflows somewhere else. That fragmentation is what creates risk."

He's right. And in healthcare, the fragmentation is worse because the data is regulated. A support ticket containing a patient's medication question is PHI under HIPAA. It needs the same protections as a clinical note in your EHR. But most organizations don't treat it that way. The support platform is managed by a CX team, not the security team. The contract was signed by procurement, not the CISO. And nobody ran a security assessment because "it's just a ticketing tool."

What an attacker sees that you don't

When I used to case a target, I looked for exactly this kind of organizational gap - the space between what the security team controls and what they think they control. Support platforms live in that gap. They're authorized to hold sensitive data, but they're not hardened like the systems that were purpose-built for it.

An attacker probing your environment sees your support stack as a parallel database of PHI with weaker authentication, longer data retention, broader access, and less monitoring. It's the path of least resistance.

The fix isn't buying another tool. It's treating your support infrastructure like what it actually is: a system of record for protected health information. That means:

  • Access controls that match your clinical systems. Role-based access, MFA, session timeouts - not the vendor defaults.
  • Data minimization in ticket fields. Stop letting freeform text fields accumulate PHI. If a patient writes their diagnosis into a chat box, you need automated redaction or at minimum flagging and retention controls.
  • Continuous monitoring, not quarterly audits. If Hims had behavioral analytics on their support platform, three days of unauthorized access wouldn't have happened. You need real-time detection on the tools where your most sensitive conversations happen.
  • Vendor security that's actually verified. A SOC 2 badge on a marketing page isn't assurance. Demand evidence. Test it. If your support vendor can't demonstrate how they detect unauthorized access to your tenant, find one that can.
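The "continuous monitoring" point above is the one most support platforms lack. As an added example (not code from this post or from any vendor), here is the kind of behavioral check a defender can run over a support platform's audit log: it flags an agent account that reads far more tickets than its peers, works outside the team's shift, comes from an unfamiliar network, or bulk-exports. The log format, agent names, IP ranges and thresholds are all constructed assumptions.

```python
"""Flag anomalous ticket access in a support-platform audit log (added example, not the post's
or any vendor's code; log format, names, IP ranges and thresholds are constructed assumptions)."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed audit log: agent_a and agent_b behave normally; agent_c reads more tickets
# than peers, at night, from an unfamiliar address, then bulk-exports.
SAMPLE_LOG = """\
{"ts":"2026-02-04T10:02:11Z","agent":"agent_a","action":"ticket.view","ticket":"T-1001","ip":"10.1.1.10"}
{"ts":"2026-02-04T10:15:40Z","agent":"agent_a","action":"ticket.view","ticket":"T-1002","ip":"10.1.1.10"}
{"ts":"2026-02-04T11:03:05Z","agent":"agent_b","action":"ticket.view","ticket":"T-1003","ip":"10.1.1.11"}
{"ts":"2026-02-04T11:20:57Z","agent":"agent_b","action":"ticket.view","ticket":"T-1004","ip":"10.1.1.11"}
{"ts":"2026-02-05T02:41:09Z","agent":"agent_c","action":"ticket.view","ticket":"T-1005","ip":"203.0.113.7"}
{"ts":"2026-02-05T02:41:12Z","agent":"agent_c","action":"ticket.view","ticket":"T-1006","ip":"203.0.113.7"}
{"ts":"2026-02-05T02:41:15Z","agent":"agent_c","action":"ticket.view","ticket":"T-1007","ip":"203.0.113.7"}
{"ts":"2026-02-05T02:41:18Z","agent":"agent_c","action":"ticket.view","ticket":"T-1008","ip":"203.0.113.7"}
{"ts":"2026-02-05T02:41:21Z","agent":"agent_c","action":"ticket.view","ticket":"T-1009","ip":"203.0.113.7"}
{"ts":"2026-02-05T02:45:00Z","agent":"agent_c","action":"ticket.export","count":4000,"ip":"203.0.113.7"}
"""

KNOWN_NETS = ("10.1.1.",)        # assumption: agents normally come from this VPN/office range
BUSINESS_HOURS = range(8, 19)    # assumption: 08:00-18:59 UTC is the support team's shift

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_anomalies(events, volume_factor=2.0):
    """Return {agent: {signal: detail}} for every agent that trips at least one signal."""
    seen = defaultdict(set)             # agent -> distinct tickets viewed
    hits = defaultdict(dict)            # agent -> first detail recorded per signal
    for e in events:
        agent, ip = e["agent"], e["ip"]
        if e["action"] == "ticket.view":
            seen[agent].add(e["ticket"])
        elif e["action"] == "ticket.export":
            hits[agent].setdefault("bulk_export", f"exported {e['count']} tickets")
        if not ip.startswith(KNOWN_NETS):
            hits[agent].setdefault("unfamiliar_source", ip)
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
        if ts.hour not in BUSINESS_HOURS:
            hits[agent].setdefault("off_hours", e["ts"])
    # Volume signal: each agent's distinct tickets against the median of the other agents.
    counts = {a: len(t) for a, t in seen.items()}
    for agent, n in counts.items():
        peers = sorted(v for a, v in counts.items() if a != agent)
        if peers and n > volume_factor * peers[len(peers) // 2]:
            hits[agent]["high_volume"] = f"{n} tickets vs peer median {peers[len(peers) // 2]}"
    return dict(hits)
```

In production the baseline would come from weeks of history per role rather than the current batch, and the export threshold would be a hard alert on its own; the point is that these signals exist in the platform's audit log and nobody is reading it.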

This is what autonomous agents are for

At SecUnit, this is the exact problem our agents are built to solve. Not just monitoring the EHR and the network perimeter, but watching the full blast radius of your data - including the third-party platforms where PHI leaks into support tickets, chat logs, and CRM fields. Our agents don't sleep. They don't need a month to figure out what data was exposed. They detect anomalous access patterns in real time and contain the damage before an attacker has three days to exfiltrate at their leisure.

The Hims breach is a case study in what happens when you secure the front door but leave the service entrance unguarded. In healthcare, where every piece of patient data is both a regulatory liability and a blackmail opportunity, you cannot afford that gap.

If your support platform isn't monitored the way your clinical systems are, you don't have a security program. You have a security suggestion.

Start treating every system that touches patient data like it matters. Because to an attacker, it already does.