Telehealth Giant Hims & Hers Announces Data Breach

The direct-to-consumer telehealth company Hims & Hers has experienced a data breach. In early February, an unauthorized third party gained access to its third-party customer service platform and acquired support tickets that contained personal information.

Suspicious activity was identified within the customer service platform on February 5, 2026. Hims & Hers took steps to secure the platform and launched an investigation to determine the nature and scope of the activity. The investigation confirmed that an unauthorized third party had access to the platform from February 4, 2026, to February 7, 2026. During that time, certain tickets sent to the customer service team were subjected to unauthorized access or were acquired.

Hims & Hers reviewed the affected tickets and, on March 3, 2026, confirmed that they contained personal information such as names and contact information; however, customers’ medical records were not involved, and there was no unauthorized access to communications with healthcare providers on the platform. Law enforcement was notified about the incident, and individual notification letters are being mailed to the affected individuals. While the data compromised in the incident is limited, Hims & Hers is offering complimentary single-bureau credit monitoring and identity theft protection services for 12 months.

Hims & Hers has conducted a review of its policies and procedures related to privacy and security and is taking steps to prevent similar incidents in the future. While the incident has been reported to regulators, including the California Attorney General, Hims & Hers has not publicly disclosed the number of individuals affected by the incident.

Hims & Hers did not disclose the threat group behind the attack; however, BleepingComputer reports that the ShinyHunters threat group was responsible. The attack was part of a broader campaign targeting multiple companies. The threat group compromises Okta SSO accounts to gain access to data storage environments and steals data for extortion purposes. In this case, ShinyHunters used the Okta SSO account to access the Hims & Hers Zendesk instance and stole millions of support tickets.

The post Telehealth Giant Hims & Hers Announces Data Breach appeared first on The HIPAA Journal.

Cardiovascular Consultants Pays $3.85M to Settle Data Breach Litigation

Cardiovascular Consultants in Arizona has settled a class action lawsuit stemming from a 2023 data breach involving the protected health information of 484,000 individuals. The data breach was detected on September 29, 2023, and the forensic investigation determined that a hacker had gained access to its network two days previously. Files containing patient information were exfiltrated before ransomware was used to encrypt files.

The compromised files contained patient and guarantor information, including names, mailing addresses, birth dates, emergency contact information, Social Security numbers, driver’s license numbers, state ID numbers, insurance policy and guarantor information, diagnosis and treatment information, and other information from medical or billing records. Notification letters were mailed on December 2, 2023.

A class action complaint was filed in December 2023 by plaintiffs Michele Stroup and Georgios Asimakopoulos, and additional plaintiffs later joined the litigation as class representatives. The defendant denied all claims in the lawsuit and sought to have the lawsuit dismissed. That attempt was only partially successful, with a judge granting and denying the motion to dismiss in part. An amended complaint – Stroup, et al. v. Cardiovascular Consultants Ltd. – was filed, which is pending in the Superior Court of the State of Arizona, County of Maricopa.

The lawsuit alleged that the defendant failed to implement reasonable security protections to safeguard its information systems and databases, and that the handling of the data breach was deficient, with notifications unreasonably delayed. The lawsuit asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, violation of the Arizona Consumer Fraud Act, and invasion of privacy, all of which were denied by the defendant.

Following mediation, a settlement was agreed that was acceptable to all parties, allowing them to avoid further litigation costs and the uncertainty of a trial. Under the terms of the settlement, Cardiovascular Consultants has agreed to establish a $3,850,000 settlement fund to cover all costs associated with the litigation, including attorneys’ fees and expenses, notice and administration costs, and service awards for the class representatives.

The remainder of the settlement fund will be used to pay benefits to the class members. Class members may claim two years of medical monitoring plus one or two cash payments – a claim for reimbursement of documented, unreimbursed out-of-pocket losses up to a maximum of $5,000 per class member and/or a pro rata cash payment, which is estimated to be $75 per class member, but may be higher or lower depending on the number of valid claims received.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for August 18, 2026. Individuals wishing to object to the settlement or exclude themselves must do so by June 1, 2026. The deadline for submitting a claim is July 1, 2026.
