Chairman Cassidy Continues Protecting Americans’ Private Data, Cracking Down on Cybersecurity Threats

WASHINGTON - U.S. Senator Bill Cassidy, M.D. (R-LA), Chairman of the U.S. Senate Health, Education, Labor, and Pensions (HELP) Committee, raised concerns about the recent cybersecurity incident threatening the private health data of Hims & Hers users.

"At a time when hostile actors are increasingly using sophisticated tactics leveraging artificial intelligence, it is essential for the health care sector to take meaningful steps to safeguard patient and consumer information," wrote Dr. Cassidy. "While Hims & Hers has stated that 'customer medical records were not impacted by this incident,' additional transparency is needed about what information hostile actors accessed, how Hims & Hers safeguarded protected health information (PHI) prior to the incident, and steps that the company intends to take going forward."

Background:

As Chairman, Cassidy is leading efforts to protect Americans' private data. Earlier this Congress, the HELP Committee passed Cassidy's Health Care Cybersecurity and Resilience Act to safeguard Americans' health data. He has also investigated several cybersecurity lapses, including those by Canvas, OPEXUS and UnitedHealth Group.

Read the full letter here or below:

Dear Mr. Dudum:

Cybersecurity threats are one of the most significant risks currently affecting the health care system. In 2025, there were 628 reported health care data breaches, resulting in delayed care, patient data stolen or accessed without authorization, and a potential for increased fraud.¹ At a time when hostile actors are increasingly using sophisticated tactics leveraging artificial intelligence, it is essential for the health care sector to take meaningful steps to safeguard patient and consumer information.

The recent cybersecurity incident affecting Hims & Hers highlights the risk cybersecurity incidents pose to patients. While Hims & Hers has stated that "customer medical records were not impacted by this incident," additional transparency is needed about what information hostile actors accessed, how Hims & Hers safeguarded protected health information (PHI) prior to the incident, and steps that the company intends to take going forward.²?To that end, I request answers to the following questions by June 8, 2026:

1. What security protocols, both cyber and physical, does Hims & Hers have in place to protect against a cyberattack?
2. How does Hims & Hers incorporate cybersecurity best practices implemented by other critical infrastructure sectors?
3. When did Hims & Hers first become aware of a cyber incident affecting its systems?
4. When did Hims & Hers notify federal agencies of a cyber incident, and which agencies did Hims & Hers notify?
5. Hims & Hers has stated that "personal information related to a limited set of individuals" may have been accessed without authorization.³

1. What information was contained in this dataset?
2. What steps is Hims & Hers taking to identify any additional information that may have been accessed?
3. How is Hims & Hers proactively communicating with potentially impacted individuals and entities?

1. What remedial steps has Hims & Hers taken or intend to take to improve its security protocols?
2. What additional reporting does Hims & Hers commit to doing for individuals who have had their information disclosed, beyond the reporting requirements under the Health Insurance Portability and Accountability Act (HIPAA)?

###

For all news and updates from HELP Republicans, visit our website or Twitterat @GOPHELP.