The Hims Data Breach: What Standing Access Costs in Healthcare

Gabriel Avner

April 20, 2026

Hims & Hers, one of the biggest telehealth platforms in the U.S., just disclosed that millions of customer records were exposed. Not because of some sophisticated exploit, but because a single compromised login had standing access to a connected platform. 

One identity was all it took.

This breach is worth paying attention to not because it’s unusual, but because it’s so ordinary. 

The access model that made it possible is the same one most companies are still running, and it raises an uncomfortable question: could your vendors prove their privilege controls hold up if someone came looking?

How the Hims Data Breach Unfolded

In early February 2026, the ShinyHunters extortion group targeted Hims & Hers as part of a broader campaign against companies that use Okta for single sign-on. 

They ran the same play they’ve been running for years: 

  • Impersonate IT support
  • Call employees
  • Talk them into entering credentials and MFA codes on phishing pages

Because the password and the one-time MFA code were both captured and used in real time, OTP-based MFA did not stop the login; only phishing-resistant factors such as FIDO2/WebAuthn keys bound to the login origin defeat this play. Once inside the compromised Okta SSO account, the attackers didn't need to escalate privileges or move laterally. The account had standing access to the Hims & Hers Zendesk instance, so they walked straight in and helped themselves to millions of support tickets between February 4th and 7th.

The exposed data included customer names, contact information, and details from support interactions. 

This isn’t the first time ShinyHunters has used a third-party vendor as the way into an enterprise, compromising SSO credentials to slip through vendor platforms and steal customer data from the companies on the other side.

How Third-Party Vendor Access Puts Your Data at Risk

Third-party vendors make attractive targets because they hold broad, persistent access to their customers’ environments, often without the same security oversight those customers apply internally.

That creates risk on both sides. Vendors that suffer a breach become the reason their customers end up in disclosure letters and regulatory conversations. 

For the enterprise, every vendor with standing access to sensitive systems is an extension of your own attack surface that you have less visibility into and less control over.

Enterprise buyers have noticed, and they increasingly want proof that partners manage privileged access with real, auditable controls. 

In healthcare, if a vendor can’t demonstrate least privilege, why would a covered entity hand them ePHI? Proving it starts with how you think about standing access in the first place.

Why Zero Standing Privileges Matters for Healthcare

Zero Standing Privileges (ZSP) is the access model that would have prevented the Hims breach from playing out the way it did: no account should hold continuous privileged access by default. It works through two mechanisms:

  • Just-in-Time (JIT) access grants privileges only when they're needed and revokes them as soon as the task is done or the approved time window expires.
  • Just-Enough Privilege (JEP) scopes those privileges to exactly what the task requires.

If that compromised SSO account had no standing access to Zendesk, the attacker would have taken over the account and found nothing to use. At worst, they could have acted only inside the scope and time window of a grant the real user had just requested, with every action logged.
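As an added illustration (not Apono's code and not the Hims & Hers environment), the following Python models a minimal ZSP broker: privileges are created Just-in-Time with a hard expiry, scoped Just-Enough to the named actions, denied by default, and written to an audit trail. It then replays the breach pattern above against it. The principal "support-agent@example.com", the resource "zendesk:tickets", the action names and the one-hour TTL cap are assumptions made for the example.

```python
# Added illustration, not code from Apono or from the Hims & Hers incident.
# A minimal Zero Standing Privileges (ZSP) broker: every privilege is created
# Just-in-Time with a hard expiry, scoped Just-Enough to the listed actions,
# denied by default, and every decision is appended to an audit trail.
# Names such as "zendesk:tickets" and "support-agent@example.com" are assumed.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List
import time


@dataclass(frozen=True)
class Grant:
    principal: str
    resource: str
    actions: FrozenSet[str]
    expires_at: float


class ZspBroker:
    MAX_TTL_SECONDS = 3600  # assumption for the example: no grant outlives an hour

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._grants: List[Grant] = []
        self.audit: List[Dict[str, object]] = []

    def request(self, principal: str, resource: str, actions: Iterable[str],
                ttl_seconds: int, justification: str) -> Grant:
        """JIT: the privilege exists only from this call until expires_at.
        JEP: only the actions named here are granted, nothing broader."""
        if not 0 < ttl_seconds <= self.MAX_TTL_SECONDS:
            raise ValueError("ttl_seconds must be within (0, MAX_TTL_SECONDS]")
        if not justification.strip():
            raise ValueError("a justification is required for the audit record")
        grant = Grant(principal, resource, frozenset(actions), self._clock() + ttl_seconds)
        self._grants.append(grant)
        self.audit.append({"event": "grant", "principal": principal, "resource": resource,
                           "actions": sorted(grant.actions), "ttl": ttl_seconds,
                           "justification": justification})
        return grant

    def revoke(self, principal: str) -> int:
        """Task finished, or compromise suspected: drop every live grant for the principal."""
        before = len(self._grants)
        self._grants = [g for g in self._grants if g.principal != principal]
        removed = before - len(self._grants)
        self.audit.append({"event": "revoke", "principal": principal, "count": removed})
        return removed

    def live_grants(self, principal: str) -> int:
        now = self._clock()
        return sum(1 for g in self._grants if g.principal == principal and g.expires_at > now)

    def authorize(self, principal: str, resource: str, action: str) -> bool:
        """Deny by default; allow only if a live, in-scope grant exists right now."""
        now = self._clock()
        # Expiry is enforced at decision time, not by a background cleanup job.
        self._grants = [g for g in self._grants if g.expires_at > now]
        allowed = any(g.principal == principal and g.resource == resource and action in g.actions
                      for g in self._grants)
        self.audit.append({"event": "authorize", "principal": principal, "resource": resource,
                           "action": action, "allowed": allowed})
        return allowed


def replay_scenario() -> Dict[str, bool]:
    """Walks the breach pattern from the article against a ZSP broker.
    A fake clock makes the expiry step deterministic."""
    now = [1_000_000.0]
    broker = ZspBroker(clock=lambda: now[0])
    account = "support-agent@example.com"  # the phished SSO identity (assumed name)
    tickets = "zendesk:tickets"            # the connected platform (assumed name)
    results: Dict[str, bool] = {}

    # 1. Attacker logs in with the phished credentials and MFA code.
    #    With no standing privilege there is nothing to read.
    results["phished_login_reads_tickets"] = broker.authorize(account, tickets, "read")

    # 2. The legitimate user requests a short, scoped grant for a real task.
    broker.request(account, tickets, ["read"], ttl_seconds=900, justification="ticket #42 follow-up")
    results["in_scope_read_during_grant"] = broker.authorize(account, tickets, "read")
    # JEP: bulk export was never requested, so it stays denied even while the grant is live.
    results["bulk_export_during_grant"] = broker.authorize(account, tickets, "export")
    # JEP: another resource is out of scope too.
    results["other_resource_during_grant"] = broker.authorize(account, "zendesk:admin", "read")

    # 3. Fifteen minutes pass; the grant expires on its own.
    now[0] += 901
    results["read_after_expiry"] = broker.authorize(account, tickets, "read")
    results["no_live_grants_remain"] = broker.live_grants(account) == 0

    # 4. Compromise is suspected mid-task: revoke immediately instead of waiting for expiry.
    broker.request(account, tickets, ["read"], ttl_seconds=900, justification="ticket #43")
    results["revoked_count_is_one"] = broker.revoke(account) == 1
    results["read_after_revoke"] = broker.authorize(account, tickets, "read")
    return results


if __name__ == "__main__":
    for name, value in replay_scenario().items():
        print(f"{name}: {value}")
```

The point of the replay is the first and last checks: the same phished identity that read millions of tickets under a standing-access model reads nothing here, because authorization is evaluated against grants that exist only for a requested task, scope and window. The audit list doubles as the access-event record that the regulations discussed below ask for.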

This is also what the regulations describe. HIPAA's Security Rule technical safeguards (45 CFR § 164.312) require access controls that limit ePHI to authorized users and audit controls that record activity in systems containing ePHI; its administrative safeguards (45 CFR § 164.308(a)(3)-(4)) require workforce security and information access management procedures, including terminating access when it is no longer needed.

The Minimum Necessary Standard (45 CFR § 164.502(b)) requires that uses and disclosures of PHI be limited to what is needed for the specific task. PCI DSS, SOC 2, ISO 27001, and NIST SP 800-53 (AC-6, Least Privilege) each carry an equivalent least-privilege requirement.

ZSP handles the human side of this problem. But the vendor trust conversation is about to get harder, because human credentials aren’t the only ones with standing access anymore.

AI Agents and the Next Wave of Vendor Access Risk

Healthcare companies are starting to roll out AI tools: coding copilots for engineering teams, customer-facing agents that handle intake data and scheduling. Most of these agents run under the credentials of the user or service account that launched them, so by default they inherit whatever standing access that identity already holds.

Now consider the Hims scenario again, but with agents involved. If a vendor’s customer-facing agent has standing access to ePHI and that vendor’s SSO gets compromised, an attacker isn’t just reading support tickets anymore. They’re potentially accessing whatever those agents can reach, at whatever speed those agents operate.

As more healthcare companies push their vendors to adopt AI tooling, the question of how those vendors govern agent access becomes part of the trust conversation too.

How Apono Enforces Zero Standing Privileges

Whether you’re a vendor trying to prove to healthcare customers that their data is safe with you, or an enterprise trying to hold your vendors to a higher standard, the practical challenge is the same: you need ZSP to actually work in your environment without slowing your teams down. 

That’s what Apono is built to do.

Apono creates ephemeral privileges at the moment of the request, scoped precisely to the task, and eliminates them the instant the work is done. No pre-built roles to activate, no static RBAC structures to layer on top of.

Most PAM tools require someone to pre-define a library of roles that need ongoing maintenance and right-sizing. Apono sidesteps that by generating roles and permissions dynamically, in the native policy language of the target environment, so privileges are right-sized by default.

For AI agents, Apono’s Intent-Based Access Controls evaluate what the agent is trying to do against the sensitivity of the privileges being requested. Low-risk actions proceed automatically, sensitive operations get routed to a human, and everything is logged end to end.

For healthcare organizations, here’s how that maps to the requirements auditors are actually checking:

Mapping Apono to HIPAA Requirements

[Table: Apono capabilities mapped to HIPAA requirements]

Learn more about how Apono helps to secure your ePHI and simplify HIPAA compliance with our HIPAA and HITECH Compliance data sheet

Proving Privileged Access Controls Wins Business

The Hims breach is a reminder that protecting health data isn’t just about satisfying auditors. It’s about whether customers and partners are willing to do business with you at all.

If you’re rethinking how your organization manages privileged access after stories like this, our 2026 Buyer’s Guide to Privileged Access Management breaks down what modern ZSP-ready solutions should look like, what to ask vendors, and how to compare options on the capabilities that actually matter. It includes a full RFP checklist you can use in your evaluation today.
