What Hims & Hers’ European Expansion Signals for Health Tech Security
TL;DR
When Hims & Hers announced their acquisition of ZAVA, a digital health platform with reach across the UK, Germany, France, and Ireland, it was a signal. The DTC health brand is expanding care delivery across borders, backed by ZAVA’s 2.3 million consultations and trusted clinical operations. In plain terms: Hims & Hers just plugged into Europe’s healthcare infrastructure overnight. It’s a smart move. But from a security and compliance standpoint, it’s become a complex one.
A Growth Play and a CIO's Nightmare
When you expand internationally, you add customers, and you add challenges.
Here are a few:
Jurisdictional complexity
Data sovereignty requirements
Vendor footprints you didn’t build
Privacy frameworks beyond HIPAA (e.g., GDPR)
ZAVA brings impressive digital infrastructure, but it also comes with systems, contracts, and historical risk that now fall under the Hims & Hers umbrella.
As a health tech leader, this raises the question:
“If your company made this kind of move… would your current security posture hold up?”
What Good HIPAA Compliance Tells Us
Here’s how this plays out in real terms:
Due diligence
Can you map and monitor all third-party vendors you inherit? Do your BAAs allow the US entity to process ePHI in other countries? Can teams in other countries work on US systems that contain ePHI?
Privacy laws are not the same
HIPAA may be your foundation, but GDPR governs how data must be stored, accessed, and retained in the EU. Do your current teams support dual compliance?
Incident response must be time-zone fluent
Breach notification timelines vary. Your response times need to account for international coordination. It's highly likely 24/7 security ops will be required.
These are the exact kinds of gaps our HIPAA Exposure Guide helps teams find.
It’s a 30-minute leadership self-audit across governance, vendors, incident readiness, and more.
If you’re growing or acquiring, this will show you where your posture is fragile.
👉Grab it here
You May Not Be Expanding, But You’re Already at Risk
You don’t need to acquire a company in Germany to inherit European risk.
Many U.S.-based digital health companies already:
❌ Employ a workforce across borders
❌ Use solutions with foreign data processors
❌ Partner with vendors who outsource without disclosing it
I've seen some of this firsthand, and heard about others from reliable sources.
The moment your footprint extends through another entity, EVEN through a signed BAA, your risk expands.
A strong HIPAA posture is about expertise, alignment, and leading with clarity, not assumption.
If you're a growing digital health company and need clarity on where your HIPAA posture stands, this guide will help.
👉Download the HIPAA Exposure Guide
Would You Be Ready for This Kind of Expansion?
If you were in Hims & Hers’ position, ready to acquire a digital health company in another country, here are some questions I recommend you ask:
Where does your PHI live?
How big is your security team?
How do you vet your vendors?
When was the last time you had a security assessment?
What’s their breach track record and is it documented?
Tip: As a CIO, you should conduct a security assessment as part of the due diligence process.
Let’s Open This Up!
Let’s make this a leadership conversation, not just a legal one.
What would you evaluate first in a cross-border expansion?
Drop your answer in the comments 👇