They had sensitive conversations stored that were accessed. From what I've seen, always enable two-factor authentication on any app that handles personal health data.