No, he doesn't. All he needs is to either have used a sniffer and snagged one of the messages you sent to your cousin, the header of which contains both your own e-mail address and your cousin's, or any e-mail you sent with your cousin, or sent to you, in a group of recipients (whether To:, CC:, or BCC:) or vice versa.
In addition, criminals sell and resell lists of e-mail addresses thus culled and thus associated. If I send out a single e-mail message to 15 of my contacts that happens to be intercepted by a sniffer, the person who "sniffed" knows for certain that my e-mail address is real and active as of the moment the message was sent and that it is highly likely that those of all the recipients are, too. He or she can then choose any one of the recipient addresses to use to try to spoof or phish me and everyone else that was in the list of recipients. When lists containing untold millions of these lists of associated addresses have been aggregated over time and sold and resold on the black market (and, though not used for phishing or spoofing, on the not-black markets, too), it's just too simple to get a ready supply without much of any effort at all.
If you have an e-mail message in your inbox that was sent to you as part of a group of recipients, or a message in your sent box that was sent to a group of recipients, I suggest you do whatever it is that your e-mail client requires you to do in order to "Show header" for that message. You will see everything I've outlined above.
People need to have a much better understanding of exactly how e-mail works and that e-mail headers (and e-mail bodies, too) are not confidential in any meaningful sense unless you were to be using an end-to-end encrypted e-mail service, and most of us are not.
One's e-mail account itself is very seldom hacked to obtain the information needed to go on a phishing expedition or to spoof because it's just so much easier to get via other means.