Breach at Denton County MHMR Center exposes nearly 109,000 records

A cybersecurity incident at the Denton County MHMR Center, a community mental health provider, has exposed the sensitive personal and health information of 108,967 patients.

What happened

According to Claim Depot, Denton County MHMR detected unusual activity in its network system in December 2024, triggering an immediate investigation. Cybersecurity specialists later confirmed that an unauthorized third party accessed the network between December 24 and 25, 2024.

On November 5, 2025, 11 months after the breach, Denton County MHMR Center reported the incident to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). As of December 30, 2026, official disclosures indicate that at least 108,967 individuals nationwide have had their data exposed. Tens of thousands of those affected reside in Texas.

Going deeper

A combination of personally identifiable information (PII) and protected health information (PHI) was accessed during the breach. According to the breach notice, the compromised information may include:

• PII such as:
  • Full names
  • Addresses
  • Social Security numbers
  • Dates of birth
  • Bank account or financial data
• and PHI, including:
  • Medical record numbers
  • Diagnosis and treatment information
  • Lab results and medication details
  • Treating physicians’ names
  • Medical insurance information
  • Biometric identifiers

This combination creates a heightened risk of identity theft, medical fraud, financial loss, and targeted phishing scams.

What was said

Denton County MHMR Center has acknowledged the incident publicly and updated its breach notice on its website. The organization states that it has secured its systems, engaged third-party cybersecurity experts, and strengthened network protections and data security policies in response to the breach. Letters informing affected individuals began going out in late 2025.

In the breach notice, the practice also encourages patients to “remain vigilant against incidents of identity theft and fraud by reviewing credit reports/account statements and explanation of benefits forms for suspicious activity and to detect errors.”

In the know

Under HIPAA’s Breach Notification Rule, covered entities and business associates are legally required to report data breaches without unreasonable delay and no later than 60 calendar days after the breach is discovered, even if a full forensic investigation is still underway. The rule is designed to ensure transparency and give affected individuals timely notice so they can take steps to protect themselves from potential harm, such as identity theft or medical fraud.

Why it matters

A similar breach was observed in October 2024 when Drug and Alcohol Treatment Services, Inc. (DATS), an outpatient center for substance abuse treatment located in Scranton, Pennsylvania, announced a data breach impacting more than 22,000 people. The breach was the result of a network intrusion that may have compromised confidential patient information. Following the same pattern, DATS officially reported the incident to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in April 2025, six months after the breach was identified.

Furthermore, both breaches were delayed in notifying regulators and affected individuals well beyond the 60-day HIPAA deadline, raising concerns about the effectiveness of their breach detection and response processes. Such delays can increase the risk of identity theft and financial fraud, as patients remain unaware of the exposure and are unable to take timely protective actions.

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)

FAQS

What is considered a data breach under HIPAA?

A data breach under HIPAA occurs when protected health information (PHI) is accessed, used, or disclosed in a way that is not permitted by law and compromises the privacy or security of the information.

Who must be notified in the event of a healthcare data breach?

Affected individuals must be notified directly. Additionally, breaches affecting 500 or more people must be reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights and, in some cases, the media.

How can healthcare organizations prevent network intrusions?

Strong cybersecurity measures such as multi-factor authentication (MFA), regular network monitoring, employee training, timely software updates, and incident response planning are essential to prevent unauthorized access.