The Texas mental health provider disclosed a cyber incident involving extensive patient and financial data.
Denton County MHMR Center reported a data breach to the U.S. Department of Health and Human Services on November 5, 2025, after discovering unauthorized access to its systems. Federal records show that the incident affected at least 108,967 individuals nationwide. The organization later confirmed that the intrusion occurred between December 24 and December 25, 2024, and involved both personally identifiable information and protected health information.
According to the disclosures, the compromised data set included names, addresses, dates of birth, Social Security numbers, bank account information, names of treating physicians, and details of diagnoses and treatments. The combination of medical, financial, and identity data places affected individuals at heightened risk for identity theft, financial fraud, and misuse of health information. While Denton County MHMR Center has not publicly detailed how attackers gained access or who was responsible, the breadth of exposed data suggests a significant compromise of internal systems rather than a limited account incident. The provider posted a formal notice of breach on its website in February 2025 and began notifying impacted individuals by mail.
Denton County MHMR Center stated that it took steps to secure its environment after discovering the intrusion and implemented additional safeguards to prevent further unauthorized access. The organization also established a dedicated call center to assist affected individuals and provided guidance on monitoring accounts and remaining alert to suspicious communications. Officials stressed that the investigation did not find evidence of ongoing access at the time of disclosure, though reviews of the incident and internal controls are continuing.
Mental health organizations are facing growing exposure as both demand for digital services and attacker interest increase. A 2024 peer-reviewed study published in the Journal of Medical Internet Research noted a “surge in the supply and demand of digital mental health support services,” alongside “high-profile cyberattacks specifically targeting mental health and behavioral services.” The researchers warned that cyber incidents involving mental health data can have consequences that are “especially devastating to vulnerable people,” given the sensitivity of diagnoses, treatment histories, and personal circumstances. Unlike many healthcare records, mental health data often remains relevant for decades, meaning breaches can create long-term privacy and safety risks not only for patients, but also for families, caregivers, and support networks.
They often include diagnostic details, treatment histories, and care relationships that can cause long-term privacy harm if misused or disclosed.
Yes. Financial information increases the likelihood of direct monetary fraud in addition to identity theft and medical misuse.
Public and nonprofit health organizations frequently operate with limited security resources, which can increase exposure when attackers gain internal access.