North Texas behavioral practice announces breach with 285k victims

North Texas Behavioral Health Authority (NTBHA) recently began notifying patients of a large breach.

What happened

The North Texas Behavioral Health Authority (NTBHA) recently filed a data breach notice with the Department of Health and Human Services (HHS) Office of Civil Rights (OCR). According to the filing, the data breach impacted 285,086 individuals. It was reported on March 8th, 2026, but uploaded to the portal at some point between then and April 21st. The breach was described as a network hacking incident.

Going deeper

According to NTBHA’s notice, posted on their website, some individuals may have had their Social Security numbers involved. The notice did not provide any additional details about what other information may have been accessed or stolen. In the notice, NTBHA stated that the breach initially took place between October 13th, 2025, and October 15th, 2025. The incident was detected by NTBHA on October 15th, 2025, and an investigation promptly ensued and was completed on January 7th, 2026.

Why it matters

NTBHA is a certified behavioral health clinic, providing treatment for a variety of mental health issues and substance use disorder. The healthcare practice also operates a 24 hour crisis line. Considering the nature of NTBHA’s services, they handle a trove of sensitive data. Data related to mental health and substance use can be particularly private to individuals, and its exposure can feel like a deep invasion of privacy. In fact, last month, Paubox covered the HHS’ announcement of a new breach reporting website specifically aimed to protect substance use disorder records. The portal is part of a larger plan by the HHS to ensure that those facing substance use disorders are able to receive the treatment they need in a timely manner, while still preserving data security measures.

The big picture

The breach at NTBHA marks the 6th largest reported to the HHS so far in 2026, although the breach technically took place in 2025. It falls behind multiple other notable breaches, like that against Hospital Caribbean Medical Center, which impacted approximately 920,000 individuals and QualDerm, which is currently estimated to impact over 3 million people. This year, the US has faced multiple large breaches, suggesting that trends could be heading towards larger and more expensive breaches. Paubox reports have already noted that the average cost of a data breach is approximately $11 million. Class action suits also continue to be a major financial consequence for healthcare practices and as threat actors grow more sophisticated, organizations may need to invest in better software and training to prevent these attacks from forming. While preventive measures, like audits or updated software, may feel like an additional expense, it could be the deciding factor on if a breach will take place.

FAQs

Why didn’t NTBHA disclose what data was involved in the breach?

NTBHA may have decided not to state what information was involved to protect the victims’ privacy as much as possible. Generally, organizations will provide this information, but some choose not to.

Why do these investigations take so long?

Investigations into cyber events usually involve forensics (like analyzing computers and networks) and can be very time-consuming, requiring a high attention to detail. Furthermore, organizations may be coordinating with the FBI, be in communication with threat actors, or be trying to identify the threat actors. In these cases, keeping the information close, rather than sharing it publicly, can help maintain the integrity of the investigation.