Active breach tracker Dallas, TX Disclosed April 3, 2025

Dallas County MHMR dba Metrocare Services Data Breach 2025: 553 Affected · Unauthorized Email Disclosure · TX. Filed With HHS OCR. What To Do.

Dallas County MHMR dba Metrocare Services (TX), a community mental health and IDD provider, filed a HIPAA breach notification with HHS OCR on April 3, 2025, reporting 553 affected individuals. An employee sent encrypted emails containing PHI outside the Metrocare network between June 4, 2023 and February 6, 2025. Exposed data included names, Medical Record Numbers, State Identification Numbers, and admission/discharge dates.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jun 4, 2023

other

Feb 6, 2025

detected

Feb 6, 2025

Breach detected

Apr 3, 2025

filed

Apr 3, 2025

Disclosed publicly

Apr 4, 2025

notified

Data exposed

02

Health records

Don't expire and can't be reissued

Medical Record Numbers (MRN)

03

Contact & insurance

Phishing + targeted scams

First and last names State Identification Numbers (SID) Admission and discharge dates for services with Metrocare
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Dallas County MHMR dba Metrocare Services, the local mental health authority for Dallas County and one of the largest community mental health centers in Texas, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on April 3, 2025, reporting 553 affected individuals. According to Metrocare’s own April 4, 2025 media notification, an employee sent encrypted emails containing protected health information outside the Metrocare network to a non-Metrocare email account between June 4, 2023 and February 6, 2025, the date the unauthorized data sharing was discovered. The emails were then shared, without Metrocare’s permission, to the network of another healthcare provider where the same individual was also employed.

Timeline

  • June 4, 2023 — Start of the period during which unauthorized PHI disclosures occurred, per Metrocare’s media notification.
  • February 6, 2025 — Metrocare became aware of the unauthorized data sharing event affecting 553 clients.
  • April 3, 2025 — Breach reported to HHS OCR as an Unauthorized Access/Disclosure event at Email and Network Server.
  • April 4, 2025 — Metrocare issued a public media notification describing the incident and remediation.

What was exposed

Per Metrocare’s notification, the disclosed PHI was limited to:

  • First and last names
  • Medical Record Numbers (MRN)
  • State Identification Numbers (SID)
  • Admission and discharge dates for services with Metrocare

Metrocare states that Social Security numbers, financial account information, and clinical notes were not included in the encrypted emails involved in this specific incident. The affected dataset is a subset of Metrocare’s roughly 50,000 annual clients.

Why this incident is sensitive even at 553 records

Metrocare Services is a community mental health center (CMHC) and the designated local intellectual and developmental disability authority (LIDDA) for Dallas County. The fact that an individual appears in Metrocare’s medical record system is, by itself, evidence that the person sought or received behavioral health, substance use, or IDD services from a public mental health provider. That contextual disclosure is far more sensitive than the same data fields would be at a general acute-care hospital:

  • Behavioral health stigma. Confirmation that a person is a Metrocare client signals serious mental illness, substance use treatment, or developmental disability, categories with documented impact on employment, custody, housing, and insurance decisions.
  • IDD population vulnerability. Many Metrocare clients receive services under HCS, TxHmL, or other IDD waiver programs, and a portion are legally incapacitated adults whose guardians, not the clients themselves, can detect or respond to misuse.
  • Medicaid and indigent-care overlap. A large share of Metrocare’s roster is Medicaid-enrolled or county-indigent, populations already at elevated risk of benefits fraud and identity-driven enrollment abuse.
  • State ID number exposure. The SID (State Identification Number) issued by Texas behavioral health systems is, in combination with name and date-of-service, sufficient to correlate a person to a CMHC episode of care.

What Metrocare is offering

Metrocare’s April 4, 2025 media notification describes the response as an internal investigation, deletion of the disclosed information from the receiving healthcare provider’s servers, and ongoing staff training. The publicly available notice does not announce complimentary credit monitoring or identity theft protection for the 553 affected individuals in this specific incident. Affected clients should review the individual notification letter they receive for any specific offering, deadlines, and enrollment codes.

Class-action status

As of this page’s last update, no class-action complaint has been publicly identified that specifically targets the 553-individual April 2025 Metrocare incident. The publicized plaintiff-firm investigations into Metrocare (including Cole & Van Note) are aimed at the separate, later 2025 incident involving approximately 8,599 patients disclosed in October 2025, which is a distinct breach from the one filed on April 3, 2025 and described on this page.

What to do if you may be affected

  • Read your Metrocare notification letter carefully. It will name the specific data elements involved and any complimentary identity protection services offered to you.
  • Treat your State Identification Number (SID) as sensitive. The SID is used to link records across Texas behavioral health systems. If yours was exposed, note it and watch for any out-of-pattern outreach claiming knowledge of your Metrocare history.
  • Watch for behavioral health phishing. Targeted scams aimed at CMHC patients often impersonate clinic schedulers, prescription assistance, or Medicaid renewal teams. Verify any unexpected outreach by calling Metrocare directly at the number printed on prior official correspondence, not on the message you received.
  • Freeze your credit with the three nationwide consumer reporting agencies if you have not already. It is free and takes about ten minutes per bureau.
  • For guardians of IDD clients: review any communications addressed to the client and monitor for unusual changes in benefits, prescriptions, or appointments. Report concerns to Metrocare’s privacy office.

Sources on this page

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.