Dallas County MHMR dba Metrocare Services Data Breach 2025: 553 Affected · Unauthorized Email Disclosure · TX. Filed With HHS OCR. What To Do.
Dallas County MHMR dba Metrocare Services (TX), a community mental health and IDD provider, filed a HIPAA breach notification with HHS OCR on April 3, 2025, reporting 553 affected individuals. An employee sent encrypted emails containing PHI outside the Metrocare network between June 4, 2023 and February 6, 2025. Exposed data included names, Medical Record Numbers, State Identification Numbers, and admission/discharge dates.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jun 4, 2023
other
Feb 6, 2025
detected
Feb 6, 2025
Breach detected
Apr 3, 2025
filed
Apr 3, 2025
Disclosed publicly
Apr 4, 2025
notified
Jun 4, 2023
other
Feb 6, 2025
detected
Feb 6, 2025
Breach detected
Apr 3, 2025
filed
Apr 3, 2025
Disclosed publicly
Apr 4, 2025
notified
Data exposed
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Dallas County MHMR dba Metrocare Services, the local mental health authority for Dallas County and one of the largest community mental health centers in Texas, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on April 3, 2025, reporting 553 affected individuals. According to Metrocare’s own April 4, 2025 media notification, an employee sent encrypted emails containing protected health information outside the Metrocare network to a non-Metrocare email account between June 4, 2023 and February 6, 2025, the date the unauthorized data sharing was discovered. The emails were then shared, without Metrocare’s permission, to the network of another healthcare provider where the same individual was also employed.
Timeline
- June 4, 2023 — Start of the period during which unauthorized PHI disclosures occurred, per Metrocare’s media notification.
- February 6, 2025 — Metrocare became aware of the unauthorized data sharing event affecting 553 clients.
- April 3, 2025 — Breach reported to HHS OCR as an Unauthorized Access/Disclosure event at Email and Network Server.
- April 4, 2025 — Metrocare issued a public media notification describing the incident and remediation.
What was exposed
Per Metrocare’s notification, the disclosed PHI was limited to:
- First and last names
- Medical Record Numbers (MRN)
- State Identification Numbers (SID)
- Admission and discharge dates for services with Metrocare
Metrocare states that Social Security numbers, financial account information, and clinical notes were not included in the encrypted emails involved in this specific incident. The affected dataset is a subset of Metrocare’s roughly 50,000 annual clients.
Why this incident is sensitive even at 553 records
Metrocare Services is a community mental health center (CMHC) and the designated local intellectual and developmental disability authority (LIDDA) for Dallas County. The fact that an individual appears in Metrocare’s medical record system is, by itself, evidence that the person sought or received behavioral health, substance use, or IDD services from a public mental health provider. That contextual disclosure is far more sensitive than the same data fields would be at a general acute-care hospital:
- Behavioral health stigma. Confirmation that a person is a Metrocare client signals serious mental illness, substance use treatment, or developmental disability, categories with documented impact on employment, custody, housing, and insurance decisions.
- IDD population vulnerability. Many Metrocare clients receive services under HCS, TxHmL, or other IDD waiver programs, and a portion are legally incapacitated adults whose guardians, not the clients themselves, can detect or respond to misuse.
- Medicaid and indigent-care overlap. A large share of Metrocare’s roster is Medicaid-enrolled or county-indigent, populations already at elevated risk of benefits fraud and identity-driven enrollment abuse.
- State ID number exposure. The SID (State Identification Number) issued by Texas behavioral health systems is, in combination with name and date-of-service, sufficient to correlate a person to a CMHC episode of care.
What Metrocare is offering
Metrocare’s April 4, 2025 media notification describes the response as an internal investigation, deletion of the disclosed information from the receiving healthcare provider’s servers, and ongoing staff training. The publicly available notice does not announce complimentary credit monitoring or identity theft protection for the 553 affected individuals in this specific incident. Affected clients should review the individual notification letter they receive for any specific offering, deadlines, and enrollment codes.
Class-action status
As of this page’s last update, no class-action complaint has been publicly identified that specifically targets the 553-individual April 2025 Metrocare incident. The publicized plaintiff-firm investigations into Metrocare (including Cole & Van Note) are aimed at the separate, later 2025 incident involving approximately 8,599 patients disclosed in October 2025, which is a distinct breach from the one filed on April 3, 2025 and described on this page.
What to do if you may be affected
- Read your Metrocare notification letter carefully. It will name the specific data elements involved and any complimentary identity protection services offered to you.
- Treat your State Identification Number (SID) as sensitive. The SID is used to link records across Texas behavioral health systems. If yours was exposed, note it and watch for any out-of-pattern outreach claiming knowledge of your Metrocare history.
- Watch for behavioral health phishing. Targeted scams aimed at CMHC patients often impersonate clinic schedulers, prescription assistance, or Medicaid renewal teams. Verify any unexpected outreach by calling Metrocare directly at the number printed on prior official correspondence, not on the message you received.
- Freeze your credit with the three nationwide consumer reporting agencies if you have not already. It is free and takes about ten minutes per bureau.
- For guardians of IDD clients: review any communications addressed to the client and monitor for unusual changes in benefits, prescriptions, or appointments. Report concerns to Metrocare’s privacy office.
Sources on this page
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach.
- Metrocare Services Media Notification (April 4, 2025) — the entity’s own statement, source of the 553 figure, the June 4, 2023 to February 6, 2025 disclosure window, and the exposed-data list.
- Metrocare Services Press Releases — index page on which the April 4, 2025 notification is hosted.
- HIPAA Journal — Heritage Communities & Metrocare Services Data Breach — independent trade-press summary corroborating Metrocare’s account.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Metrocare Services Media Notification (April 4, 2025)
- Metrocare Services Press Releases
- HIPAA Journal — Heritage Communities & Metrocare Services Data Breach
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.