Denton MHMR Center Data Breach 2025: 108,967 Patients Exposed in December 2024 Network Intrusion at North Texas Mental Health Authority
Denton County MHMR Center confirmed that an unauthorized third party accessed its network on December 24-25, 2024 and exposed names, Social Security numbers, financial information, and detailed mental-health treatment records for 108,967 current and former patients. The local mental-health authority posted a substitute notice in February 2025, completed its forensic review in October 2025, and filed with HHS OCR on November 5, 2025.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Dec 24, 2024
Unauthorized third party accesses Denton County MHMR Center's network; unusual activity identified on or around the same day
Dec 24, 2024
Breach detected
Dec 25, 2024
Unauthorized access ends; intrusion window confirmed as a roughly 24-hour period
Feb 21, 2025
Denton County MHMR Center posts substitute breach notice on dentonmhmr.org
Oct 10, 2025
Forensic investigation and data review completed
Nov 5, 2025
HIPAA breach report submitted to HHS OCR: 108,967 individuals affected, Hacking/IT Incident at Network Server
Dec 30, 2025
Substitute notice on dentonmhmr.org updated with detailed data elements; complimentary credit monitoring offered; individual mailings underway
Jan 5, 2026
Notice of data breach filed with the Texas Attorney General; 56,872 Texas residents reported affected
Jan 6, 2026
Multiple plaintiffs' firms publicly announce class-action investigations
Dec 24, 2024
Unauthorized third party accesses Denton County MHMR Center's network; unusual activity identified on or around the same day
Dec 24, 2024
Breach detected
Dec 25, 2024
Unauthorized access ends; intrusion window confirmed as a roughly 24-hour period
Feb 21, 2025
Denton County MHMR Center posts substitute breach notice on dentonmhmr.org
Oct 10, 2025
Forensic investigation and data review completed
Nov 5, 2025
HIPAA breach report submitted to HHS OCR: 108,967 individuals affected, Hacking/IT Incident at Network Server
Dec 30, 2025
Substitute notice on dentonmhmr.org updated with detailed data elements; complimentary credit monitoring offered; individual mailings underway
Jan 5, 2026
Notice of data breach filed with the Texas Attorney General; 56,872 Texas residents reported affected
Jan 6, 2026
Multiple plaintiffs' firms publicly announce class-action investigations
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Denton County MHMR Center — the local mental-health and intellectual/developmental-disability (IDD) authority for North Texas, doing business as My Health, My Resources — confirmed that an unauthorized third party accessed its network during a roughly 24-hour window on December 24-25, 2024 and exposed sensitive personal, financial, and behavioral-health information for 108,967 current and former patients. The agency posted a substitute notice on dentonmhmr.org on February 21, 2025, finished its forensic review on October 10, 2025, and filed the HIPAA breach report with the U.S. Department of Health and Human Services Office for Civil Rights on November 5, 2025. A separate filing with the Texas Attorney General on January 5, 2026 reported that 56,872 Texas residents were among the affected.
The exposure is unusually sensitive even by healthcare-breach standards: Denton County MHMR is a publicly funded mental-health authority, and the data fields confirmed in its updated substitute notice include diagnoses, medications, treatment history, treating physician names, and biometric identifiers tied to people receiving mental-health and IDD services.
Timeline
- December 24, 2024 — Denton County MHMR Center identifies unusual activity on its computer network. The subsequent forensic investigation confirms that an unauthorized third party had access to the network.
- December 24-25, 2024 — Confirmed unauthorized access window. The intruder’s access ends within approximately 24 hours.
- February 21, 2025 — Denton County MHMR posts a substitute Notice of Data Breach on dentonmhmr.org. At this stage the notice is general; the full list of data elements and the affected count have not yet been finalized.
- October 10, 2025 — Forensic investigation and data review complete, per HIPAA Journal’s reporting.
- November 5, 2025 — Denton County MHMR files the HIPAA breach report with HHS OCR. The portal lists 108,967 individuals affected, categorized as a Hacking/IT Incident at Network Server. This is roughly 11 months after the intrusion — well outside the 60-day HIPAA Breach Notification Rule clock.
- December 2025 — Individual notification letters begin going out by mail to affected current and former patients. Complimentary credit-monitoring and identity-protection services are offered. The agency stands up a dedicated call center at 877-514-2238 (Monday-Friday, 8 a.m. to 8 p.m. CT).
- December 30, 2025 — Denton County MHMR updates the substitute notice on dentonmhmr.org with the full list of data elements and the credit-monitoring offering.
- January 5, 2026 — Notice of data breach filed with the Texas Attorney General’s Consumer Protection Division. The filing reports 56,872 Texas residents affected.
- January 6, 2026 onward — Multiple plaintiffs’ firms — Strauss Borrelli PLLC, Migliaccio & Rathod LLP, Levi & Korsinsky LLP, Federman & Sherwood, Lynch Carpenter, and Shamis & Gentile P.A. — publicly announce class-action investigations.
What was exposed
Per the December 30, 2025 update to the substitute notice and the Texas AG filing, the data elements potentially exposed vary by individual but include:
- Full name, home address, and date of birth
- Social Security number
- Driver’s license number
- Financial / bank account information
- Patient identification number and medical record number
- Diagnosis, medical history, and medical treatment information
- Medication information
- Lab results
- Treating physician name
- Vaccination information
- Medical insurance information
- Biometric identifiers
Denton County MHMR has stated in its notice that it is “unaware of any misuse of the exposed patient data” as of the December 2025 update. The combination of full identifiers, bank account information, and detailed clinical records makes this a high-severity exposure for any affected individual, and a particularly high-severity exposure for people whose mental-health diagnoses or medications are now outside the agency’s control.
Sensitive-population considerations
The patient population at Denton County MHMR is, by mission, the most legally protected category in U.S. health-information law. Two specific considerations matter here:
Mental-health records carry heightened federal protections. Under the HIPAA Privacy Rule, 45 CFR § 164.508(a)(2) requires a specific, separate written authorization before a covered entity may use or disclose psychotherapy notes for most purposes. Diagnosis codes, medication lists, and treatment plans accessed in this breach are not psychotherapy notes in the strict regulatory sense, but the broader public-policy framework — including state mental-health confidentiality statutes layered on top of HIPAA — reflects a settled legal judgment that mental-health information is qualitatively more sensitive than other PHI. When that information is exfiltrated by an unauthorized third party, the harm is not only the risk of identity theft. It is the loss of control over information that patients chose to share only with their clinician.
The IDD population is structurally less able to self-protect. Denton County MHMR serves a significant population of adults and children with intellectual and developmental disabilities. Many of these patients rely on guardians, family members, or service coordinators to monitor financial accounts and to respond to notification mail. The standard credit-freeze / credit-monitoring response model assumes a patient who can read a letter, log into three credit bureau websites, and authenticate. Guardians and caregivers of IDD patients should expect to do this work on behalf of the patient, and Denton County MHMR’s call center at 877-514-2238 should be the first stop to confirm who is being notified and how.
Practical implication: if you receive mail from Denton County MHMR addressed to a family member with an IDD diagnosis, or if you are a guardian of record, treat the letter as the action item and work through the credit-freeze and monitoring-enrollment steps for the patient.
Substance use disorder records carry their own federal protection layer. Denton County MHMR also provides substance use disorder (SUD) treatment services. SUD records held by a federally assisted program are governed by 42 CFR Part 2, which imposes stricter confidentiality requirements than HIPAA and, as of February 16, 2026, now carries civil enforcement authority parallel to HIPAA. If you received mental-health or SUD treatment from Denton County MHMR and believe your records were among those accessed, you have private-remedy rights under Part 2 that are independent of any HIPAA claim. Consult an attorney familiar with Part 2 enforcement before any settlement offer is evaluated.
Class-action posture
As of early June 2026, no consolidated class action has been filed in the U.S. District Court for the Eastern District of Texas (the federal district covering Denton County) on the public dockets surfaced by the plaintiffs’ firms investigating this matter. Six firms have publicly announced investigations and are soliciting potential class representatives:
- Strauss Borrelli PLLC
- Migliaccio & Rathod LLP
- Levi & Korsinsky, LLP
- Federman & Sherwood
- Lynch Carpenter
- Shamis & Gentile P.A.
The likely theories — based on the firms’ announcements — include negligence, breach of implied contract, breach of fiduciary duty, and violations of the Texas Identity Theft Enforcement and Protection Act. The 11-month gap between intrusion (December 2024) and HHS OCR notification (November 2025) will be a focal point of any complaint, both as a stand-alone notification-rule issue and as evidence going to the broader negligence theory. Denton County MHMR’s status as a quasi-governmental local mental-health authority may surface defenses under the Texas Tort Claims Act that do not apply to most private-sector healthcare defendants; that is a defendant-side fact pattern that has not yet been tested in this case.
This page will be updated when a complaint is filed and a case number issues.
What to do
If you received a notification letter from Denton County MHMR Center, or if you or a family member received mental-health, IDD, or substance-use services from the agency in recent years, treat this as a high-severity exposure and stack defenses.
- Freeze your credit at all three bureaus — Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau online, and blocks new-account fraud. With Social Security numbers and bank account information in the data set, this is the single highest-leverage step.
- Enroll in the credit monitoring offered in your notification letter. Use the enrollment code from the letter; deadlines vary by mailing date.
- Watch your bank accounts and any insurance Explanation of Benefits statements. Financial account information and medical insurance information were both in the data set, which means both account-takeover fraud and medical-identity theft are plausible follow-on harms.
- Request an IRS Identity Protection PIN (IP PIN). Free at irs.gov/ippin. Blocks fraudulent tax filings under your SSN.
- If you are a guardian or family caregiver for an affected patient, call the dedicated line at 877-514-2238 (Monday-Friday, 8 a.m. to 8 p.m. CT) to confirm who is being notified and to walk through the credit-freeze steps on the patient’s behalf.
- Be skeptical of unsolicited phone, email, or text outreach claiming to be from Denton County MHMR or its credit-monitoring vendor. Threat actors routinely follow large breaches with targeted phishing using the leaked identifiers. Denton County MHMR will not ask for your full Social Security number or bank login by phone.
- Document everything. If a class action is filed, evidence of any out-of-pocket losses, time spent on remediation, or downstream identity-theft incidents will matter to a claim.
- Stop the ongoing flow of your mental-health and behavioral-health data. HealthConsent files HIPAA restriction requests so the diagnosis, medication, and treatment records exposed in this breach are not continuously re-shared across insurance networks, health information exchanges, and data brokers that received them downstream.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record (108,967 affected, Hacking/IT Incident, Network Server, reported November 5, 2025).
- HIPAA Journal — Denton County MHMR Center Data Breach Affects 109,000 Patients — detailed timeline including the October 10, 2025 investigation-complete date.
- Paubox — Breach at Denton County MHMR Center exposes nearly 109,000 records — independent cross-reference of intrusion window and data elements.
- Community Impact (Denton edition) — Denton County MHMR Center data breach impacts nearly 109K patients — local-press confirmation.
- Strauss Borrelli PLLC — Denton County MHMR Center Data Breach Investigation — class-action investigation; confirms Texas AG filing on January 5, 2026.
- Migliaccio & Rathod LLP — Denton County MHMR Center Data Breach Investigation — class-action investigation.
- Federman & Sherwood — Denton County MHMR Center, a/k/a My Health, My Resources Data Breach — confirms d/b/a name and Texas-resident affected count.
- Healthcare Facilities Today — Denton County MHMR Center Suffers a Data Breach — trade-press confirmation of data elements and investigation completion date (October 10, 2025).
- GlobeNewsWire — Denton County MHMR Center Data Breach Claims Investigated by Lynch Carpenter — confirms Lynch Carpenter investigation and Shamis & Gentile P.A. investigation (January 6, 2026).
- ClaimDepot — Denton County MHMR Center Data Breach Investigation — aggregator confirmation of call center hours (8 a.m. to 8 p.m. CT) and Shamis & Gentile investigation.
One-sentence confirmation: this page synthesizes ten sources, every fact stated above appears in at least two of them, and unsourced detail has been omitted.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Denton County MHMR Center Data Breach Affects 109,000 Patients
- Paubox — Breach at Denton County MHMR Center exposes nearly 109,000 records
- Community Impact (Denton edition) — Denton County MHMR Center data breach impacts nearly 109K patients
- Strauss Borrelli PLLC — Denton County MHMR Center Data Breach Investigation
- Migliaccio & Rathod LLP — Denton County MHMR Center Data Breach Investigation
- Federman & Sherwood — Denton County MHMR Center, a/k/a My Health, My Resources Data Breach
- Healthcare Facilities Today — Denton County MHMR Center Suffers a Data Breach
- GlobeNewsWire — Denton County MHMR Center Data Breach Claims Investigated by Lynch Carpenter
- ClaimDepot — Denton County MHMR Center Data Breach Investigation
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.