Active breach tracker Dallas, TX Disclosed March 6, 2026

North Texas Behavioral Health Authority Data Breach 2026: 285,086 Mental Health Records Exposed Across Six Counties. What Was Stolen and What To Do

The North Texas Behavioral Health Authority disclosed in March 2026 a network intrusion that exposed names, Social Security numbers, driver's license numbers, and mental-health treatment information for 285,086 people across Dallas, Ellis, Hunt, Kaufman, Navarro, and Rockwall counties. If you received care from NTBHA or any provider in its network, here is what was taken and what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Oct 13, 2025

Unauthorized access began

Oct 15, 2025

NTBHA detected unauthorized activity

Jan 7, 2026

Forensic review confirms PHI involvement

Mar 6, 2026

Notification letters mailed; HHS OCR filing

Mar 9, 2026

Texas Attorney General filing

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number

03

Contact & insurance

Phishing + targeted scams

Full name Home address Medical information Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Migliaccio & Rathod (publicly investigating) Schubert Jonckheer & Kolbe (publicly investigating) Markovits, Stock & DeMarco (publicly investigating) Milberg PLLC (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

The North Texas Behavioral Health Authority is the state-designated Local Behavioral Health Authority for Dallas, Ellis, Hunt, Kaufman, Navarro, and Rockwall counties. It contracts with and oversees community mental-health providers across the southeast and east half of the Dallas-Fort Worth metroplex (and the rural rim around it). NTBHA operates the 24/7 regional crisis hotline (866-260-8000), coordinates mobile crisis outreach, runs residential treatment referrals, and contracts a network of outpatient mental-health and substance-use providers under Texas Health and Human Services oversight.

On October 15, 2025, NTBHA detected unauthorized third-party activity inside its network. Forensic investigation determined that the access window ran from October 13 to October 15, 2025, and that the intruder had viewed or potentially exfiltrated files containing patient information.

The forensic review concluded on January 7, 2026 that the affected files contained personally identifiable information and protected health information. NTBHA mailed notification letters and filed with the US Department of Health and Human Services Office for Civil Rights on March 6, 2026, and filed with the Texas Attorney General three days later. The filings confirmed 285,086 affected individuals.

The roughly 143-day gap between detection (October 15) and notification (March 6) has been flagged in industry coverage as potentially exceeding the HIPAA Breach Notification Rule’s 60-day clock and Texas Business and Commerce Code § 521.053. NTBHA’s position is that the time was needed to identify which records were affected.

No ransomware group has publicly claimed responsibility for the intrusion. No data tied specifically to NTBHA has been observed on dark-web leak sites.

What was stolen

The notification letter confirms that exposed data may have included:

  • Full name
  • Home address
  • Date of birth
  • Social Security number
  • Driver’s license number
  • Medical information
  • Health insurance information

Because NTBHA is a behavioral health authority, the “medical information” category here is unusually sensitive. The data plausibly includes mental-health diagnoses, behavioral-health treatment histories, and in some cases substance-use disorder treatment records protected under 42 CFR Part 2 (the federal substance-use confidentiality rule, which is stricter than HIPAA in several respects). NTBHA’s public substitute notice does not specify whether Part 2 records were in scope.

The combination of full SSN, driver’s license, date of birth, and address is a complete identity-verification kit for someone seeking to commit identity theft or medical identity theft. The mental-health-context layer on top makes this breach especially serious for stigma-sensitive uses (employment background checks, custody disputes, insurance underwriting).

Who is affected

If you, a family member, or someone you support received behavioral health services through NTBHA or its contracted providers between roughly 2018 and 2025 — including crisis line calls, mobile crisis outreach, residential treatment placement, outpatient psychotherapy through an NTBHA-contracted clinic, or substance-use disorder treatment — your record may be in the affected dataset.

NTBHA’s service area covers the eastern half of the DFW metroplex. Specific counties:

  • Dallas County (primary urban service area)
  • Ellis County
  • Hunt County
  • Kaufman County
  • Navarro County
  • Rockwall County

Many NTBHA-served patients see services through contracted community providers and may not realize NTBHA is the data-holding entity. Watch your mail for a notification letter from NTBHA, not just from your specific clinic.

What NTBHA is offering

NTBHA’s notice references complimentary credit monitoring and identity-theft protection services for individuals whose Social Security number was exposed. The vendor and duration are not specified in the public substitute notice, which is unusual and means you will need to read the mailed letter carefully for enrollment details.

  • NTBHA dedicated response line: 1-833-289-1629 (Monday to Friday, 8 a.m. to 8 p.m. Eastern, for 90 days from notification)

What to do if you received a notification letter

This week:

  1. Activate any credit monitoring offered in your letter.
  2. Place a free credit freeze at Equifax, Experian, and TransUnion. With full SSN + driver’s license + DOB exposed, this is essential.
  3. File IRS Form 14039 so a fraudulent return cannot be filed under your SSN.
  4. Review your Explanation of Benefits statements for unfamiliar mental health or substance-use treatment claims.
  5. If you have a Texas Driver’s License, monitor for fraudulent license-renewal or identity-substitution attempts. Driver’s license numbers are commonly used by fraudsters to open accounts that ask for a state ID rather than SSN.

This month:

  1. Stop the ongoing flow of your behavioral health data. HealthConsent files HIPAA restriction requests, 42 CFR Part 2 redisclosure restrictions, and state-law deletion requests so the mental health and substance-use treatment information exposed in this breach is not continuously re-shared with employers, insurers, or other entities downstream.
  2. Exercise your Texas Medical Records Privacy Act rights (Tex. Health & Safety Code Chapter 181), which provides additional protections beyond HIPAA for Texas residents.

Frequently asked questions

How do I know if I am affected?

NTBHA is mailing notification letters directly to affected individuals. If you received care from NTBHA or any of its contracted community providers between 2018 and 2025 in any of the six counties, you may be affected. If you have not received a letter, call NTBHA’s response line (833-289-1629) to confirm.

Are mental-health treatment records in the dataset?

NTBHA’s public notice describes “medical information” without specifying which categories of behavioral-health records were affected. Given that NTBHA’s entire mission is behavioral health, mental-health diagnoses, treatment plans, and case notes are plausibly in scope. The notice does not explicitly confirm whether 42 CFR Part 2 substance-use records were included.

Why did it take 143 days to notify?

NTBHA’s position is that forensic review needed to determine which individuals were affected and which records were in the compromised files. The plaintiffs’ firms now investigating have flagged the timeline as potentially exceeding the HIPAA 60-day rule.

Should I sue?

Four plaintiffs’ firms have publicly announced investigations (Migliaccio & Rathod, Schubert Jonckheer & Kolbe, Markovits Stock & DeMarco, Milberg PLLC), but no class action complaint has been filed as of mid-May 2026. NTBHA is a Texas governmental authority, which raises sovereign-immunity questions that complicate but do not automatically bar civil claims. We are not a law firm and cannot give legal advice.

Is HealthConsent affiliated with NTBHA?

No. HealthConsent is an independent health-data privacy service.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.