Data Breach at Texas Mental Health Center Exposes Sensitive Information of 109,000 Patients
A Texas mental health provider has disclosed a significant data breach affecting more than 108,000 individuals, with cybercriminals gaining access to highly sensitive personal and medical information during the 2024 holiday season. The incident, reported to federal health authorities in November 2025, represents one of the most severe breaches in the U.S. mental healthcare sector this year.
The Denton County MHMR Center discovered unauthorized access to its systems last December, with the breach occurring over a two-day period when many organizations operate with reduced staffing. The compromised data includes names, Social Security numbers, bank account information, and detailed diagnosis and treatment records—information that could expose vulnerable patients to identity theft, financial fraud, and privacy violations.
Background and Context
The breach highlights ongoing cybersecurity challenges facing healthcare providers, particularly mental health facilities that maintain especially sensitive patient records. According to federal data, healthcare breaches have increased significantly in recent years, and mental health providers have become more attractive targets because of the comprehensive nature of their records. The Denton center, which provides mental health and intellectual disability services to North Texas residents, handles some of the most sensitive personal information in the healthcare ecosystem.
Key Figures and Entities
The Denton County MHMR Center, a publicly funded mental health provider serving approximately 15,000 residents annually, confirmed the breach in a public notice posted February 21, 2025. While the organization has not released specific details about the attackers, federal breach reports indicate the incident was classified as a hacking/IT incident. The center has established a dedicated call center at 877-514-2238 for affected individuals seeking assistance.
Legal and Financial Mechanisms
Under the Health Insurance Portability and Accountability Act (HIPAA), healthcare providers must notify affected individuals following breaches of unsecured protected health information. The center has mailed notifications to all 108,967 impacted individuals and recommended specific protective measures, including credit freezes and fraud alerts. The combination of financial information (bank account details) with health records creates compounded risks for victims, as medical identity theft can be particularly difficult to detect and resolve.
International Implications and Policy Response
While this breach occurred at a local Texas provider, it reflects broader national challenges in securing healthcare infrastructure. Federal regulators have increasingly emphasized healthcare cybersecurity following warnings from intelligence agencies about targeted attacks on medical facilities. The incident underscores the need for enhanced security protocols across the healthcare sector, particularly for organizations serving vulnerable populations whose data could be exploited for extortion or discrimination.
Sources
This report draws on the U.S. Department of Health and Human Services breach database, Denton County MHMR Center's official public notice, HIPAA breach notification requirements, and federal cybersecurity guidance for healthcare providers. Information was also obtained from HHS breach reporting statistics and the Department of Homeland Security's cybersecurity alerts for the healthcare sector.