Metrocare Services

Metrocare Services, a major mental health service provider in Dallas County, experienced an unauthorized data exposure incident affecting nearly 8,600 clients. On September 9, an employee sent an encrypted email containing protected health information (PHI), including full names, medical record numbers, appointment details, doctor names, and service costs, from their work account to their personal email; the email was later shared on an unauthorized network. Metrocare confirmed the email was deleted from both the inbox and trash folders and found no evidence of misuse beyond the unauthorized access by the employee. The breach involved sensitive mental health and developmental disability records, posing risks of privacy violations and potential reputational harm. Metrocare is the largest provider in the county, serving over 50,000 individuals annually, and the incident highlights vulnerabilities in internal data handling, particularly employee-driven leaks of confidential client information.

Source: https://www.nbcdfw.com/news/local/metrocare-services-protected-health-information-shared/3948945/

Metrocare Services cybersecurity rating report: https://www.rankiteo.com/company/metrocare-services

"id": "MET1493814112525",
"linkid": "metrocare-services",
"type": "Breach",
"date": "9/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'customers_affected': '8,600',
                        'industry': 'Healthcare (Mental Health, Developmental '
                                    'Disability, and Supported Housing '
                                    'Services)',
                        'location': 'Dallas County, Texas, USA',
                        'name': 'Metrocare Services',
                        'size': 'Large (serves over 50,000 clients annually)',
                        'type': 'Non-profit Organization'}],
 'attack_vector': 'Insider Threat (Accidental/Intentional Misuse)',
 'customer_advisories': 'Public notification via media; no direct advisory '
                        'mentioned',
 'data_breach': {'data_encryption': 'Yes (email was encrypted)',
                 'data_exfiltration': 'Yes (shared on unauthorized network)',
                 'file_types_exposed': 'Email (containing structured client '
                                       'data)',
                 'number_of_records_exposed': '8,600',
                 'personally_identifiable_information': 'Yes (names, medical '
                                                        'record numbers, '
                                                        'appointment details)',
                 'sensitivity_of_data': 'High (healthcare-related PHI)',
                 'type_of_data_compromised': ['Protected Health Information '
                                              '(PHI)',
                                              'Personally Identifiable '
                                              'Information (PII)']},
 'description': 'Metrocare Services, one of Dallas County’s largest mental '
                'health service providers, reported that the protected health '
                'information (PHI) of nearly 8,600 clients was shared without '
                'authorization. The incident began on September 9 when an '
                'employee sent an encrypted email from their work account to '
                'their personal email, which was later shared on an '
                'unauthorized network. The email contained client details such '
                "as names, medical record numbers, appointment times, doctors' "
                'names, and service costs. Metrocare investigated the '
                'incident, ensured the email was deleted, and found no '
                'evidence of misuse beyond the authorized individual.',
 'impact': {'brand_reputation_impact': 'Potential reputational harm due to '
                                       'unauthorized PHI disclosure',
            'data_compromised': ['First and last names',
                                 'Medical record numbers',
                                 'Appointment times',
                                 "Doctors' names",
                                 'Dates, durations, and costs of services'],
            'identity_theft_risk': 'Low (no evidence of misuse; data limited '
                                   'to PHI without financial identifiers)',
            'legal_liabilities': 'Possible HIPAA violations (not explicitly '
                                 'confirmed)'},
 'investigation_status': 'Completed (no evidence of further misuse)',
 'motivation': 'Unintentional (Likely accidental or negligent)',
 'post_incident_analysis': {'root_causes': ['Employee misuse of work email '
                                            '(sent to personal account)',
                                            'Lack of controls to prevent '
                                            'unauthorized sharing of encrypted '
                                            'emails',
                                            'Possible insufficient training on '
                                            'PHI handling']},
 'references': [{'source': 'NBC 5 DFW', 'url': 'https://www.nbcdfw.com'}],
 'regulatory_compliance': {'regulations_violated': 'Potential HIPAA violation '
                                                   '(unauthorized PHI '
                                                   'disclosure)'},
 'response': {'communication_strategy': 'Public disclosure via media (NBC 5 '
                                        'DFW)',
              'containment_measures': ['Email deleted from inbox and trash '
                                       'folders of the personal account',
                                       'Employee cooperation to remove '
                                       'unauthorized data'],
              'incident_response_plan_activated': 'Yes (investigation '
                                                  'conducted)'},
 'threat_actor': 'Internal (Employee)',
 'title': 'Unauthorized Sharing of Protected Health Information at Metrocare '
          'Services',
 'type': 'Data Breach / Unauthorized Disclosure',
 'vulnerability_exploited': 'Human Error / Policy Violation (Email '
                            'Mismanagement)'}