
Metrocare Services, one of Dallas County's largest mental-health providers, says nearly 8,600 clients may have had protected health information shared without authorization after an employee forwarded an encrypted work email to a personal inbox on Sept. 9. The message later turned up on an unauthorized network, according to the agency, which also says it has found no evidence that anyone has misused the data. The email listed client names, medical record numbers, appointment times, clinicians, and billing details, potentially exposing highly sensitive treatment information for thousands of local patients.
What Metrocare says
As reported by NBC 5, Metrocare said the incident started when an employee sent an encrypted email from a Metrocare account to a personal email address on Sept. 9, and that the message was later discovered on an unauthorized network. According to the agency, the email contained clients' first and last names, medical record numbers, appointment times, clinicians' names, and the dates, durations, and costs of services. Metrocare said it "thoroughly investigated" what happened and removed the message from the employee's inbox and trash folders as part of that review.
Timeline and scope
KERA reported that Metrocare launched an internal investigation in October after learning the encrypted message had been shared, and that roughly 8,500 to 8,600 clients were affected. The outlet also notes that Metrocare serves more than 50,000 children, teens, and adults each year, making it Dallas County's largest provider of mental-health and developmental-disability services.
A pattern of email disclosures
This is not Metrocare's first email-related disclosure. In April, the agency reported a separate unauthorized sharing incident that affected 553 clients after staff sent encrypted messages outside the Metrocare network, according to a Metrocare press release. In that earlier notice, the organization said it worked with other providers to remove improperly shared files and stated that it found no evidence that the information had been misused.
Legal duties and what to expect
Under the HIPAA Breach Notification Rule, a covered entity that discovers a breach of unsecured protected health information must notify every affected individual without unreasonable delay and no later than 60 days after discovery, according to the U.S. Department of Health and Human Services. Breaches affecting 500 or more people must also be reported to HHS within that same 60-day window (smaller breaches are logged and reported to HHS annually), and when more than 500 residents of a state or jurisdiction are affected, prominent media outlets serving that area must be notified as well. HHS treats protected health information as "unsecured" unless it has been rendered unusable, unreadable, or indecipherable through encryption or destruction that meets its guidance, so how the message was protected at each step of its journey bears on the notification analysis. The HHS guidance also spells out what individual notices must contain and stresses that covered entities should document their investigations and mitigation steps, including any training or policy changes they adopt in response.
Next steps for clients
NBC 5 reports that Metrocare said it has a process in place for privacy inquiries and will continue training staff on best practices as part of its response to the breach. Affected clients should watch for mailed or emailed breach-notification letters explaining what was exposed and providing a contact phone number. They are also advised to monitor account statements, insurance explanation-of-benefits statements, and credit reports for activity they do not recognize. People with questions can contact Metrocare through the agency's public records and privacy channels.