Data Breaches Announced by Heritage Communities & Metrocare Services
The senior living company Heritage Communities and the Dallas mental health care company Metrocare Services have announced security incidents that exposed sensitive patient data.
Heritage Communities, Nebraska
Heritage Communities, a senior living company based in Omaha, Nebraska, has recently announced a breach of the personal and protected health information of current and former residents. The data breach affected the company Heritage Holdings LP, a business associate of Heritage Communities, Orchard Pointe, and OnCare Health. On or around September 16, 2025, a network intrusion was identified, and third-party cybersecurity experts were engaged to investigate the incident. The investigation confirmed that an unauthorized actor gained access to its network and a limited amount of protected health information. The forensic investigation could not rule out the possibility that sensitive data was exfiltrated from its network.
The review of the affected data confirmed that a range of data types were exposed, including first and last names, Social Security numbers, driver’s license numbers, bank account information, credit card information, dates of birth, addresses, phone numbers, email addresses, medication information, healthcare diagnosis information, test results, and healthcare provider information. The types of information involved varied from individual to individual.
Additional security measures have been implemented in response to the data breach, and data security policies and procedures are being reviewed. While no misuse of the affected data has been identified, the affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their accounts and explanation of benefits statements. The Worldleaks threat group claimed responsibility for the attack and added Heritage Communities to its dark web data leak site. If the claim is genuine, it suggests that a ransom demand was issued that was not paid.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Metrocare Services, Texas
Metrocare Services, a Dallas, TX-based provider of mental health services to individuals in North Texas, has identified an impermissible disclosure of patient information. On September 9, 2025, an employee sent an encrypted email from their work account to a personal email account, and the email was later shared on an unauthorized network. The investigation confirmed that the encrypted email contained the protected health information of approximately 8,600 patients, including names, medical record numbers, appointment times, doctors’ names, dates of service, and duration and costs of service.
Metrocare Services said it worked with the employee to ensure that the email was deleted from their personal email account, including the trash folder, and said no evidence was found to indicate that the data was further shared or was accessed by anyone other than the employee who was authorized to access the information.
