On February 27, external counsel for OCAT, LLC dba Evoke Wellness at Hilliard (“Evoke”), submitted a breach notification to the Maine Attorney General’s Office. The sample notification letter submitted with it claims that the Ohio addiction treatment center learned of an incident on August 7, 2025:

On August 7, 2025, OCAT became aware of unauthorized activity within its network. Upon discovery of this incident, OCAT promptly initiated an investigation to determine the cause and scope of the unauthorized activity. The investigation found that certain patient information may have been accessed without authorization. Based on these findings, OCAT is notifying all patients whose information was impacted by the incident.

The submission to Maine claimed that a total of 261 people were affected by the incident that reportedly occurred on July 7, 2024.

The letter did not explain why it took from July 7, 2024, to August 7, 2025, to discover a breach. Nor did it explain why unauthorized activity in the network was detected on August 7, 2025, stemming from an insider-wrongdoing incident that occurred by July 2024.

DataBreaches notes that the letter didn’t state it was an insider-wrongdoing incident that occurred on July 7, 2024, but the submission form itself provided that information, as illustrated below:

Evoke Wellness at Hilliard’s submission by their external counsel to the Maine Attorney General’s Office. Image: DataBreaches.net

None of this made any sense to DataBreaches, who had been aware of the insider-wrongdoing incident in June 2025.

That Was Then

On June 9, 2025, 10TV News reported that authorities were investigating a fraud and identity theft case involving a former Evoke employee. The employee allegedly misused his access as an employee to obtain patient information, which he then sold on the dark web to others who misused it, or misused it himself.

The unnamed employee reportedly worked at the addiction treatment center between November 2021 and July 2024. According to 10TV, the breach was discovered on October 10, 2024, when police found suspicious documents in the former employee’s car during a traffic stop.

At the time, 240 victims had been identified, but authorities suspected that there might be more. DataBreaches contacted Evoke on June 10, 2025, with questions about the incident, but received no reply.

On July 17, Evoke notified patients of the incident, subsequently providing an amended notification on September 26, 2025. The amended notification made clear that Evoke had not discovered the breach on its own:

We are writing further to our letter dated July 17, 2025. As you know, Evoke Wellness at Hilliard was advised by law enforcement on May 20, 2025, that information from our system was discovered in the possession of an unauthorized individual. Below, please find additional information as to the incident as well as information to protect your personal information, including instructions on how to enroll in complimentary credit monitoring and identity protection services.

What Information Was Involved

Based upon the results of our investigation, it was determined the elements of your personal information that were potentially accessed in an unauthorized manner may have included, and potentially were not limited to, your: name, physical address, email address, phone number, date of birth, Social Security Number, driver’s license/state id number, passport number, medical record number, admission dates, discharge dates, medical diagnosis information (ie. discharge type, sobriety date, allergies), pharmacy name, medication information, lab results, health insurance information, payment card information, photograph, marital status, employer, race/ethnicity, and handwritten/E-Signature. While law enforcement has shared limited details with Evoke Wellness at Hilliard as to the incident, we understand that the criminal charges filed against the suspect who potentially accessed Evoke Wellness at Hilliard information in an unauthorized manner include but are not limited to counterfeiting, forgery and identity theft.

On December 18, 2025, Evoke reported the incident to HHS as affecting 1,629 patients. That number has not been updated.

This Was Now

Now, two months later, Evoke claimed they became aware of abnormal network activity on August 7, 2025, from an insider-wrongdoing incident on July 7, 2024, and that the incident affected a total of 261 people?

DataBreaches was confused. The letter said nothing about insider wrongdoing. It said nothing about data being sold on the dark web. It said nothing about a breach that occurred on and before July 2024. Was this an unrelated breach or an update on the previously known breach? Why weren’t those being notified being given a fuller picture of what happened if this was the earlier incident?

While it is tempting to be charitable and assume there is an innocent explanation for the omissions and confusing notification, DataBreaches notes that although their external counsel received and read this site’s email requesting clarification, there has been no reply explaining the confusing reports.

DataBreaches is also aware that in June 2025, the Federal Trade Commission settled charges against Evoke for using Google ads and impersonating other addiction treatment centers. Without admitting any wrongdoing, Evoke agreed to pay $1.9 million (with the remainder of a $7 million penalty suspended based on compliance). They also have to comply with the terms of the settlement that address honesty in advertising their services. The court signed the stipulated settlement agreement on July 14, 2025.

DataBreaches hopes that Evoke will provide answers to the questions emailed to their external counsel.