Evoke Wellness Data Breach: Confusion Over Timeline, Scope, and Insider Threat
On February 27, 2026, Evoke Wellness at Hilliard a Ohio-based addiction treatment center filed a breach notification with the Maine Attorney General’s Office, reporting unauthorized access to patient data affecting 261 individuals. The incident, which allegedly occurred on July 7, 2024, was only discovered by the organization on August 7, 2025, according to the filing. However, the notification raised questions about the timeline and nature of the breach, as it failed to clarify whether this was a new incident or an update to a previously disclosed insider-wrongdoing case.
The confusion stems from earlier reports in June 2025, when 10TV News revealed that a former Evoke employee had been accused of misusing access to patient records between November 2021 and July 2024. The employee allegedly sold sensitive data on the dark web or used it for fraud, with authorities discovering evidence during a traffic stop on October 10, 2024. At the time, 240 victims were identified, though investigators suspected more. Evoke was first notified of the breach by law enforcement on May 20, 2025, and later issued patient notifications on July 17 and September 26, 2025, acknowledging that the breach involved highly sensitive data, including Social Security numbers, medical records, insurance details, and payment card information.
The December 2025 filing with the U.S. Department of Health and Human Services (HHS) reported 1,629 affected patients, a figure that remains unupdated. Yet the recent Maine notification submitted nearly a year after the initial discovery claimed only 261 individuals were impacted, with no mention of the insider threat or dark web involvement. The discrepancy has left cybersecurity observers questioning whether this was a separate incident or an incomplete update to the earlier breach.
Adding to the scrutiny, Evoke had recently settled a $1.9 million Federal Trade Commission (FTC) case in July 2025 over deceptive advertising practices, including impersonating rival treatment centers in Google ads. The settlement required compliance with stricter transparency measures, though the organization did not admit wrongdoing. As of the latest filing, Evoke has not provided further clarification on the conflicting breach reports.
Source: https://databreaches.net/2026/03/02/evoke-wellness-at-hilliard-updates-its-breach-notification/
Evoke Wellness cybersecurity rating report: https://www.rankiteo.com/company/evokewellness
"id": "EVO1772490245",
"linkid": "evokewellness",
"type": "Breach",
"date": "7/2024",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': ['261 (Maine AG filing)',
'1,629 (HHS filing)',
'240 (initial reports)'],
'industry': 'Healthcare',
'location': 'Hilliard, Ohio, USA',
'name': 'Evoke Wellness at Hilliard',
'type': 'Addiction Treatment Center'}],
'attack_vector': 'Insider Access Misuse',
'customer_advisories': 'Patient notifications issued on July 17 and September '
'26, 2025',
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': ['261', '1,629', '240'],
'personally_identifiable_information': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Social Security numbers',
'Medical records',
'Insurance details',
'Payment card information']},
'date_detected': '2025-08-07',
'date_publicly_disclosed': '2025-07-17',
'description': 'Evoke Wellness at Hilliard, an Ohio-based addiction treatment '
'center, reported unauthorized access to patient data '
'affecting 261 individuals. The incident involved an insider '
'threat where a former employee allegedly misused access to '
'patient records between November 2021 and July 2024, selling '
'sensitive data on the dark web or using it for fraud. The '
'breach was discovered in August 2025, with conflicting '
'reports on the number of affected individuals and the '
'timeline of events.',
'impact': {'brand_reputation_impact': True,
'data_compromised': True,
'identity_theft_risk': True,
'legal_liabilities': True,
'payment_information_risk': True},
'initial_access_broker': {'data_sold_on_dark_web': True},
'investigation_status': 'Ongoing',
'motivation': ['Financial Gain', 'Fraud'],
'post_incident_analysis': {'root_causes': 'Insider threat, unauthorized '
'access by former employee'},
'references': [{'source': 'Maine Attorney General’s Office'},
{'source': '10TV News'},
{'source': 'U.S. Department of Health and Human Services '
'(HHS)'}],
'regulatory_compliance': {'legal_actions': ['FTC settlement for $1.9 million '
'(July 2025)'],
'regulations_violated': ['HIPAA'],
'regulatory_notifications': ['Maine Attorney '
"General's Office",
'U.S. Department of '
'Health and Human '
'Services (HHS)']},
'response': {'communication_strategy': 'Patient notifications issued on July '
'17 and September 26, 2025',
'law_enforcement_notified': True},
'threat_actor': 'Former Employee',
'title': 'Evoke Wellness Data Breach: Confusion Over Timeline, Scope, and '
'Insider Threat',
'type': ['Data Breach', 'Insider Threat'],
'vulnerability_exploited': 'Unauthorized Access by Employee'}