On February 27, external counsel for OCAT, LLC dba Evoke Wellness at Hilliard (“Evoke”), submitted a breach notification to the Maine Attorney General’s Office. The sample notification letter submitted with it claims that the Ohio addiction treatment center learned of an incident on August 7, 2025: On August 7, 2025, OCAT became aware of unauthorized...
# Incident Report: Insider Data Theft and Sale at Evoke Wellness
## Executive Summary
Evoke Wellness at Hilliard (OCAT, LLC) experienced a prolonged data breach involving a former employee who abused their authorized access to steal sensitive patient files. The stolen data, which included highly sensitive medical and personally identifiable information (PII), was reportedly sold on the dark web and used for identity theft and forgery. The breach was not discovered by the organization internally but through a police traffic stop of the suspect and subsequent law enforcement notification.
## Incident Details
- **Discovery Date:** May 20, 2025 (via Law Enforcement notification)
- **Incident Date:** July 7, 2024 (the date cited in the filings; the unauthorized access itself spanned November 2021 to July 2024)
- **Affected Organization:** OCAT, LLC dba Evoke Wellness at Hilliard
- **Sector:** Healthcare (Addiction Treatment)
- **Geography:** Ohio, USA
## Timeline of Events
### Initial Access
- **Date/Time:** November 2021 – July 2024
- **Vector:** Insider Threat (Authorized Employee Access)
- **Details:** An employee at the treatment center used their own legitimate credentials to view patient records well beyond their business need. No credential theft or technical exploit was involved; the access was authorized at the account level and unauthorized only in purpose.
### Lateral Movement
- **Details:** None in the network sense. The individual browsed the patient management systems with their own account to collect records; no pivoting between hosts or accounts was reported, which is why host- and network-centric detections would have had nothing to fire on.
### Data Exfiltration/Impact
- **Details:** The employee removed patient records from the organization, in hard copy and likely also electronically. On **October 10, 2024**, police found suspicious documents in the suspect’s vehicle during a traffic stop. The subsequent investigation found the data being sold on the dark web.
### Detection & Response
- **May 20, 2025:** Law enforcement officially notified Evoke Wellness of the breach.
- **June 9, 2025:** Local news (10TV) publicly reported the investigation.
- **July 17, 2025:** Initial patient notifications sent.
- **August 7, 2025:** Date organization claims they became "aware of unauthorized activity" in later filings.
- **September 26, 2025:** Amended notifications sent to patients.
- **February 27, 2026:** Final breach notification submitted to the Maine Attorney General.
## Attack Methodology
- **Initial Access:** Valid accounts (insider using their own credentials)
- **Persistence:** Continued employment, and therefore continued valid access, from 2021 to 2024
- **Privilege Escalation:** None required; the individual abused the privileges already granted to their role
- **Defense Evasion:** Activity blended with legitimate daily record access, so no single event stood out
- **Collection:** Export or viewing of electronic health records (EHR); whether this was bulk or one record at a time is not stated in the filings
- **Exfiltration:** Physical removal of hard-copy documents, and likely digital transfer to dark web marketplaces
- **Impact:** Financial fraud, identity theft, and forgery using patient identities
## Impact Assessment
- **Financial:** Costs associated with 12+ months of credit monitoring for victims; potential HIPAA fines.
- **Data Breach:** Compromise of Name, SSN, DOB, Driver’s License, Passport #, Medical Diagnoses (sobriety dates, lab results), and Payment Card Info.
- **Operational:** Management of legal investigations and regulatory filings across multiple states.
- **Reputational:** High impact due to the vulnerability of the patient population (addiction recovery) and the delay in discovery/notification.
## Indicators of Compromise
- **Behavioral indicators:** An employee viewing, printing, or exporting patient records outside of their assigned caseload or outside normal working hours; a per-user volume of distinct patient records that exceeds their normal baseline; hard-copy patient files found in a personal vehicle. No technical indicators (malware, unusual hosts, external IPs) apply, since all access came through a valid account.
## Response Actions
- **Containment:** Termination of the employee in July 2024. Note that this predates discovery (May 2025) and was not a response to the breach; by the time Evoke learned of the theft, the account was already gone and there was nothing left to revoke.
- **Eradication:** Cooperation with law enforcement in the criminal investigation and prosecution of the former employee.
- **Recovery:** Offering complimentary credit monitoring and identity protection services to affected individuals.
## Lessons Learned
- **Monitoring Gap:** The organization failed to detect large-scale data misappropriation by an insider for nearly three years.
- **External Dependency:** Discovery relied entirely on a chance traffic stop by police rather than internal Data Loss Prevention (DLP) or Audit Log monitoring.
- **Reporting Discrepancies:** Contradictory dates in regulatory filings suggest a lack of coordination between legal counsel and technical forensic teams.
## Recommendations
- **Implement UEBA:** Deploy User and Entity Behavior Analytics to flag unusual patterns in patient record access.
- **Strict Access Control:** Enforce the Principle of Least Privilege (PoLP) so that employees can access only the records of patients currently under their care. In a clinical setting this usually has to be paired with a break-glass path for emergencies, so every break-glass use must be logged, justified, and reviewed rather than silently allowed.
- **Enhanced Auditing:** Regularly review access logs for high-risk data exports or bulk views of sensitive PII/PHI.
- **DLP Solutions:** Implement Data Loss Prevention tools to block or alert on unauthorized digital transfer of sensitive files, and restrict and log printing of patient records. DLP cannot stop someone walking out with paper or photographing a screen, so print volume and record-view volume per user need the same review as electronic exports.
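The behavioral indicators listed above and the auditing recommendation here both come down to the same review of EHR access logs. The following is an added example, not code from Evoke Wellness or from any product, showing how such a review can be scripted. The log format (`timestamp,user,patient_id,action`), the caseload table, the user and patient identifiers, the business-hours window, and the bulk threshold are all constructed assumptions for illustration; in practice the caseload would come from the scheduling or EHR system and the thresholds from each user's own baseline.

```python
"""Added example: review constructed EHR access-log lines for insider-misuse indicators.

Not part of the original incident report. The log format, caseload table,
user names, patient IDs, hours window and thresholds are all assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (fictional users and patients):
# timestamp,user,patient_id,action
SAMPLE_LOG = """\
2024-03-04T09:12:00,jdoe,P1001,view
2024-03-04T09:40:00,jdoe,P1002,view
2024-03-04T14:05:00,msmith,P2001,view
2024-03-04T15:30:00,msmith,P2002,print
2024-03-05T10:02:00,jdoe,P1003,view
2024-03-05T22:14:00,jdoe,P2001,view
2024-03-05T22:15:00,jdoe,P2002,export
2024-03-05T22:16:00,jdoe,P3001,export
2024-03-05T22:17:00,jdoe,P3002,export
2024-03-05T22:18:00,jdoe,P3003,export
2024-03-05T22:19:00,jdoe,P3004,export
2024-03-06T08:45:00,msmith,P2001,view
"""

# Constructed caseload assignments (hypothetical): patients each user may access.
CASELOAD = {
    "jdoe": {"P1001", "P1002", "P1003"},
    "msmith": {"P2001", "P2002"},
}

BUSINESS_HOURS = (7, 19)           # assumed: start hour inclusive, end hour exclusive
BULK_THRESHOLD = 5                 # assumed: distinct patients per user per day
SENSITIVE_ACTIONS = {"export", "print"}   # actions that move data off the system


def parse_log(text):
    """Parse the constructed CSV-like log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action})
    return events


def outside_caseload(events, caseload):
    """Events touching a patient not assigned to the acting user."""
    return [e for e in events if e["patient"] not in caseload.get(e["user"], set())]


def off_hours(events, hours=BUSINESS_HOURS):
    """Events outside the assumed business-hours window."""
    start, end = hours
    return [e for e in events if not (start <= e["ts"].hour < end)]


def bulk_access(events, threshold=BULK_THRESHOLD):
    """(user, day) pairs whose distinct-patient count exceeds the threshold."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["user"], e["ts"].date().isoformat())].add(e["patient"])
    return {key: len(patients) for key, patients in seen.items() if len(patients) > threshold}


def sensitive_outside_caseload(events, caseload):
    """Exports or prints of records the user has no caseload reason to touch."""
    return [e for e in outside_caseload(events, caseload) if e["action"] in SENSITIVE_ACTIONS]


def review(text, caseload=CASELOAD):
    """Run all four checks and return the hits as a triage queue, not a verdict."""
    events = parse_log(text)
    return {
        "outside_caseload": outside_caseload(events, caseload),
        "off_hours": off_hours(events),
        "bulk": bulk_access(events),
        "sensitive_outside_caseload": sensitive_outside_caseload(events, caseload),
    }


if __name__ == "__main__":
    for name, hits in review(SAMPLE_LOG).items():
        print(f"{name}: {len(hits)}")
```

Each check on its own produces noise (a covering clinician legitimately reads records outside their caseload; night shifts exist), so the output is a review queue to pair with caseload and break-glass records, not an automatic finding. The combination that matters for the Evoke pattern is a user whose off-hours, outside-caseload exports cluster on the same day, which the sample log is built to show.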