Table of Contents
Ready to See Results?
From strategy through execution, Atlantic Health Strategies integrates compliance, operations, and growth into durable, measurable results. Let’s put our expertise to work for your organization.
Federal Breach Reporting Puts Evoke Wellness Under OCR Scrutiny
Short answer: OCAT, LLC, doing business as Evoke Wellness at Hilliard, an Ohio addiction treatment provider, reported a breach to the HHS Office for Civil Rights (OCR) affecting 1,629 patients. The incident is now under active federal investigation tied to a former employee who allegedly stole and misused patient data. Law enforcement, not Evoke’s own monitoring, surfaced the problem.
Here is what public reporting confirms. Evoke was notified by law enforcement on May 20, 2025 that sensitive data had been stolen from its systems, prompting an internal investigation. The investigation later confirmed unauthorized access to 1,629 patient records, including names, addresses, Social Security numbers, diagnoses, treatment information, lab results, prescriptions, and health insurance details. Local Ohio reporting indicates a former Evoke employee allegedly misused his access to obtain patient information and then sold it on the dark web to others who misused it, with the employee reportedly working at the addiction center between November 2021 and July 2024.
Under the HITECH Breach Notification Rule, HHS requires covered entities to notify the Secretary of breaches of unsecured PHI affecting 500 or more individuals without unreasonable delay and no later than 60 calendar days from discovery. Once reported, OCR posts the entity on its public breach portal (the so-called Wall of Shame) and the listing stays until the investigation closes. Portal placement alone is not a finding of liability. It is the start of a multi-year review that referral partners, payers, and the DEA (in any case involving controlled substances or prescribing records) increasingly track alongside SAMHSA’s expectations under 42 CFR Part 2.
Scope and Nature of the Unauthorized Access Incident
OCR categorized the Evoke incident as unauthorized access or disclosure involving electronic medical record systems, with no business associate listed. That points inside the covered entity, not to a vendor.
The timeline is what operators should study. According to the notification filed with the Maine Attorney General, the insider-wrongdoing incident occurred on July 17, 2024, and OCAT became aware of the unauthorized activity on August 7, 2025. That is roughly 13 months of undetected internal exposure on records that include SUD treatment information. For a federally assisted SUD program subject to SAMHSA’s 42 CFR Part 2, that detection gap is the finding that should keep a CEO up at night, not the headline number of affected individuals.
The data elements at issue carry elevated sensitivity because of stigma, employment exposure, and downstream discrimination risk for patients in substance use treatment. Insider-access incidents rarely reflect a single bad actor in isolation. Executives usually find deeper weaknesses in workforce lifecycle management: delayed termination of credentials, weak role-based access controls, and audit logs nobody actually reads. MSO and platform operators running multiple Ohio, Florida, or Texas sites usually find those failures across the platform, not at one location. Once a regulator (OCR, the Ohio Department of Mental Health and Addiction Services, or the Ohio Attorney General) starts asking, the deficiencies show up everywhere.
Regulatory Exposure and OCR Enforcement Trajectory
OCR enforcement in 2025 makes the trajectory clear. The agency is not satisfied with documenting the specific incident; investigators want enterprise-wide risk analysis and access management. Two recent settlements are instructive for behavioral health operators.
On July 7, 2025, OCR announced a settlement with Deer Oaks, a behavioral health provider serving long-term care and assisted living facilities, requiring Deer Oaks to pay $225,000 and implement a two-year corrective action plan. The corrective action plan requires Deer Oaks to conduct and annually update HIPAA risk analyses, develop a risk management plan, maintain HIPAA-compliant policies and procedures, and provide annual workforce training. Earlier that year, on April 23, 2025, OCR announced a $600,000 settlement with PIH Health following a June 2019 phishing attack that compromised 45 employee email accounts and exposed the ePHI of 189,763 individuals, with the breach not reported to OCR until January 10, 2020, 7 months after the breach occurred.
OCR Director Paula M. Stannard tied the enforcement thesis directly to risk analysis: “Identifying potential risks and vulnerabilities to ePHI is a key step in preventing or mitigating breaches of protected health information.” The Evoke timeline (incident in July 2024, detection in August 2025, OCR portal posting in December 2025, supplemental Maine Attorney General notification in February 2026) draws exactly that kind of scrutiny. State AGs in Ohio, Maine, and other affected jurisdictions can run parallel investigations under their own data breach statutes, and CMS Conditions of Participation and Joint Commission or CARF accreditation reviewers will ask about the incident at the next survey window. Behavioral health providers sit inside the OCR breach pipeline, and they carry the added weight of 42 CFR Part 2 enforced by SAMHSA.
Operational and Workforce Implications for Behavioral Health Providers
Insider-driven breaches are not technical failures. They are operational failures dressed up as IT incidents. What the Evoke pattern tells operators about workforce governance:
- IT and HR teams must revoke credentials immediately. When a clinician or admin leaves on a Friday at 6pm, EMR access ends at 6:01pm. Not Monday morning. Not “when IT gets to it.”
- Compliance officers must review audit logs on a defined cadence. Suspicious access patterns (records pulled outside a clinician’s caseload, after-hours access bursts, downloads of full chart sets) should trigger automatic alerts.
- Privacy officers must enforce role-based access. A discharge planner does not need access to records of patients they are not discharging.
- CEOs must own the cross-functional termination workflow. When HR, IT, and clinical operations sit in separate spreadsheets, the gap is the breach.
OCR has been pricing these failures publicly. As of July 2025, OCR had resolved seventeen investigations with settlements or civil monetary penalties in 2025 alone, collecting more than $7 million in fines, with failure to conduct a risk analysis identified as the most common HIPAA violation of the year. Add to that the cost of the incident itself: IBM’s Cost of a Data Breach Report puts the average healthcare breach at $9.77 million, retaining healthcare’s status as the costliest industry for data breaches for the 14th year in a row. None of those operators got off with a one-time payment. They are all working under multi-year OCR monitoring.
Strategic Lessons for Behavioral Health Executives and Boards
Executives at Evoke are now inside a governance event, not just a compliance event. Boards and CEOs at behavioral health platforms in Ohio, Florida, Texas, and other states we work in should treat OCR investigations as multi-year obligations that touch growth, financing, and payer contracts. The DEA, SAMHSA, CMS, state Medicaid agencies, and accreditors like the Joint Commission and CARF will all read the OCR portal before their next interaction with the provider.
Three things behavioral health CEOs should do this quarter:
- Pull your termination-to-deactivation report from the last 12 months. Measure the gap, in minutes, between separation and EMR deactivation per departed employee. If you cannot produce that report at all, that is your finding.
- Run a true enterprise risk analysis under the HIPAA Security Rule, not a checklist. OCR is settling cases where risk analyses were performed but were not accurate and thorough. OCR concluded Deer Oaks failed to conduct an accurate and thorough risk analysis in violation of the HIPAA Security Rule, and the settlement turned on exactly that finding.
- Stress-test your 60-day breach notification clock. Who decides when the clock starts? Who signs the OCR submission? Who notifies the state AG and, where applicable, the FTC under the Health Breach Notification Rule? If those answers live only in your outside counsel’s head, the clinical leadership team is not ready.
At Atlantic Health Strategies, our team works with behavioral health providers, MSOs, and platform organizations on exactly these workflows: workforce access governance, breach response readiness, and enterprise risk analysis built to survive an OCR or state AG investigation rather than pass a checklist audit. CEOs who treat HIPAA and 42 CFR Part 2 as living operational disciplines are the ones still building census, closing acquisitions, and protecting payer relationships after a regulator comes knocking.
Frequently asked questions
How many patients were affected by the Evoke Wellness at Hilliard data breach?
Evoke Wellness at Hilliard (OCAT, LLC) reported the incident to HHS OCR in December 2025 as affecting 1,629 patients. A separate, narrower submission to the Maine Attorney General in February 2026 referenced 261 individuals in connection with the underlying insider-wrongdoing incident, which has created some confusion in public reporting. Per the notice submitted to Maine, the insider-wrongdoing incident reportedly occurred on July 17, 2024 and OCAT became aware of the unauthorized activity on August 7, 2025.
What triggers an OCR breach portal posting and how long does the investigation last?
Under the HITECH Breach Notification Rule and 45 CFR 164.408, any HIPAA breach of unsecured PHI affecting 500 or more individuals must be reported to the HHS Secretary without unreasonable delay and no later than 60 calendar days from discovery. OCR opens a compliance review of every such breach. Investigations commonly take 18 months to several years and frequently end in a settlement with a multi-year corrective action plan, as seen in the 2025 OCR resolutions with Deer Oaks ($225,000, two-year CAP) and PIH Health ($600,000, two-year CAP).
Why are insider-access breaches especially dangerous for behavioral health and SUD providers?
Behavioral health records sit under both HIPAA (enforced by HHS OCR) and, for federally assisted SUD programs, 42 CFR Part 2 (overseen by SAMHSA), which imposes stricter confidentiality and re-disclosure rules. When an insider misuses access, the entity is typically exposed on multiple fronts at once: HIPAA breach notification obligations, Part 2 patient confidentiality protections, state attorney general notification statutes, and accreditor follow-up from the Joint Commission or CARF at the next survey. OCR’s 2025 enforcement pattern shows the agency is focused on access management failures and on whether the entity’s risk analysis was accurate and thorough. IBM pegs the average healthcare breach cost at $9.77 million.
What should a behavioral health CEO do in the first 72 hours after discovering a possible insider breach?
Preserve audit logs immediately and confirm chain of custody. Suspend the relevant credentials and document the suspension time. Engage breach counsel before sending any external communications. Begin scoping the affected patient population and the data elements involved, because the 60-day notification clock to OCR starts at discovery. Notify your cyber insurance carrier and your board within the first business day. Do not submit to OCR, state AGs, or (where applicable) the FTC under the Health Breach Notification Rule until counsel has confirmed scope; rushed, incomplete submissions create amended-report problems that themselves become findings.
References
- HHS OCR Press Release: Deer Oaks HIPAA Settlement (July 7, 2025)
- HHS OCR Press Release: PIH Health Phishing Settlement (April 23, 2025)
- HIPAA Journal: Former Evoke Wellness Employee Obtained and Misused Patient Data
- DataBreaches.net: Evoke Wellness at Hilliard Updates Its Breach Notification
- Cybernews: Evoke Wellness Employee Stole Patients’ Identities
- TechTarget: Average Cost of a Healthcare Data Breach Sits at $9.77M (IBM 2024 Report)
- HIPAA Journal: Phishing Attack and Late Breach Notifications Lead to $600K HIPAA Fine for PIH Health
- HIPAA Guide: Deer Oaks Pays $225,000 Fine to Resolve HIPAA Investigation