EVOKE Wellness at Hilliard is in the spotlight again after external counsel for OCAT, LLC dba Evoke submitted a breach notification to the Maine Attorney General’s Office, claiming the incident was discovered on 7 August 2025 and potentially affected 261 people, with the breach allegedly tied to activity that began on 7 July 2024.
The letter says Evoke learned of unauthorized activity on 7 August 2025 and that a subsequent investigation found patient information may have been accessed without authorisation, though the exact scope remains unclear. DataBreaches[.]net notes inconsistencies between the notification, the form it was based on, and prior reporting, including a June 2025 awareness of an insider-wrongdoing incident and a December 2025 update to the HHS stating 1,629 patients affected.
That earlier incident involved a former Evoke employee who allegedly sold patient data on the dark web, with authorities reporting the breach as identified in October 2024 and initially numbering 240 victims. The FTC settlement with Evoke in June 2025, requiring payments and advertising reforms, is also cited by DataBreaches as context for the ongoing questions.