OCAT, LLC, doing business as Evoke Wellness at Hilliard, recently notified the Maine Attorney General regarding a data breach involving 261 individuals. The disclosure reveals a significant gap between the reported July 2024 insider-wrongdoing incident and its eventual discovery in August 2025.

On February 27, external legal counsel for the Ohio-based addiction treatment center filed a formal breach notification. The documents indicate that the facility first became aware of unauthorized network activity on August 7, 2025. Following this discovery, the organization launched an investigation to assess the scope of the intrusion and determine which patient records had been compromised.

The investigation confirmed that specific patient information was likely accessed without authorization during the event. Consequently, the facility began the process of notifying all individuals whose personal data was impacted. While the notification letter to patients focuses on the discovery date, the official filing with the state of Maine identifies the original incident date as July 7, 2024.

There is a notable lack of clarity regarding the timeline presented by the treatment center. The submitted materials do not explain why it took over a year to identify a breach that originated in the summer of 2024. Furthermore, the documents fail to reconcile how unauthorized network activity detected in late 2025 was linked back to an incident involving internal misconduct from the previous year.

The filing specifically categorizes the event as an insider-wrongdoing incident, a detail that was omitted from the general letter sent to affected patients. This discrepancy between the public-facing explanation and the regulatory filing adds a layer of complexity to the reporting. The data shows that a relatively small group of 261 people were affected, yet the nature of the delay remains the most prominent unanswered question.

External observers have pointed out inconsistencies in the timeline, noting that awareness of the insider-wrongdoing incident existed as early as June 2025. This raises further questions about the official discovery date of August 7, 2025, cited in the notification. Without further explanation from the facility, the sequence of events leading from the July 2024 incident to the 2025 reporting remains largely ambiguous.

Source: Evoke Wellness At Hilliard Updates Data Breach Notification Details