25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Former Evoke Wellness Employee Obtained and Misused Patient Data

Posted By on Dec 19, 2025

A former employee of Evoke Wellness at Hilliard has stolen and misused patient data, Conifer Value-Based Care has experienced an email account breach, and patient data was potentially stolen in a break-in at a Heart of Texas Behavioral Health Network facility.

Evoke Wellness at Hilliard

OCAT, LLC dba Evoke Wellness at Hilliard, a provider of behavioral health services, has reported a data breach affecting patients of its Hilliard, Ohio facility. Evoke Wellness at Hilliard was notified by law enforcement on May 20, 2025, that sensitive data had been stolen from its systems, prompting an internal investigation.

Law enforcement found stolen data in the possession of the individual, and the Evoke Wellness investigation confirmed unauthorized access to the records of 1,629 patients. Data obtained by the individual included full names, addresses, phone numbers, email addresses, Social Security numbers, medical records, diagnoses and treatment information, treatment dates, lab results, prescriptions, health insurance information, driver’s license numbers, passport numbers, payment card information, and financial account information.

It is unclear when the data was stolen from Evoke Wellness. The perpetrator was a former employee who had been terminated in July 2024 for reasons unrelated to the incident. It is unclear from the information released so far whether the data was stolen before or after the employee was terminated. Law enforcement has charged the individual with counterfeiting, forgery, and identity theft. Due to the nature of the stolen data and charges against the former employee, data misuse may have already occurred. The affected individuals should thoroughly check their accounts, explanation of benefits statements, and credit reports for signs of misuse of their information and should report any suspicious activity to the relevant entities and law enforcement.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Conifer Value-Based Care

Conifer Value-Based Care, LLC, part of the healthcare management company Conifer Health Solutions, has started notifying individuals about a recent security incident involving unauthorized access to an employee’s Microsoft 365-hosted business email account. The email account breach was identified on August 28, 2025, and steps were taken to contain the incident and prevent further unauthorized access. The forensic investigation confirmed that an unauthorized third party accessed the account from August 28, 2025, to August 29, 2025. The account was reviewed, and on November 10, 2025, it was confirmed that protected health information had been exposed.

The affected healthcare providers and health plans were notified about the incident on November 14, 2025, and Conifer Value-Based Care issued notifications to the affected individuals on December 5, 2025, on behalf of its HIPAA-covered entity clients. The notification sent to the California Attorney General does not state the types of information involved, only that Social Security numbers, financial account information, credit/debit card information, account passwords, and driver’s license/state IDs were not involved.

Texas Behavioral Health Network

Heart of Texas Behavioral Health Network in Central Texas is notifying 1,309 individuals about the exposure and potential theft of some of their protected health information. Heart of Texas Behavioral Health Network serves patients in six Texas counties, although the incident only affects patients in McLennan County. On November 20, 2025, Heart of Texas discovered a break-in at one of its facilities in McLennan County, and the perpetrator may have viewed or removed paper records containing patient data.

Records in the facility included patient names, addresses, birth dates, medical record numbers, diagnosis and treatment information, procedure information, Social Security numbers, and Medicaid and health insurance information. The affected individuals have been advised to remain vigilant against identity theft and fraud, and review their explanation of benefits statements, billing statements, and credit reports for suspicious activity.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist