FTC Imposes $1.9 Million Penalty on Evoke Wellness for Deceptive Marketing Campaign

The Federal Trade Commission (FTC) has proposed a $1.9 million settlement to resolve claims that Evoke Wellness, a Florida-based substance use disorder treatment clinic, engaged in deceptive business practices and deliberately misled consumers who were seeking substance use disorder treatment by pretending to be other clinics.

According to the January 2025 complaint, Evoke Wellness, LLC, Evoke Health Care Management, and their officers, Jonathan Mosley and James Hull, conducted a deceptive Google Ads campaign targeting consumers conducting online searches for substance use disorder treatment clinics. According to the FTC, the campaign used the specific names of other clinics as keywords to ensure Evoke’s ads appeared when searches were made for those clinics. The ads prominently displayed the names of the impersonated clinics, misleading consumers into calling the telephone number for Evoke’s telemarketing call center.

When the number was called, the Evoke telemarketers would explain that they had reached a centralized admissions office or an addiction treatment hotline, rather than an Evoke call center. Even when the caller maintained that they wanted to deal with the specific clinic they were trying to reach, the telemarketers continued with the deception, falsely claiming they had a relationship with that clinic.

In the complaint, the FTC alleged that the campaign ran over 2 years from 2021 through 2023 and involved at least 68,510 misleading Google search ads. The campaign is alleged to have generated at least 3,500 calls from individuals seeking treatment for substance use disorder. The FTC alleges that Evoke’s conduct violated the FTC Act and the Opioid Addiction Recovery Fraud Prevention Act of 2018.

The consent order imposes a $7 million civil monetary penalty on the defendants to resolve the FTC’s claims; however, only $1.9 million is payable due to the defendants’ financial position. The consent order prohibits Evoke from impersonating other businesses and substance use disorder clinics, and engaging in deceptive advertising practices such as using competitors’ names in search engine advertisements and making misrepresentations related to their substance use disorder services. Evoke is also required to establish a compliance program that must include monitoring its call centers for misrepresentations and taking corrective action against any agent who violates the consent order.

Should Evoke be later found to have violated the terms of the consent order, the suspended portion of the civil monetary penalty will become immediately payable. The proposed consent order was filed in the U.S. District Court for the Southern District of Florida and now awaits approval from the District Court Judge.

“Opioids have ravaged American communities, killing well over one hundred Americans per day and ruining the lives of countless others,” said FTC Chairman Andrew N. Ferguson. “Today’s settlement helps consumers affected by opioid addiction navigate their path to recovery by preventing fraudsters from leading them astray.”

The post FTC Imposes $1.9 Million Penalty on Evoke Wellness for Deceptive Marketing Campaign appeared first on The HIPAA Journal.

PHI Stolen in Sensata Technologies Ransomware Attack

A ransomware attack on Sensata Technologies involved the theft of health and wellness plan data. A former Evoke Wellness employee has been accused of stealing patient data for identity theft, and limited PHI has been impermissibly disclosed due to mailing errors at Blue Shield of California and AffirmedRx PBC.

Sensata Technologies Hit with Ransomware Attack

Sensata Technologies, Inc., a leading industrial technology firm that makes sensor and control solutions, has been hit with a ransomware attack. The attack was identified on April 6, 2025, when files were encrypted on its network. Sensata implemented its response protocols to contain the incident, and an investigation was launched with assistance provided by a third-party cybersecurity firm. Law enforcement was also notified about the attack.

The forensic investigation confirmed that the ransomware group had access to its network between March 28, 2025, and April 6, 2025, during which time files were accessed and copied from its network. Over the past two months, Sensata reviewed the affected files and has confirmed that they contained the personal and protected health information of 15,630 members of the company’s Health and Welfare Benefit Plan.

In addition to names and addresses, one or more of the following data types were involved: date of birth, Social Security number, tax identification number, driver’s license number or state-issued identification card number, passport number, other government-issued identification number, financial account information, payment card information, medical information, and/or health insurance information. Individual notification letters have been mailed, and complimentary credit and identity monitoring have been offered to the affected individuals. Sensata has confirmed that it is taking steps to enhance security.

Former Evoke Wellness Employee Accused of PHI Theft, Identity Theft, and Fraud

A former employee of an Evoke Wellness addiction treatment center in Hilliard, Ohio, has been accused of stealing patients’ protected health information for identity theft and fraud. A police investigation was launched after police conducted a vehicle stop and found four fraudulent IDs and twenty-four pre-paid cards in the man’s possession. The man was employed by Evoke Wellness between November 2021 and July 2024, and allegedly accessed patient data and obtained names, contact information, dates of birth, and Social Security numbers without authorization. Evoke Wellness was unaware of the data theft until notified by law enforcement; it then launched an internal investigation and confirmed the unauthorized access.

So far, the police investigation has identified 240 victims, although the actual number could be much higher. The man has also been accused of selling stolen data on the dark web to individuals who used the information to fraudulently obtain funds and rack up credit card charges in the victims’ names. Evoke Wellness has not yet listed the breach on its website, and there is no breach report on the HHS’ Office for Civil Rights breach portal. That said, media notices are only required for breaches affecting 500 or more individuals, and OCR does not list data breaches affecting fewer than 500 individuals on its data breach portal.

Blue Shield of California Data Merge Error Results in Impermissible PHI Disclosure

The health plan provider, Blue Shield of California (BSC), has notified 1,543 individuals about an impermissible disclosure of their protected health information. On April 4, 2025, BSC discovered that an incorrect data merge resulted in certain BSC members’ data being added to other members’ data, which could be viewed in the Member Health Record feature on its member portal.

An investigation was launched, which confirmed that the error involved an identifying key being assigned to two or more different individuals, even though they had different names, dates of birth, and Social Security numbers. The data merge occurred on June 27, 2024, and was identified on April 4, 2025, at which point the data was immediately suppressed.

The data potentially viewed by other members was limited to member visit information, visit dates, medications, immunization records, lab results, diagnoses, and health conditions. The merged information did not involve another member’s name, date of birth, Subscriber identification number, address, phone number, email address, or highly sensitive information such as their Social Security number, driver’s license number, or financial information. Out of an abundance of caution, BSC has offered the affected individuals complimentary access to the Experian IdentityWorks identity theft protection service for 12 months.

AffirmedRx PBC Mailing Error Results in PHI Disclosure

AffirmedRx PBC, a Louisville, Kentucky-based pharmacy benefits management company, has notified 1,089 members about an impermissible disclosure of some of their protected health information. On May 16, 2025, AffirmedRx PBC identified an error with a mailing involving letters sent on May 14, 2025. The letters advised the recipient about a change in medication information.

The error resulted in a mismatch of names and addresses on the envelopes. The letters included an individual’s name and medication information only, and in each instance, were sent to the address of one other member. AffirmedRx PBC has advised anyone receiving a letter from AffirmedRx PBC dated May 14, 2025, to disregard the information in the letter and to destroy that letter, and if not yet opened, to mail the letter after clearly adding “return to sender” to the envelope.

AffirmedRx PBC has implemented additional safeguards to prevent similar incidents in the future and has provided additional training to appropriate personnel to reinforce its privacy protocols.


Legislation Introduced to Make Violence Against Healthcare Workers a Federal Crime

Companion bills have recently been introduced in the House of Representatives and the Senate that seek to make violent attacks on employees of hospitals and healthcare organizations a federal crime. Data released by the U.S. Bureau of Labor Statistics in 2018 revealed that healthcare workers are five times more likely to experience violence in the workplace than workers in other industries. In 2018, healthcare workers accounted for 73% of all nonfatal workplace injuries and illnesses due to violence, and there was an increase in violent incidents during the COVID-19 pandemic.

In January 2024, a poll conducted by the American College of Emergency Physicians revealed that 91% of respondents had either personally experienced violence in the workplace or were aware of a colleague who was a victim of violence in the past year. 40% of respondents said they knew of an attack on a healthcare worker in a trauma center that resulted in moderate to severe disability or death. Last year, the American College of Surgeons reported an increase in violence against surgeons. Jay J. Doucet, MD, MSc, FRCSC, FACS, director of the trauma division at the University of California (UC) San Diego Health, said, “We’ve had six surgeons killed in the last few years.”

While many incidents are perpetrated by patients in emergency rooms and psychiatric units, healthcare workers are also assaulted in other settings, including home health, doctor’s surgeries, maternity units, and elsewhere, and not just by patients. There have been reports of violent behavior from visitors, intimate partners, outsiders, and coworkers.

Violence in the workplace is contributing to an increase in work-related stress, burnout, and job dissatisfaction, and has led many workers to quit the profession. The risk of violence is also making recruitment more difficult. A 2024 National Nurses United Report warned that high and rising rates of workplace violence and employer failure to implement effective prevention strategies are contributing to the current staffing crisis. A 2023 survey revealed that almost half of nurses (45.5%) reported an increase in workplace violence in the past year, and six in 10 nurses reported having either changed or left their job or profession or considered doing so due to workplace violence.

The increase in violence against healthcare workers has prompted bipartisan legislation to make attacks on healthcare workers a federal crime. The bipartisan Save Healthcare Workers Act was introduced last month in the Senate (S.1600) by Sens. Cindy Hyde-Smith (R-MI) and Angus King (I-ME), and the companion House bill (H.R. 3178) by Reps. Mariannette Miller-Meeks (R-IA) and Madeleine Dean (D-PA). The proposed legislation would give healthcare workers protections similar to those for workers in the airline industry.

There have been previous attempts to introduce similar legislation, such as the Safety from Violence for Healthcare Employees (SAVE) Act in 2023, but none have been successful. While around thirty states have introduced laws that make attacks on healthcare workers a felony, federal legislation is required to discourage attacks and ensure the perpetrators face appropriate justice.

“State and local authorities are now and will continue to be responsible for prosecuting the overwhelming majority of violent crimes in the United States, including assault and intimidation against hospital employees,” according to the bill. “These authorities can address the problem of assault and intimidation against hospital employees more effectively with greater Federal law enforcement involvement… existing Federal law is inadequate to address the problem.”

The legislation calls for federal prison sentences of up to 10 years for attacks on healthcare workers, and enhanced penalties for acts of violence against healthcare workers involving a deadly or dangerous weapon or inflicting bodily injury. Those more serious attacks, as well as violent acts committed during emergency declarations, would be punishable with a jail term of up to 20 years. The legislation has exemptions from prosecution for individuals with intellectual or physical disabilities.

“I believe the federal government can help deter violence and keep our healthcare workers safe by establishing stronger penalties for those who assault hospital employees,” Hyde-Smith said. “Our legislation will protect these workers and, importantly, the people who rely on their care.”


Optical Software Solution Provider Ocuco Reports 241K-Record Data Breach

Ocuco Inc., a Dublin, Ireland-based provider of optical software solutions for eyecare businesses, has recently notified the HHS’ Office for Civil Rights about a data breach involving the protected health information of 240,961 individuals.

Ocuco claims to be the world’s largest provider of retail optical software solutions, with its US operations based in Florida. Ocuco’s software includes the Acuitas practice management and electronic health record system, which is used by thousands of eye care practices, clinics, and lens manufacturing labs.

Relatively little information has been released by Ocuco about the data breach at the time of writing, other than the information disclosed in the May 30, 2025, OCR breach report, which lists the incident as a network server hacking incident. This appears to have been a ransomware attack by a ransomware group known as Killsec, aka Kill Security.

Killsec claims to be a hacktivist group, but it is a financially motivated ransomware-as-a-service organization that targets government agencies and private sector businesses. On April 1, 2025, Killsec added Ocuco to its dark web data leak site, and the stolen data has since been listed for download, which suggests the ransom was not paid.

While the HIPAA Journal has not verified whether protected health information is available for download, the fact that the data breach has been reported to the HHS’ Office for Civil Rights shows that protected health information has been exposed and most likely stolen in the attack.

The dark web data leak site listing includes screenshots of the stolen data, including business files, appointment information, and several folders related to U.S. and Canadian eyecare clients, including Costco, HoustonEye, Kaiser, Mayo Clinic, Optos, Specsavers, and more. Several law firms have already opened investigations into potential class action lawsuits in response to the data breach.

This post will be updated when further information becomes available.
