Jim Mazotas
In the News

Evoke Wellness: How a Trusted Employee Exploited Access for Nearly Three Years

The cybersecurity world constantly buzzes about external threats: hackers, ransomware, and nation-state actors. But sometimes the most devastating breaches come from the people we trust most: our own employees. A recent case out of Hilliard, Ohio, proves that insider threats can be just as dangerous as any external attack, and they're often much harder to detect.

When Trust Becomes a Weapon

Alexander Perry seemed like any other employee at Evoke Wellness, an addiction treatment center in Ohio. From November 2021 to July 2024, he showed up to work and had access to what he needed. What his employers didn't know was that Perry was systematically exploiting his privileged access to steal patient data and sell it on the dark web.

Police have identified 240 victims so far, with many more potentially affected. For nearly three years, Perry had access to the facility's entire patient database, harvesting sensitive personal information from vulnerable individuals seeking addiction treatment.

The investigation only began after an unrelated traffic stop in October 2024, when officers found fraud-related materials in Perry's vehicle. This discovery method underscores a key challenge: insider threats are often uncovered by accident rather than through proactive security monitoring.

Why Three Years Went Undetected

What makes this case particularly troubling is the duration. This wasn't a quick grab-and-dash operation but a sustained, methodical exploitation of trust and access privileges. Detective Chris Crabtree noted that Perry "had access to their entire database, so there are victims outside the state as well."

The Perry case exemplifies why insider threats are so difficult to detect:

Legitimate Access: Unlike external attackers who need to break in, insiders already have the keys. Perry didn't need to hack anything – he simply used his authorized access. From a technical standpoint, his actions likely looked identical to legitimate work activities.

Trust-Based Security: Most organizations, especially smaller ones, operate on trust-based security models. You hire someone, conduct background checks, and trust them to do the right thing. This creates blind spots for malicious insiders.

Limited Monitoring: Many organizations lack sophisticated monitoring systems that detect unusual data access patterns. Even when monitoring exists, it's often focused on external threats rather than internal activities.

Gradual Theft: Unlike massive breaches that create obvious alerts, insider threats often involve gradual data collection. A few patient records accessed here and there might not trigger alarms, especially if the access appears work-related.

The Universal Problem

This case occurred at a relatively small, specialized healthcare facility. Insider threats aren't just a "big company problem" – they affect organizations of any size. Smaller organizations may be more vulnerable because they often have less sophisticated security monitoring, fewer resources, and more informal access controls.

Healthcare faces particular challenges. Medical facilities must balance patient care needs with security requirements, often prioritizing accessibility to ensure staff can quickly access critical patient information. This necessary accessibility creates opportunities for abuse.

How Modern Solutions Could Have Changed Everything

The Perry case highlights exactly why traditional security approaches fail with insider threats. But it also demonstrates how next-generation detection could have dramatically altered this story.

Consider what a solution like InnerActiv could have detected during Perry's operation:

Multi-Vector Risk Analysis: InnerActiv's platform would have correlated Perry's data access patterns, behavioral changes, and fraud indicators. The systematic nature of his data collection would have triggered risk scoring alerts much earlier.

Real-Time Risk Scoring: AI-infused analytics could have identified Perry's behavioral deviations from established baselines. As he began accessing patient records in unusual patterns, the system would have assigned escalating risk scores, flagging activity for investigation.

Fraud Detection Integration: This case perfectly illustrates the convergence of data loss prevention and fraud detection that InnerActiv specializes in. Perry's activities weren't just data theft – they were part of a sophisticated fraud operation. InnerActiv's fraud sensors are designed to identify these schemes.

Application-Agnostic Monitoring: Healthcare facilities use mixed systems – custom applications, legacy software, proprietary databases. InnerActiv's endpoint-centric approach monitors behavior across all applications without requiring API integrations.

The key difference is detection speed. While Perry operated undetected for nearly three years, InnerActiv's converged approach would likely have identified suspicious patterns within weeks or months.

The Real Impact

The victims weren't just database entries – they were vulnerable people seeking addiction treatment. The theft adds another violation to people already in crisis. Many now face years of credit monitoring, identity theft consequences, and emotional trauma from having their privacy violated during treatment.

For Evoke Wellness, this represents not just a security failure but a fundamental breach of patient trust. The facility's reputation and broader confidence in addiction treatment services may suffer lasting damage.

Key Takeaways

The Evoke case offers critical lessons:

Trust, but Verify: Balance trust with appropriate oversight. Regular data access audits can identify unusual patterns.

Least Privilege Access: Employees should access only the data needed for their specific roles. Perry's access to the entire database was likely broader than necessary.

Modern Detection Required: Traditional security tools aren't designed for insider threats. Organizations need solutions that correlate behavior patterns, detect fraud indicators, and provide real-time risk scoring.

Size Doesn't Matter: Insider threats affect all organizations. Small facilities need the same sophisticated detection capabilities as large enterprises.
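As an added illustration of the "gradual theft" problem and the access audits recommended above (example code, not from the original article or from InnerActiv), this Python sketch runs two checks over a constructed audit log: a naive per-day record-count threshold, which a slow-drip pattern never trips, and a trailing-window count of distinct patients per user compared against the peer median, which does. User names, thresholds, dates and the log format are all assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

# Constructed audit-log records (user, day, patient_id); not real data.
# Two clinicians open the same small caseload every day; "insider" opens
# six *different* charts each day, so no single day looks abnormal.
LOG = []
for d in range(60):
    day = date(2024, 1, 1) + timedelta(days=d)
    for u in ("nurse_a", "nurse_b"):
        for p in range(5):                      # same 5 charts each day
            LOG.append((u, day, f"{u}-pt{p}"))
    for p in range(6):                          # 6 new charts each day
        LOG.append(("insider", day, f"pt{d * 6 + p}"))
LAST_DAY = date(2024, 1, 1) + timedelta(days=59)

DAILY_LIMIT = 20      # assumed per-day alert threshold (naive control)
WINDOW_DAYS = 30      # assumed trailing audit window
PEER_FACTOR = 3.0     # assumed: flag at 3x the peer median

def daily_counts(log):
    """Distinct patients touched per (user, day)."""
    seen = defaultdict(set)
    for user, day, pid in log:
        seen[(user, day)].add(pid)
    return {k: len(v) for k, v in seen.items()}

def daily_threshold_alerts(log, limit=DAILY_LIMIT):
    """Users who ever exceed the per-day limit; the slow drip never does."""
    return sorted({u for (u, _), n in daily_counts(log).items() if n > limit})

def window_distinct(log, end, days=WINDOW_DAYS):
    """Distinct patients per user over the trailing window ending at `end`."""
    start = end - timedelta(days=days - 1)
    seen = defaultdict(set)
    for user, day, pid in log:
        if start <= day <= end:
            seen[user].add(pid)
    return {u: len(s) for u, s in seen.items()}

def peer_baseline_alerts(log, end, days=WINDOW_DAYS, factor=PEER_FACTOR):
    """Flag users whose windowed count is >= factor x the median of their peers."""
    counts = window_distinct(log, end, days)
    alerts = {}
    for user, n in counts.items():
        peers = [c for u, c in counts.items() if u != user]
        base = median(peers) if peers else 0
        if base and n >= factor * base:
            alerts[user] = (n, base)    # (distinct patients, peer median)
    return alerts
```

Over the constructed log the per-day check returns nothing, while the 30-day peer comparison flags `insider` at 180 distinct patients against a peer median of 5.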

A Lesson Learned

The Perry case won't be the last insider threat we see. As long as organizations rely on people to handle sensitive data, some will abuse that trust. But the difference between a three-year criminal enterprise and a quickly contained incident often comes down to having the right detection capabilities.

The technology exists to detect these threats early. Advanced platforms like InnerActiv make enterprise-grade threat detection accessible to organizations of all sizes, providing multi-vector analysis and real-time risk scoring that can catch malicious insiders before they cause massive damage.

In cybersecurity, we often focus on keeping bad actors out. But sometimes the threat is already inside. The most effective security strategies recognize that trust is essential, but continuous, intelligent verification is equally important, especially when that verification can connect the dots between suspicious data access and potential fraud before it's too late.
