Operation PAR, Inc., Boley Centers, Inc., and PEMHS dba Eleos have jointly notified individuals of a cybersecurity incident involving unauthorized access to their network that may have exposed personal information. The organizations report that affected individuals may include patients and employees, and that credit monitoring services are being offered as a precaution while the investigation concluded that certain data may have been accessed or removed.
Operation PAR, Inc., Boley Centers, Inc., and PEMHS dba Eleos’s Data Breach Investigation
Operation PAR, Inc., Boley Centers, Inc., and PEMHS dba Eleos (collectively “the Organizations”) disclosed a cybersecurity incident involving unauthorized access to their network environment beginning on or about June 6, 2025. According to the notice, the organizations later discovered the intrusion on June 10, 2025 and immediately secured their systems while launching a full investigation.
Following discovery, the Organizations engaged external cybersecurity professionals to assist with forensic analysis and containment efforts. The investigation confirmed that unauthorized actor(s) accessed and potentially removed certain files from the network during the four-day window between June 6 and June 10, 2025.
After the technical investigation concluded, the organizations completed a detailed review of the affected data. On June 10, 2026, they determined that certain files may have contained personal information belonging to individuals associated with their services, including patients and employees.
The Organizations state that they have since strengthened their cybersecurity posture by implementing additional safeguards, enhancing internal controls, and improving monitoring systems. These steps are intended to reduce the likelihood of similar unauthorized access events in the future.
At this stage, the organizations have not reported evidence of confirmed identity theft or fraud resulting from the incident. However, they issued notice out of an abundance of caution, reflecting the standard practice in healthcare-related data incidents where sensitive personal information may have been exposed but misuse has not yet been identified.
Healthcare and behavioral health providers are frequent targets of cyberattacks due to the sensitivity of the data they maintain. Even limited exposure of names or identifying information can create downstream risks, including phishing attempts, identity theft, or fraudulent use of personal data when combined with other leaked information sources.
Because behavioral health organizations often handle deeply sensitive patient information, incidents like this can be especially concerning for affected individuals. Even when the disclosed data appears limited, the context of the organization’s services can heighten privacy expectations and the importance of data protection safeguards.
When Did This Breach Occur?
The notice states that unauthorized access to the Organizations’ network occurred between June 6, 2025 and June 10, 2025.
The intrusion was discovered on June 10, 2025, at which point the Organizations took steps to secure their systems and begin a forensic investigation.
The investigation and review of affected data were completed later, with a final determination made on June 10, 2026 regarding the individuals whose information may have been impacted.
This timeline reflects a common pattern in cybersecurity incidents where initial access occurs over a short window, but forensic review and notification processes extend significantly longer due to the complexity of data analysis and identification of affected individuals.
What Information Was Breached?
Based on the findings disclosed in the notice, the following categories of personal information may have been involved:
- First and last name
- Other personal information associated with individuals (partially redacted or unspecified in the notice excerpt)
The notice indicates that the impacted information included names and potentially additional personal data; however, the full list of exposed data elements is not fully specified in the provided disclosure.
Because the scope of additional information is not clearly defined in the publicly available notice excerpt, individuals should assume that their personal identifiers may be at risk and take appropriate precautionary measures.
Even exposure of basic identifying information can increase risk when combined with other datasets. In behavioral health contexts, the sensitivity of association alone can also create privacy concerns, particularly if communications or targeting attempts are made using inferred affiliation with healthcare services.
What You Can Do
If you received a notice from the Organizations or believe you may have been affected, it is important to take proactive steps to protect your personal information.
Start by monitoring your financial accounts and credit reports for any unfamiliar activity, including new accounts, unauthorized inquiries, or changes to personal information. Even if only limited data was exposed, attackers may attempt to use it in broader identity theft or phishing campaigns.
You should also remain alert for suspicious communications. Cybercriminals often exploit breach events to send emails, texts, or phone calls that appear legitimate but are designed to collect additional sensitive information. Do not provide personal details unless you can independently verify the source.
If credit monitoring services are offered, enrolling can help detect changes to your credit file and provide early warning of potential misuse. Additionally, consider placing a fraud alert or credit freeze with major credit bureaus to add further protection.
Finally, individuals should report any suspicious financial or medical activity promptly to the appropriate institution. Early detection can significantly reduce the impact of identity misuse.
File a Data Breach Lawsuit Against Operation PAR, Boley Centers, and Eleos
Organizations that collect and maintain sensitive personal information have a legal obligation to implement reasonable safeguards to protect that data. When unauthorized access occurs, affected individuals may have questions about whether those safeguards were sufficient and whether their personal information was properly protected.
Even when no fraud has been confirmed, individuals may still experience harm in the form of time spent reviewing accounts, enrolling in credit monitoring, and taking preventive steps to protect against identity theft. These impacts can be significant, particularly in cases involving healthcare or behavioral health providers.
If you received a notice from the Organizations, believe your personal information may have been impacted, or took protective actions as a result of this incident, you may have legal options available. Acting with others in similar situations may help bring clarity and accountability regarding how the incident occurred and how personal data was handled.
Contact us at Class Action U, where we’ll connect you with a lawyer skilled in class action lawsuits. If you’ve been contacted about this breach, received notice, or discovered you were impacted, fill out our quick, easy, and secure form to sign up. There is no cost to reach out to our legal partner and no obligation after speaking with someone from our team.