- UPDATE: OCR released an additional update on November 30 with new details regarding the phishing scam.
Employees of HIPAA covered entities and their business associates should be aware of an alleged phishing scam that uses Department of Health and Human Services (HHS) letterhead, according to an OCR email sent out on November 28, 2016.
The email uses a mock HHS department letterhead and OCR Director Jocelyn Samuels’ signature, and is meant to look like official OCR Audit communication, the agency stated.
“The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program,” OCR warned. “The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services.”
OCR maintained that the firm sending the email is not associated with the agency or with HHS.
UPDATE: On November 30, 2016, OCR sent out another email discussing the phishing scam targeting HIPAA covered entities and business associates.
OCR explained that the email in question “prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program, and directs individuals to a non-governmental website, marketing a firm’s cybersecurity services.”
Covered entity and business associate employees should be warned of the phishing email and reminded that official HIPAA audit communications are sent from OSOCRAudit@hhs.gov.
OCR added that it has already notified selected business associates that are included in the Phase 2 HIPAA audits.
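A mail-filter check built on the two indicators in the OCR notice (official audit mail comes from OSOCRAudit@hhs.gov, and the scam's link leads to a non-governmental site), added here as an example and not code from OCR or the article: it flags a message that presents itself as HIPAA audit correspondence but whose real sender address is not the official one, or whose links resolve to a host outside hhs.gov. The two sample messages, and the firm and portal domains in them, are constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

OFFICIAL_SENDER = "osocraudit@hhs.gov"   # the address the OCR notice names
OFFICIAL_DOMAIN = "hhs.gov"

def link_hosts(text):
    """Lower-cased hostnames of every http(s) URL in the message text."""
    urls = re.findall(r"https?://[^\s\"'<>)]+", text)
    return [urlparse(u).hostname.lower() for u in urls if urlparse(u).hostname]

def is_official_host(host):
    # hhs.gov itself or a subdomain; a look-alike such as hhs.gov.example.com fails
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)

def check_audit_email(raw):
    """Reasons to treat a self-described HIPAA audit message as suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    blob = (str(msg["Subject"] or "") + " " + text).lower()
    if "hipaa" not in blob or "audit" not in blob:
        return []  # not presented as audit correspondence; out of scope here
    reasons = []
    # Check the real address, not the display name, which is trivial to forge
    _, addr = parseaddr(str(msg["From"] or ""))
    if addr.lower() != OFFICIAL_SENDER:
        reasons.append(f"sender {addr} is not {OFFICIAL_SENDER}")
    reasons += [f"link to non-HHS host {h}" for h in link_hosts(text)
                if not is_official_host(h)]
    return reasons

# Constructed samples (not real messages): a forged display name with a
# look-alike link, and a message from the sender the notice names as official
PHISH_SAMPLE = """From: "OSOCRAudit@hhs.gov" <audit@cyber-firm.example>
Subject: HIPAA Privacy, Security, and Breach Rules Audit Program
Content-Type: text/plain; charset="utf-8"

Confirm your inclusion at https://hhs.gov.audit-portal.example/confirm
"""
LEGIT_SAMPLE = """From: OSOCRAudit@hhs.gov
Subject: HIPAA Audit Program notification
Content-Type: text/plain; charset="utf-8"

Details are posted at https://www.hhs.gov/hipaa/for-professionals/index.html
"""
```

The display-name case matters because a mail client shows the name, not the address, so the sender check must look at the parsed address.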