
OCR Warns of Phishing Scam to HIPAA Covered Entities

The Office for Civil Rights announced that a phishing scam is using HHS letterhead to target HIPAA covered entities’ employees.

UPDATE: OCR released an additional update on November 30 with new details regarding the phishing scam. 

Phishing scam impersonating official OCR audit communication

Employees of HIPAA covered entities and their business associates should be aware of an alleged phishing scam that is using Department of Health and Human Services (HHS) letterhead, according to an OCR email sent out on November 28, 2016.

The email is using a mock HHS department letterhead and OCR Director Jocelyn Samuels’ signature. It is meant to look like official OCR Audit communication, the agency stated.  

“The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program,” OCR warned. “The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services.”

OCR maintained that the firm sending the email is not associated with the agency or with HHS.

“We take the unauthorized use of this material by this firm very seriously,” the email read. “In the event that you or your organization has a question as to whether it has received an official communication from our agency regarding a HIPAA audit, please contact us via email at [email address not shown].”

UPDATE: On November 30, 2016, OCR sent out another email discussing the phishing scam targeting HIPAA covered entities and business associates.

OCR explained that the email in question “prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program, and directs individuals to a non-governmental website, marketing a firm’s cybersecurity services.”

“OCR would like to further share that this phishing email originates from the email address [not shown] [and] directs individuals to a URL at http://www.hhs-gov.us,” OCR said. “This is a subtle difference from the official email address for our HIPAA audit program, [not shown], but such subtlety is typical in phishing scams.”

Covered entity and business associate employees should be warned of the phishing email, and be reminded that official HIPAA audit communications are sent from OSOCRAudit@hhs.gov.
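The check that the notice describes, comparing the sender address and any linked domain against the official hhs.gov domain and flagging lookalikes such as hhs-gov.us, can be automated at the mail gateway or in a user-reported-phish triage script. The following is an added example written for this article; it is not code from OCR or HHS. The function names (`is_official_domain`, `looks_like_official`, `assess_message`) and the sample messages are constructed for illustration, and only the hhs-gov.us domain and the OSOCRAudit@hhs.gov mailbox come from the notice above.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Official domain and HIPAA audit mailbox named in the OCR notice.
OFFICIAL_DOMAIN = "hhs.gov"
OFFICIAL_AUDIT_SENDER = "OSOCRAudit@hhs.gov"

# Crude URL extractor for plain-text bodies; trailing punctuation is trimmed below.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_official_domain(host: str) -> bool:
    """True for hhs.gov itself or any host under it (e.g. www.hhs.gov)."""
    host = host.lower().rstrip(".")
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


def looks_like_official(host: str) -> bool:
    """True when a host imitates hhs.gov without being under it, e.g. hhs-gov.us.

    Separators are collapsed so that 'hhs-gov.us' -> 'hhsgovus', which still
    contains the brand string 'hhsgov'. A bare 'hhs' label is also treated as
    imitation (e.g. hhs.example.test).
    """
    host = host.lower().rstrip(".")
    if is_official_domain(host):
        return False
    collapsed = re.sub(r"[^a-z0-9]", "", host)
    brand = re.sub(r"[^a-z0-9]", "", OFFICIAL_DOMAIN)  # 'hhsgov'
    return brand in collapsed or any(label == "hhs" for label in host.split("."))


def assess_message(from_header: str, body: str) -> dict:
    """Return findings for a message that claims to be OCR audit correspondence."""
    _, sender = parseaddr(from_header)
    sender_domain = sender.rpartition("@")[2]
    findings = []

    # Sender check: the official audit mailbox passes; other hhs.gov senders are
    # tolerated; anything imitating hhs.gov or outside it is flagged.
    if sender.lower() != OFFICIAL_AUDIT_SENDER.lower():
        if looks_like_official(sender_domain):
            findings.append(f"sender domain imitates {OFFICIAL_DOMAIN}: {sender_domain}")
        elif not is_official_domain(sender_domain):
            findings.append(f"sender is not the official audit mailbox: {sender}")

    # Link check: every URL in the body must resolve to an hhs.gov host.
    for url in URL_RE.findall(body):
        host = urlparse(url.rstrip(".,;)")).hostname or ""
        if looks_like_official(host):
            findings.append(f"link imitates {OFFICIAL_DOMAIN}: {host}")
        elif not is_official_domain(host):
            findings.append(f"link to non-government site: {host}")

    return {"suspicious": bool(findings), "findings": findings}


# Constructed samples that mirror the pattern OCR described; not the real messages.
SAMPLE_PHISH_FROM = "OCR Audit <audit@hhs-gov.us>"  # constructed lookalike sender
SAMPLE_PHISH_BODY = (
    "You may be selected for the HIPAA Privacy, Security, and Breach Rules "
    "Audit Program. Confirm your participation at http://www.hhs-gov.us/audit"
)
SAMPLE_LEGIT_FROM = "OCR Audit <OSOCRAudit@hhs.gov>"
SAMPLE_LEGIT_BODY = "Audit materials are posted at https://www.hhs.gov/hipaa/"  # constructed path


if __name__ == "__main__":
    for label, frm, body in (("phish", SAMPLE_PHISH_FROM, SAMPLE_PHISH_BODY),
                             ("legit", SAMPLE_LEGIT_FROM, SAMPLE_LEGIT_BODY)):
        result = assess_message(frm, body)
        print(label, "suspicious" if result["suspicious"] else "clean", result["findings"])
```

The collapse-then-compare step is what catches the "subtle difference" OCR points to: a hyphen or an extra TLD changes the string but not the brand the reader sees. The same logic generalizes to any organization by changing `OFFICIAL_DOMAIN`; in production it would sit behind DMARC and URL-rewriting controls rather than replace them.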

OCR added that it has already notified selected business associates that are included in the Phase 2 HIPAA audits.
