- The HHS Office of Inspector General (OIG) hotline number for reporting fraud was recently spoofed, according to an HHS statement.
Individuals reported receiving phone calls claiming to be from HHS OIG, requesting that they confirm personal information and even wire money in some cases.
HHS Assistant Inspector General for Investigations Thomas O’Donnell explained that thousands of calls using the spoofed number were made across the US. However, only a handful of individuals sent money to the fraudsters.
“The office was first informed of the spoofing attack in February by a member of the public, who reported receiving a call from the hotline number,” HHS noted. “OIG immediately launched an investigation. O’Donnell said Verizon Communications, which handles calls for several government agencies at a call center at Louisiana State University in Baton Rouge, noted that thousands of outgoing calls were being made from the hotline.”
O’Donnell added that the OIG hotline does not make outgoing calls, and only receives calls.
HHS stated that the callers will tell individuals that they will receive “government grant money” if the individuals pay their taxes on time. Then, the callers request personal information (i.e. Social Security numbers, bank account number).
“They can spoof any legitimate number,” O’Donnell warned, saying that other HHS agencies may have been attacked by scammers who used spoofed numbers. He confirmed that the OIG data systems were not breached.
HHS urged individuals to take advantage of their patient privacy rights under HIPAA, such as being able to inspect and receive a copy of their own medical records. Additionally, individuals can have records amended or corrected when inaccuracies are found and also file a complaint if they believe their privacy rights have been violated.
“The HHS CyberCARE team also urges you to add a cyber checkup to your annual to-do list,” the HHS statement explained. “Your online posts, comments, tags and followers create a wealth of personal information that bad actors can use to steal your identity and manipulate you into giving up even more confidential information.”
O’Donnell stressed that the government does not “sell” grants and that the OIG would never contact the public through the hotline to either request or confirm information.
Scammers may attempt a variety of tactics to goad information out of individuals, HHS advised. Regardless of “how authoritative a caller may sound,” the agency maintained that individuals should never give out personal details such as their date of birth, Social Security number, or credit card or bank account information.
Unfortunately, this is not the first time that a government agency was involved in a scam.
In November 2016, OCR reported a phishing scam targeting HIPAA covered entities and business associates. An email with a mock HHS department letterhead and OCR Director Jocelyn Samuels’ signature was being sent out. It was meant to look like official OCR Audit communication, the agency said.
“The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program,” OCR stated. “The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services.”
An update sent two days after the initial warning explained that the fraudulent email prompted “recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program, and directs individuals to a non-governmental website, marketing a firm’s cybersecurity services.”
However, OCR said it had already notified selected business associates that were being included in the Phase 2 HIPAA audits.
“OCR would like to further share that this phishing email originates from the email address [email protected] directs individuals to a URL at http://www.hhs-gov.us,” OCR maintained. “This is a subtle difference from the official email address for our HIPAA audit program, [email protected], but such subtlety is typical in phishing scams.”