- UPDATE: OCR released an additional update on November 30 with new details regarding the phishing scam.
Employees of HIPAA covered entities and their business associates should be aware of an alleged phishing scam that is using Department of Health and Human Services (HHS) letterhead, according to an OCR email sent out on November 28, 2016.
The email is using a mock HHS department letterhead and OCR Director Jocelyn Samuels’ signature. It is meant to look like official OCR Audit communication, the agency stated.
“The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program,” OCR warned. “The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services.”
OCR maintained that the firm sending the email is not associated with the agency or with HHS.
“We take the unauthorized use of this material by this firm very seriously,” the email read. “In the event that you or your organization has a question as to whether it has received an official communication from our agency regarding a HIPAA audit, please contact us via email at [email protected].”
UPDATE: On November 30, 2016, OCR sent out another email discussing the phishing scam targeting HIPAA covered entities and business associates.
OCR explained that the email in question “prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program, and directs individuals to a non-governmental website, marketing a firm’s cybersecurity services.”
“OCR would like to further share that this phishing email originates from the email address [email protected] and directs individuals to a URL at http://www.hhs-gov.us,” OCR said. “This is a subtle difference from the official email address for our HIPAA audit program, [email protected], but such subtlety is typical in phishing scams.”
Covered entity and business associate employees should be warned of the phishing email, and be reminded that official HIPAA audit communications are sent from [email protected].
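The "subtle difference" OCR describes is a lookalike domain: hhs-gov.us reads like the government's address but is registered by someone else. The following Python script is an added example, not part of the OCR notice or any HHS tooling; it shows how a mail team can triage a message by checking the sender's domain and every link in the body against the official domain. It assumes that genuine OCR mail and links use hhs.gov (the page names HHS but not its domain), and the two sample messages, helper names and the audit@ addresses in them are constructed for illustration.

```python
"""Flag e-mail senders and links whose domain imitates an official one.

Added example, not code from the OCR notice. The official domain (hhs.gov) is
an assumption; the sample messages below are constructed, not real mail.
"""
import re
from urllib.parse import urlparse

# Assumption: official OCR mail and links use the hhs.gov domain.
OFFICIAL_DOMAINS = {"hhs.gov"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
ADDR_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def registrable(host: str) -> str:
    """Lower-case the host and keep its last two labels: www.hhs-gov.us -> hhs-gov.us."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def squash(host: str) -> str:
    """Drop dots and hyphens so hhs-gov.us and hhs.gov compare as 'hhsgovus' vs 'hhsgov'."""
    return re.sub(r"[^a-z0-9]", "", host.lower())


def classify_host(host: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a mail or web host."""
    if registrable(host) in OFFICIAL_DOMAINS:
        return "official"
    squashed = squash(host)
    # A host whose letters contain the official name (hhs-gov.us, hhs.gov.example.net)
    # is treated as an imitation rather than as an unrelated third party.
    if any(squash(d) in squashed for d in OFFICIAL_DOMAINS):
        return "lookalike"
    return "unrelated"


def sender_host(from_header: str) -> str:
    """Pull the host out of a From: header such as 'OCR Audit <audit@hhs-gov.us>'."""
    m = ADDR_RE.search(from_header)
    return m.group(1) if m else ""


def triage_message(from_header: str, body: str) -> dict:
    """Classify the sender and every link; 'suspicious' if anything imitates the official domain."""
    sender = classify_host(sender_host(from_header))
    links = {}
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;)")  # drop sentence punctuation glued to the link
        links[url] = classify_host(urlparse(url).hostname or "")
    verdicts = [sender, *links.values()]
    if "lookalike" in verdicts:
        verdict = "suspicious"
    elif all(v == "official" for v in verdicts):
        verdict = "official"
    else:
        verdict = "review"
    return {"sender": sender, "links": links, "verdict": verdict}


# Constructed sample messages (not the actual scam email): the first follows the
# pattern OCR described, the second is what a genuine notice would look like
# under the hhs.gov assumption above.
PHISH_FROM = "OCR Audit <audit@hhs-gov.us>"
PHISH_BODY = "You may be selected for the HIPAA Audit Program. Confirm at http://www.hhs-gov.us/audit."
LEGIT_FROM = "OCR Audit <audit@hhs.gov>"
LEGIT_BODY = "Audit information is available at https://www.hhs.gov/hipaa."

if __name__ == "__main__":
    for hdr, body in ((PHISH_FROM, PHISH_BODY), (LEGIT_FROM, LEGIT_BODY)):
        print(hdr, "->", triage_message(hdr, body)["verdict"])
```

The exact match in `classify_host` is the authoritative check; the squashed-substring test is a coarse heuristic that deliberately over-flags (any host containing the letters "hhsgov" is reported as a lookalike) so that a human reviews it, which is the right trade-off for a mailbox that expects only a handful of genuine audit notices.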
OCR added that it has already notified selected business associates that are included in the Phase 2 HIPAA audits.