
Alert: Phishing Email Disguised as Official OCR Audit Communication

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued an alert at the end of November 2016 warning that a phishing email is circulating on mock HHS letterhead under the signature of OCR’s Director, Jocelyn Samuels. Although the email appears to be an official government communication, it is a phishing scam targeting employees of HIPAA-covered entities and their business associates. The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link leads to a non-governmental website marketing a firm’s cybersecurity services. The email has no government association, and OCR asks that anyone receiving it report it by email to [email protected].

OCR stated that the phishing email originates from the address [email protected], which is subtly different from the official address of OCR’s HIPAA audit program, [email protected]. Using a familiar-looking address with a subtle difference is a common phishing technique.

All employees should be advised of this OCR alert and be watchful for any official-looking email that requires action by the recipient. When in doubt, the rule should be: do not click any hyperlink in the email and do not respond until IT staff, the HIPAA Privacy/Security Officer, the Compliance Office, or another designated party has confirmed whether the email is genuine. Those behind phishing scams are often seeking private information to advance their schemes.
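As an added illustration (not part of the original alert), the following Python check flags a sender address that is a near copy of a known official mailbox, the pattern the alert describes. The official address, the organization keywords and every sample header are constructed placeholders, since the real addresses are redacted above.

```python
from email.utils import parseaddr

# Constructed placeholder standing in for the official audit-program mailbox
# (the real address is redacted in the alert); a mail gateway or help desk
# would load the real allowlist from configuration.
OFFICIAL_SENDERS = {"osocraudit@hhs.example"}
# Words an attacker might put in the display name to look official
ORG_KEYWORDS = ("hhs", "ocr", "office for civil rights")


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, official=OFFICIAL_SENDERS, max_edits=2):
    """Classify a From: header against the allowlist of official senders.

    Returns one of: official, same-domain, lookalike, spoofed-display-name,
    unrelated, malformed. Anything other than 'official' should be verified
    with IT or the Privacy/Security Officer before acting on the message.
    """
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return "malformed"
    if addr in official:
        return "official"
    local, domain = addr.rsplit("@", 1)
    for off in official:
        off_local, off_domain = off.rsplit("@", 1)
        if domain == off_domain:
            return "same-domain"  # real domain, different mailbox: still verify
        # Same mailbox name on a different domain, or a domain within a couple
        # of typos of the real one, is the "subtle difference" the alert warns of.
        if local == off_local or edit_distance(domain, off_domain) <= max_edits:
            return "lookalike"
    if any(k in display.lower() for k in ORG_KEYWORDS):
        return "spoofed-display-name"  # official-sounding name, unrelated address
    return "unrelated"
```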
