The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) recently issued an alert concerning a phishing email being circulated on mock HHS letterhead. Although the email appears to be an official government communication from the OCR Director, it is a phishing scam targeting employees of HIPAA-covered entities and their business associates. The email prompts recipients to click on a link regarding possible inclusion in the Health Insurance Portability and Accountability Act (HIPAA) audit program. The link directs individuals to a third-party website marketing a firm’s cyber security services, but the email communication has no association with the government. Further, OCR stated that the phishing email originates from the email address “OSOCRAudit@hhs-gov.us,” which is slightly different from the official email address for OCR’s HIPAA audit program, OSOCRAudit@hhs.gov.
Phishing scams commonly use a sender address that closely resembles a familiar one, differing only in a subtle detail. All employees should be watchful for any official-appearing email that requires the recipient to take action. When in doubt, employees should avoid clicking any hyperlink provided and abstain from responding to such emails until the message has been cleared with IT staff, the HIPAA Privacy and Security Officer, the Compliance Officer, or another designated party who can determine whether the email is genuine. Those behind phishing scams often seek private information to further advance their schemes.
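The lookalike-domain trick described in the alert ("hhs-gov.us" standing in for "hhs.gov") is easy to screen for mechanically. The following is an added example, not code from OCR or HHS: it parses the sender address from a From: header, treats an exact match or a genuine subdomain of an allowlisted domain as trusted, and flags domains that merely resemble a trusted one once punctuation is stripped or that embed the trusted name under some other domain. The allowlist and the sample headers are constructed for illustration; only the two HHS addresses are taken from the alert.

```python
"""Flag sender addresses whose domain merely resembles a trusted domain.

Added example, not part of the OCR alert. TRUSTED_DOMAINS and the sample
From: headers are constructed; the two HHS addresses come from the alert text.
"""
import re
from email.utils import parseaddr

# Constructed allowlist of domains that legitimately send official correspondence.
TRUSTED_DOMAINS = {"hhs.gov"}

# Constructed sample From: header values. The first two mirror the alert.
SAMPLE_FROM_HEADERS = [
    "OCR Audit <OSOCRAudit@hhs-gov.us>",
    "OCR Audit <OSOCRAudit@hhs.gov>",
    "HHS Notices <notices@hhs.gov.example-mail.com>",  # trusted name used as a subdomain elsewhere
    "Vendor <sales@example.com>",
]


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain part of the address in a From: header ('' if none)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def _skeleton(domain: str) -> str:
    """Drop everything but letters and digits so 'hhs-gov.us' and 'hhs.gov' compare on letters only."""
    return re.sub(r"[^a-z0-9]", "", domain)


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a From: header as 'trusted', 'lookalike' or 'external'."""
    domain = sender_domain(from_header)
    if not domain:
        return "external"
    for good in trusted:
        # Exact match or a real subdomain of the trusted domain (e.g. mail.hhs.gov).
        if domain == good or domain.endswith("." + good):
            return "trusted"
    for good in trusted:
        # Same letters, different punctuation or suffix: hhs-gov.us, hhsgov-mail.com, hhs.gov.evil.com.
        if _skeleton(domain).startswith(_skeleton(good)):
            return "lookalike"
        # Trusted name buried inside a longer domain: mail.hhs.gov.evil.com.
        if ("." + good + ".") in domain:
            return "lookalike"
    return "external"


def triage(headers=SAMPLE_FROM_HEADERS):
    """Return {header: verdict} for a batch of From: header values."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage().items():
        print(f"{verdict:9s} {header}")
```

A check like this belongs at the mail gateway or in a triage script rather than with the recipient; it is deliberately conservative and will flag some benign domains that happen to begin with the same letters, which is the right trade-off for an allowlist of a handful of high-value official domains.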
The OCR Alert is available at: