OCR Warns of Phishing Scam to HIPAA Covered Entities
Written by Editor   
Monday, December 05, 2016 12:00 AM

News Bite: In an email notifying HIPAA covered entities, the HHS has announced a phishing scam that uses official HHS letterhead and signatures.


Employees of HIPAA covered entities and their business associates should be aware of an alleged phishing scam that is using Department of Health and Human Services (HHS) letterhead, according to an OCR email. The email is using a mock HHS department letterhead and OCR Director Jocelyn Samuels’ signature. It is meant to look like official OCR Audit communication, the agency stated.

“The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program,” OCR warned. “The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services.” OCR maintained that the firm sending the email is not associated with the agency or with HHS.

“OCR would like to further share that this phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us,” OCR said. “This is a subtle difference from the official email address for our HIPAA audit program, OSOCRAudit@hhs.gov, but such subtlety is typical in phishing scams.”

Covered entity and business associate employees should be warned of the phishing email, and be reminded that official HIPAA audit communications are sent from OSOCRAudit@hhs.gov.
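The distinction OCR draws above (hhs-gov.us versus hhs.gov) is exactly the kind of lookalike that a mail-triage rule can catch. The following is an added example, not code from OCR, HHS, or the original article: it extracts the host from a sender address or link, treats hhs.gov (the official domain named in the OCR email) as the only legitimate domain, and flags any host that collapses to the same letters once dots and hyphens are removed. The sample messages, the OFFICIAL_DOMAINS list, and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Official sender domain for HIPAA audit communications, per the OCR email quoted above.
# Assumption: a deployment would extend this tuple with its own trusted domains.
OFFICIAL_DOMAINS = ("hhs.gov",)


def extract_host(value):
    """Return the lowercase host from an e-mail address, a URL, or a bare hostname."""
    value = value.strip()
    if "@" in value:
        m = re.search(r"@([A-Za-z0-9.-]+)", value)
        host = m.group(1) if m else ""
    elif "://" in value:
        host = urlparse(value).hostname or ""
    else:
        host = value
    host = host.lower().strip(".")
    # Drop a leading "www." so www.hhs-gov.us and hhs-gov.us are judged the same way.
    return host[4:] if host.startswith("www.") else host


def is_official(host):
    """True if the host is an official domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def _skeleton(s):
    # Keep only letters and digits: "hhs-gov" -> "hhsgov", "hhs.gov" -> "hhsgov".
    return re.sub(r"[^a-z0-9]", "", s)


def classify(value):
    """Return 'official', 'lookalike' (resembles an official domain but is not one), or 'other'."""
    host = extract_host(value)
    if not host:
        return "other"
    if is_official(host):
        return "official"
    labels = host.split(".")
    # Compare both the full host and the host minus its TLD against each official domain,
    # so that "hhs-gov.us" (TLD stripped -> "hhs-gov" -> "hhsgov") matches "hhs.gov".
    candidates = {_skeleton(host), _skeleton(".".join(labels[:-1]))}
    for d in OFFICIAL_DOMAINS:
        if _skeleton(d) in candidates:
            return "lookalike"
    return "other"


# Constructed sample messages (not real mail): a sender address and the link it carries.
SAMPLE_MESSAGES = [
    {"from": "OSOCRAudit@hhs.gov", "link": "https://www.hhs.gov/hipaa"},
    {"from": "OSOCRAudit@hhs-gov.us", "link": "http://www.hhs-gov.us"},
    {"from": "news@example.com", "link": "https://example.com/news"},
]


def triage(messages):
    """Return the sender addresses of messages whose sender or link host is a lookalike."""
    flagged = []
    for msg in messages:
        verdicts = {classify(msg["from"]), classify(msg["link"])}
        if "lookalike" in verdicts:
            flagged.append(msg["from"])
    return flagged


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from"], "->", classify(m["from"]), "/", classify(m["link"]))
    print("flagged:", triage(SAMPLE_MESSAGES))
```

The check compares only hostnames, so it complements rather than replaces sender authentication (SPF, DKIM, DMARC) on hhs.gov itself; its value is that a lookalike registered under a different TLD, which those mechanisms never see, still surfaces for review.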

“We take the unauthorized use of this material by this firm very seriously,” the email read. “In the event that you or your organization has a question as to whether it has received an official communication from our agency regarding a HIPAA audit, please contact us via email at osocraudit@hhs.gov.”


Source: http://healthitsecurity.com/news/ocr-warns-of-phishing-scam-to-hipaa-covered-entities