Phishing Alert from the Office of Civil Rights
OCR Alert: Phishing Email Disguised as Official OCR Audit Communication
The Department of Health and Human Services’ Office for Civil Rights has alerted the public to a phishing email targeting employees of entities covered by the Health Insurance Portability and Accountability Act (HIPAA) and their business associates. Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details, often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
The email being circulated is on mock HHS Departmental letterhead and appears to be an official government communication from OCR Director Jocelyn Samuels. It prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. However, the link directs individuals to a nongovernmental website marketing a firm’s cybersecurity services. In a statement released November 28, 2016, the OCR stated, “In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights.”
The phishing email originated from the address OSOCRAudit@hhs.gov.us and directed individuals to the URL http://hhs.gov.us. The official email address for the audit program, by contrast, is OSOCRAudit@hhs.gov. The extra “.us” after the legitimate domain is the only difference, and such subtle lookalike domains are typical of phishing scams. We highly recommend that all Covered Entities and Business Associates alert their employees to this issue and take note that official communications regarding the HIPAA audit program are sent only to selected auditees, and only from the email address OSOCRAudit@hhs.gov.
Remember that an important element of HIPAA Security Rule compliance is to train end users not to fall for phishing and other social engineering scams. Failing to do so may lead to a data breach under the HIPAA Security Rule. The irony of this phishing attack is that it is targeted at HIPAA security officers. All HIPAA Covered Entities and Business Associates are advised to be on the lookout for this email and to take standard precautions to determine the validity of all emails received. These precautions include, but are not limited to:
- Checking for obvious spelling mistakes and overly broad language
- Taking time to hover your cursor over a link to view the actual destination and confirm that it is correct
- Looking for malicious attachments; never open an attachment you are unsure of
- Reviewing the full address of the email sender, not just the display name
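The last two precautions can be partly automated. The following script, added here as an illustration and not part of the OCR alert or of Woods Rogers’ guidance, checks sender addresses and link URLs against the one legitimate domain named above (hhs.gov) and flags hosts that merely contain it, such as hhs.gov.us. The sample messages are constructed for the example.

```python
"""Flag sender addresses and URLs whose host only resembles a trusted domain."""
import re
from urllib.parse import urlparse

# The only domain the audit program legitimately sends from (from the OCR alert).
TRUSTED_DOMAINS = {"hhs.gov"}


def host_of(value: str) -> str:
    """Lower-cased host from 'Name <user@host>', 'user@host', or a URL."""
    s = value.strip().lower()
    m = re.search(r"[\w.+-]+@([\w.-]+)", s)
    if m and "://" not in s:
        return m.group(1)
    return urlparse(s if "://" in s else "http://" + s).hostname or ""


def classify(value: str) -> str:
    """'trusted' for the domain itself or a real subdomain of it,
    'lookalike' when the trusted name is embedded in some other host
    (hhs.gov.us, hhs-gov.com, hhs.gov.example.net), else 'untrusted'."""
    host = host_of(value)
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return "trusted"
        # Compare with dots and hyphens removed so hhs.gov.us and hhs-gov.com match.
        if trusted.replace(".", "") in host.replace(".", "").replace("-", ""):
            return "lookalike"
    return "untrusted"


def suspicious(values):
    """Return (value, verdict) for every input that is not from a trusted host."""
    return [(v, classify(v)) for v in values if classify(v) != "trusted"]


if __name__ == "__main__":
    # Constructed sample: a From: header and a link as described in the alert,
    # plus a genuine address and a real subdomain for comparison.
    samples = [
        "Jocelyn Samuels <OSOCRAudit@hhs.gov.us>",
        "http://hhs.gov.us/audit",
        "OSOCRAudit@hhs.gov",
        "alerts@mail.hhs.gov",
        "https://hhs-gov.com/login",
    ]
    for value, verdict in suspicious(samples):
        print(f"{verdict:10s} {value}")
```

Run the script to see the two lookalike senders and the lookalike link reported while the genuine hhs.gov addresses pass; extend TRUSTED_DOMAINS with your own organisation’s domains to reuse it.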
Organizations with questions as to whether they have received a legitimate communication regarding the audit program can email the agency at OSOCRAudit@hhs.gov or contact one of the authors at Woods Rogers listed above.