The Office for Civil Rights (OCR) has issued an alert warning healthcare providers about a phishing scam disguised as an official communication from the Department of Health and Human Services.
Scam artists are circulating the email on fake HHS letterhead with the signature of Jocelyn Samuels, OCR’s director. It is aimed at covered entities and business associates, appearing to be an official government communication. The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program, but the link directs individuals to a non-governmental website marketing a firm’s cybersecurity services.
“In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights,” OCR states in the alert. “We take the unauthorized use of this material by this firm very seriously.”
The phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. OCR points out the subtle difference from the official email address of the HIPAA audit program: OSOCRAudit@hhs.gov.
“Covered entities and business associates should alert their employees of this issue and take note that official communications regarding the HIPAA audit program are sent to selected auditees from the email address OSOCRAudit@hhs.gov,” according to the alert.