Risk alert — Phishing emails sent as official OCR communication

November 23, 2016 Cathy Bryant

The Office of Civil Rights (OCR) is alerting physician practices, their business associates, and other HIPAA-covered entities about phishing emails that are being sent disguised as official OCR audit communication.

The emails are being sent on falsified U.S. Department of Health and Human Services (HHS) letterhead under the signature of OCR’s Director, Jocelyn Samuels.

The emails prompt recipients to click on a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link leads to a non-governmental website marketing a firm’s cyber security services. In no way is this firm associated with the HHS or OCR.

The phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. This is a subtle difference from the official email address for our HIPAA audit program, OSOCRAudit@hhs.gov, but such subtlety is typical in phishing scams.

Official	Scam
OSOCRAudit@hhs.gov	OSOCRAudit@hhs-gov.us

Covered entities and business associates should alert their employees of this issue and note that official communications regarding the HIPAA audit program are sent from the email address OSOCRAudit@hhs.gov.

In addition, OCR has notified select business associates of their inclusion in Phase 2 HIPAA audits. For more information on the HIPAA Phase 2 Audits, please visit the OCR’s audit program website.

TMLT provides Cyber Risk Management services to physicians. Learn more at our cyber risk management page.

About the Author

Cathy joined TMLT in 2010 and serves as the Senior Compliance and Risk Management Manager. Cathy leads the development and implementation of TMLT’s cyber risk management services. Cathy Bryant can be reached at cathy-bryant@tmlt.org.
Visit Website More Content by Cathy Bryant

Authentication — A vulnerability in your practice?

Under the ever-present threat of an attack by cyber criminals, health care entities are taking a closer loo...

Next Presentation

Things to consider before buying cyber liability insurance

This presentation introduces actionable steps to help prepare for and mitigate cyber threats.

Podcast: Tech, Telemedicine, Tomorrow

LISTEN

Return to Hub Home

Risk alert — Phishing emails sent as official OCR communication

About the Author

Previous Article

Next Presentation

Other content in this Stream

The OCR is warning about an increase in malicious behavior by cyber criminals seeking access to protected health information.

On-demand webinar discussing: HIPAA and patient privacy; sharing PHI with public health authorities; and preparing for coronavirus in your practice.

These incidents highlight the catastrophic consequences of ransomware attacks.

The hospital received an email invoice from the ED group with instructions to send payment to a new account.

Our increased dependency on teleconferencing has created new opportunities and incentives for cyber criminals to hack into video calls.

HHS OCR announced it will waive potential HIPAA penalties against health care providers using telehealth services to care for patients during the COVID-19 national emergency.

HIPAA and public health emergencies: updates from the OCR

As more cyber crime victims choose to pay ransom, cybercriminals are employing customer service tactics to engage with victims.

Simply complying with the HIPAA Security Rule is not enough to ensure your practice is equipped with strong cyber security. Robert Felps and Ed Jones of Third Rock, a top cyber risk management firm, s

Learn what could happen if the OCR investigates your practice, for either a breach or a complaint. TMLT hosts Kassie Toerner and Cathy Bryant are joined by a Texas physician who survived an OCR invest

Data security and control of information in health care lag behind other industries.

TMLT offers four steps to help you prepare.

Case examples that describe how the new Texas privacy laws will affect physicians.

In this webinar recording, we discuss the HIPAA Security Rule requirement to regularly review records of information system activity. During this interactive, fast-paced session, our experts: - explo

HIPAA compliance is a journey, not a destination — and that journey needs to be funded. Unfortunately, HIPAA and cyber security budgets are often seriously underfunded by health care organizations – o

On October 27, the HHS Office for Civil Rights issued guidance on how HIPAA allows information sharing to respond to the opioid crisis.

The amount you can charge for supplying copies of medical records has changed, as the Office of Civil Rights has issued guidance that clarifies allowable fees.

HHS and OCR are reminding HIPAA-covered entities and their business associates that protections of the HIPAA Privacy Rule are not “set aside” during an emergency.

Corrective actions taken to enhance privacy and security may introduce usability issues.

John Southrey, director of consulting services at TMLT, describes the costs - both direct and indirect - of a cyber data breach.