Risk alert — Phishing emails sent as official OCR communication

November 23, 2016 Cathy Bryant

The Office of Civil Rights (OCR) is alerting physician practices, their business associates, and other HIPAA-covered entities about phishing emails that are being sent disguised as official OCR audit communication.

The emails are being sent on falsified U.S. Department of Health and Human Services (HHS) letterhead under the signature of OCR’s Director, Jocelyn Samuels.

The emails prompt recipients to click on a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link leads to a non-governmental website marketing a firm’s cyber security services. In no way is this firm associated with the HHS or OCR. 

The phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. The domain differs only subtly from that of the official email address for OCR's HIPAA audit program, OSOCRAudit@hhs.gov, and such subtlety is typical of phishing scams.









Covered entities and business associates should alert their employees to this issue and note that official communications regarding the HIPAA audit program are sent from the email address OSOCRAudit@hhs.gov.
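A mail filter or help desk can automate the comparison described above. The following is an added example, not part of the OCR alert or of any OCR or TMLT tooling: it flags a sender or link whose domain imitates hhs.gov without being hhs.gov. The function names and the sample message are constructed for illustration; only the two addresses and the URL come from the alert.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

OFFICIAL_ADDRESS = "osocraudit@hhs.gov"  # audit program address given in the alert
OFFICIAL_DOMAIN = "hhs.gov"

def _squash(name):
    """Drop dots, hyphens and other separators so 'hhs-gov.us' lines up with 'hhs.gov'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def classify_host(host):
    """Return 'official', 'lookalike' or 'unrelated' for a DNS name."""
    host = (host or "").lower().rstrip(".")
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    # Heuristic: the official name reappears once separators are ignored, yet the
    # domain is a different one (hhs-gov.us, hhs.gov.example.net). Review the hits.
    if _squash(OFFICIAL_DOMAIN) in _squash(host):
        return "lookalike"
    return "unrelated"

def classify_sender(from_header):
    """Classify a From header value. The header can be forged, so 'official'
    describes only the text of the address, not the true origin of the mail."""
    _, addr = parseaddr(from_header)
    _local, at, domain = addr.lower().rpartition("@")
    if not at:
        return "unrelated"
    verdict = classify_host(domain)
    if verdict == "official" and addr.lower() != OFFICIAL_ADDRESS:
        return "official-domain"  # hhs.gov, but not the audit program mailbox
    return verdict

def classify_links(body):
    """Map each http(s) URL found in the body text to its verdict."""
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    return {u: classify_host(urlsplit(u).hostname) for u in urls}

def triage(from_header, body):
    """True when the sender or any link imitates the official domain."""
    return (classify_sender(from_header) == "lookalike"
            or "lookalike" in classify_links(body).values())

# Constructed sample message built from the addresses quoted in the alert.
SAMPLE_FROM = "Jocelyn Samuels <OSOCRAudit@hhs-gov.us>"
SAMPLE_BODY = "Your practice may be included in the audit program: http://www.hhs-gov.us"
if __name__ == "__main__":
    print(classify_sender(SAMPLE_FROM), classify_links(SAMPLE_BODY))
```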

In addition, OCR has notified select business associates of their inclusion in Phase 2 HIPAA audits. For more information on the HIPAA Phase 2 Audits, please visit OCR's audit program website.

TMLT provides Cyber Risk Management services to physicians. Learn more at our cyber risk management page.




About the Author

Cathy Bryant

Cathy joined TMLT in 2010 and serves as the Senior Compliance and Risk Management Manager. Cathy leads the development and implementation of TMLT’s cyber risk management services. Cathy Bryant can be reached at cathy-bryant@tmlt.org.
