Risk alert — Phishing emails sent as official OCR communication

The Office of Civil Rights (OCR) is alerting physician practices, their business associates, and other HIPAA-covered entities about phishing emails that are being sent disguised as official OCR audit communication.

The emails are being sent on falsified U.S. Department of Health and Human Services (HHS) letterhead under the signature of OCR’s Director, Jocelyn Samuels.

The emails prompt recipients to click on a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link leads to a non-governmental website marketing a firm’s cyber security services. In no way is this firm associated with the HHS or OCR. 

The phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. This is a subtle difference from the official email address for our HIPAA audit program, OSOCRAudit@hhs.gov, but such subtlety is typical in phishing scams.

Covered entities and business associates should alert their employees of this issue and note that official communications regarding the HIPAA audit program are sent from the email address OSOCRAudit@hhs.gov.

In addition, OCR has notified select business associates of their inclusion in Phase 2 HIPAA audits.  For more information on the HIPAA Phase 2 Audits, please visit the OCR’s audit program website.

TMLT provides Cyber Risk Management services to physicians. Learn more at our cyber risk management page.