HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

OCR Warns Healthcare Organizations of Fake HIPAA Audit Emails

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a warning to healthcare organizations about a new phishing email campaign that uses an official-looking OCR letterhead and the signature of OCR Director Jocelyn Samuels.

Phishing emails usually encourage the recipients to click on malicious links that direct them to websites where malware is downloaded, to open infected email attachments, or to reveal sensitive information. In this case, the emails contain a link to the website of a cybersecurity firm. The website does not appear to be malicious in nature, instead, the email appears to be a marketing ploy to get healthcare organizations to sign up for the firm’s services.

The firm uses the HIPAA compliance audits to lure email recipients into clicking on the link. The emails claim to be official communications about the current round of HIPAA compliance audits and the possible inclusion of the recipient’s organization in the audit program.

Samuels says in the OCR’s official email about the scam, “In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights.” Samuels also said OCR takes the unauthorized use of OCR material very seriously, although no mention is made about whether any action will be taking against the firm.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The warning was sent via email on November 28 and a follow up email was sent on November 30 providing further information about the scam. The second communication includes the email address that is beinbg used by the cybersecurity firm – a variation of the official email address used by OCR to communicate with healthcare organizations that have been selected for a HIPAA compliance audit.

OCR communicates with healthcare organizations about HIPAA audits using the email account – [email protected]. The fake emails from the security firm have been sent from the email account: [email protected]. This is a common tactic used by spammers and scammers to make their email campaigns appear genuine. In this case, the spoofed domain was registered on November 18, 2016 by a cybersecurity firm based in Miami, Florida.

The incident highlights how important it is for healthcare organizations to exercise caution when opening and responding to any official-looking email about HIPAA compliance. If in any doubt about the authenticity of an email from OCR relating to the HIPAA compliance audits, an email should be sent to [email protected] to confirm whether the email is genuine. If in any doubt about a domain, it is possible to conduct a check to find out the owner of the domain on whois.com.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.