OCR Warns Healthcare Organizations of Fake HIPAA Audit Emails

Share this article on:

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a warning to healthcare organizations about a new phishing email campaign that uses an official-looking OCR letterhead and the signature of OCR Director Jocelyn Samuels.

Phishing emails usually encourage the recipients to click on malicious links that direct them to websites where malware is downloaded, to open infected email attachments, or to reveal sensitive information. In this case, the emails contain a link to the website of a cybersecurity firm. The website does not appear to be malicious in nature, instead, the email appears to be a marketing ploy to get healthcare organizations to sign up for the firm’s services.

The firm uses the HIPAA compliance audits to lure email recipients into clicking on the link. The emails claim to be official communications about the current round of HIPAA compliance audits and the possible inclusion of the recipient’s organization in the audit program.

Samuels says in the OCR’s official email about the scam, “In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights.” Samuels also said OCR takes the unauthorized use of OCR material very seriously, although no mention is made about whether any action will be taking against the firm.

The warning was sent via email on November 28 and a follow up email was sent on November 30 providing further information about the scam. The second communication includes the email address that is beinbg used by the cybersecurity firm – a variation of the official email address used by OCR to communicate with healthcare organizations that have been selected for a HIPAA compliance audit.

OCR communicates with healthcare organizations about HIPAA audits using the email account – OSOCRAudit@hhs.gov. The fake emails from the security firm have been sent from the email account: OSOCRAudit@hhs-gov.us. This is a common tactic used by spammers and scammers to make their email campaigns appear genuine. In this case, the spoofed domain was registered on November 18, 2016 by a cybersecurity firm based in Miami, Florida.

The incident highlights how important it is for healthcare organizations to exercise caution when opening and responding to any official-looking email about HIPAA compliance. If in any doubt about the authenticity of an email from OCR relating to the HIPAA compliance audits, an email should be sent to OSOCRAudit@hhs.gov to confirm whether the email is genuine. If in any doubt about a domain, it is possible to conduct a check to find out the owner of the domain on whois.com.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On