On November 28, 2016, the Office for Civil Rights (OCR) released a bulletin alerting covered entities and business associates of a phishing email scam that is circulating. Please read the contents of the notice below, and be alert for a possible phishing email that you could receive.
It has come to our attention that a phishing email is being circulated on mock HHS Departmental letterhead under the signature of OCR’s Director, Jocelyn Samuels. This email appears to be an official government communication, and targets employees of HIPAA covered entities and their business associates.
The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services.
In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights. We take the unauthorized use of this material by this firm very seriously. In the event that you or your organization has a question as to whether it has received an official communication from our agency regarding a HIPAA audit, please contact us via email at OSOCRAudit@hhs.gov.”
OCR would like to further share that this phishing email originates from the email address OSOCRAudit@hhs‑gov.us and directs individuals to a URL at http://www.hhs‑gov.us. This is a subtle difference from the official email address for our HIPAA audit program, OSOCRAudit@hhs.gov, but such subtlety is typical in phishing scams.
If you receive an email, and are unsure whether it is from OCR, check the sending email address. If the email is legitimately from OCR, the sending email address will end with @hhs.gov. Email notices from OCR regarding its audit program have generally come from the OSOCRAudit@hhs.gov email address. Contact Eagle Associates, Inc. at (800) 777-2337 or via email at firstname.lastname@example.org if you have any questions.