Alert: Phishing Email Disguised as Official OCR Audit Communication

Phishing Scam Alert November 28, 2016

Healthcare Compliance Pros has received the following communication from the OCR:

"It has come to our attention that a phishing email is being circulated on mock HHS Departmental letterhead under the signature of OCR's Director, Jocelyn Samuels. This email appears to be an official government communication, and targets employees of HIPAA covered entities and their business associates.

The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link directs individuals to a non-governmental website marketing a firm's cybersecurity services.

In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights. We take the unauthorized use of this material by this firm very seriously. In the event that you or your organization has a question as to whether it has received an official communication from our agency regarding a HIPAA audit, please contact us via email at [email protected]."

If you have additional questions regarding HIPAA Privacy, Security, and Breaches, please contact Healthcare Compliance Pros via email at [email protected].

What Is a Phishing Scam?

Healthcare organizations need to be aware of phishing scams, as they pose a serious security threat. Phishing scams are normally sent via email and appear to come from a legitimate source. They typically ask you to click on a link to confirm your identity or to divulge private information (credit card number, Social Security number, passphrase, etc.). If you do click on the link and confirm this information, the perpetrators now have access to your private information and will use it to commit identity theft.

Staying Safe Against Phishing Scams

How can you protect yourself and your staff against phishing scams? It is important to remind everyone that reputable organizations will never use email to request a reply containing confidential information such as your full Social Security number, credit card number, or passwords to various programs. Always be suspicious of emails that ask you to supply personal information by clicking through to a website.

If you do click on a link in an email and then recognize it as phishing, contact your IT department immediately. When you allow your mail client to render HTML, attackers can take advantage of the client's ability to process embedded content, which leaves your computer vulnerable to viruses and other threats. If you receive a phishing email, delete it immediately and empty it from your deleted items folder so the message cannot be opened again and send you to malicious sites.
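The alert above describes a message that carries HHS/OCR letterhead but links to a non-government site. As an added example, not part of the original alert or any HHS tooling, the Python script below shows how a mail-filtering or help-desk script could flag that pattern: it extracts every link from an HTML mail body and reports links that point outside hhs.gov whenever the message text claims to come from HHS or OCR. The official domain list, the wording hints, and the sample email are all assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: a genuine OCR audit notice links only under hhs.gov.
OFFICIAL_SUFFIXES = ("hhs.gov",)
# Phrases that suggest the message claims HHS/OCR origin (constructed hint list).
GOV_HINTS = ("hhs", "ocr", "office for civil rights", "health and human services", "hipaa audit")

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_is_official(url):
    """True only when the link's host is hhs.gov or a subdomain of it (not a lookalike)."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)

def suspicious_links(html_body):
    """Return links in a message that claims HHS/OCR origin but point off hhs.gov."""
    parser = LinkExtractor()
    parser.feed(html_body)
    body_text = re.sub(r"<[^>]+>", " ", html_body).lower()
    if not any(hint in body_text for hint in GOV_HINTS):
        return []  # no government claim, so a non-.gov link is not a mismatch
    return [(href, text) for href, text in parser.links
            if href.lower().startswith(("http://", "https://")) and not host_is_official(href)]

# Constructed sample modelled on the alert: letterhead text plus an off-government link.
SAMPLE_EMAIL = """<p>U.S. Department of Health and Human Services, Office for Civil Rights</p>
<p>Your organization may be selected for the HIPAA Audit Program.
<a href="https://audit-portal.example-consulting.com/hipaa">Confirm your participation</a></p>
<p><a href="https://www.hhs.gov/hipaa">HIPAA home</a></p>"""

if __name__ == "__main__":
    for href, text in suspicious_links(SAMPLE_EMAIL):
        print(f"flagged: '{text}' -> {href}")
```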