In a cruel twist of fate, health care entities are being phished using an OCR (HHS Office of Civil Rights) email as the bait. Here is the context: HHS/OCR is the governmental entity in charge of enforcing the HIPAA statutes. Back in May, we reported that OCR had started sending emails to Covered Entities and Business Associates asking them to affirm their status under HIPAA, and thus register them in the HIPAA audit pool. There are a few emails an entity can receive from OCR. The first one, asks the email addressee if he/she is the primary contact for the organization. After affirming, the addressee receives a second email to complete a screening questionnaire. From there, the registered entity may be selected to participate in the OCR HIPAA audit program.
An important element of HIPAA Security Rule compliance is to train end users not to fall for phishing and other social engineering scams. Doing so may lead to a data breach under the HIPAA Security Rule. The irony of this phishing attack is that it is targeted at HIPAA security officers.
On November 28, OCR issued this warning:
“It has come to our attention that a phishing email is being circulated on mock HHS Departmental letterhead under the signature of OCR’s Director, Jocelyn Samuels. This email appears to be an official government communication, and targets employees of HIPAA covered entities and their business associates.
The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services.
In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights. We take the unauthorized use of this material by this firm very seriously. In the event that you or your organization has a question as to whether it has received an official communication from our agency regarding a HIPAA audit, please contact us via email at OSOCRAudit@hhs.gov.”
All end users are advised to be on the lookout for this email and should take standard precautions to determine the validity of any emails received. These precautions include, but are not limited to:
- Checking for spelling mistakes and broad language
- Hovering over a link to view the path to make sure it is correct
- Looking for malicious attachments
- Reviewing the address of the email sender
Free HIPAA Security Training!
All Covered Entities and Business Associates need to train their employees on HIPAA security. We now offer free online HIPAA security training for Covered Entities and Business Associates. Find out more about our free training and send the information to ALL your colleagues and Business Associates.
Now it is easy to train your employees on protecting patient information!