Entities receiving an email on HHS Departmental letterhead under the signature of the HHS Office for Civil Rights (OCR) Director Jocelyn Samuels were alerted that the letter could possibly be part of a phishing expedition to breach data systems. The email appears to be an official government communication and targets employees of HIPAA covered entities and their business associates (BA). BAs should be especially careful as the OCR has begun to notify select BAs of their inclusion in the Phase 2 HIPAA audits.
The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services. This firm is not associated with the OCR.
The OCR stated that the phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. This is a subtle difference from the official email address for our HIPAA audit program, OSOCRAudit@hhs.gov. Subtle changes are typical in phishing scams and can lead to additional data breaches. For instance, the Ponemon Institute’s Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data found that health care organizations’ and their business associates’ total data breach costs were approximately $6 billion (see We need a bigger boat: Whaling, the latest threat to cybersecurity, April 28, 2016.).
MainStory: TopStory GeneralNews HIPAANews ComplianceNews HITNews CyberPrivacyFeed
Interested in submitting an article?
Submit your information to us today!Learn More