The Department of Health and Human Services (HHS) is warning HIPAA covered entities and business associates about a phishing email that disguises itself as an official communication from HHS’ Office for Civil Rights (OCR) regarding its HIPAA audit program.
According to OCR’s alert, the phishing email appears to be an official government communication, and targets employees of HIPAA covered entities and business associates. The email prompts recipients to click a link regarding possible inclusion in the HIPAA audit program. The link directs individuals to a non-governmental website marketing a firm’s cyber security services. This firm is not associated with HHS or OCR.
The phishing email is sent from the address OSOCRAudit@hhs-gov.us and directs individuals to a nongovernmental website. The only difference from the official HIPAA audit program address, OSOCRAudit@hhs.gov, is the sender domain: hhs-gov.us is a different domain that merely resembles hhs.gov. Such subtle differences are typical of phishing scams.
Covered entities and business associates should be aware of this issue and take note that official communications regarding the HIPAA audit program are sent from the email address OSOCRAudit@hhs.gov. If you have a question as to whether you have received an official communication from OCR regarding a HIPAA audit, you should contact OCR via email at OSOCRAudit@hhs.gov.
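The lookalike-domain trick described above (hhs-gov.us in place of hhs.gov) can be caught mechanically at the mail gateway or in a SIEM. The following is an added example, not part of the OCR alert: it parses the sender domain out of a From: header, strips the public suffix, and flags domains that collapse to the same string as the trusted domain (hhs-gov.us, hhs.gov.us, hhsgov.com) or that embed it as a label. Only hhs.gov is taken from the alert; the suffix list and the sample headers are constructed for illustration. Note the caveat: the header From: address can be forged outright, so this check catches only the registered-lookalike technique and should be paired with SPF, DKIM and DMARC alignment results rather than used on its own.

```python
import re

# Added example, not part of the OCR alert. hhs.gov is the only sender domain
# the alert names as legitimate; everything else here is an assumption.
LEGITIMATE_DOMAINS = {"hhs.gov"}

# Constructed suffix list for the example; a real deployment would load the
# Public Suffix List instead of hard-coding a handful of entries.
PUBLIC_SUFFIXES = {"gov", "us", "com", "net", "org", "co.uk"}

# Constructed sample From: headers. The second one is the address quoted in the
# alert; the others are made-up variations of the same trick.
SAMPLE_FROM_HEADERS = [
    "HHS OCR <OSOCRAudit@hhs.gov>",
    "HHS OCR <OSOCRAudit@hhs-gov.us>",
    "noreply@mail.hhs.gov",
    "audit@hhs.gov.us",
    "audit@hhsgov.com",
    "alice@example.org",
]

ADDR_RE = re.compile(r'([^@\s<>"]+)@([A-Za-z0-9.-]+)')


def sender_domain(from_header):
    """Return the lowercased domain of the first address in a From: header, or None."""
    m = ADDR_RE.search(from_header)
    return m.group(2).lower().rstrip(".") if m else None


def strip_public_suffix(domain):
    """Remove the longest matching public suffix, e.g. hhs-gov.us -> hhs-gov."""
    labels = domain.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[:i])
    return domain


def squash(name):
    """Drop dots and hyphens so 'hhs-gov', 'hhs.gov' and 'hhsgov' compare equal."""
    return re.sub(r"[.-]", "", name)


def classify_domain(domain):
    """Return 'legitimate', 'lookalike' or 'external' for a sender domain."""
    # Exact match or a genuine subdomain (mail.hhs.gov) of a trusted domain.
    for legit in LEGITIMATE_DOMAINS:
        if domain == legit or domain.endswith("." + legit):
            return "legitimate"
    candidate = squash(strip_public_suffix(domain))
    for legit in LEGITIMATE_DOMAINS:
        legit_full = squash(legit)                        # 'hhsgov'
        legit_brand = squash(strip_public_suffix(legit))  # 'hhs'
        # hhs-gov.us, hhs.gov.us, hhsgov.com all squash to 'hhsgov';
        # hhs.com squashes to the bare brand 'hhs'.
        if candidate in (legit_full, legit_brand):
            return "lookalike"
        # Trusted name embedded as a label, e.g. hhs.gov.attacker.com.
        if legit in domain:
            return "lookalike"
    return "external"


def flag_headers(headers):
    """Return (header, domain, verdict) for every header that is not legitimate."""
    flagged = []
    for header in headers:
        domain = sender_domain(header)
        if domain is None:
            flagged.append((header, None, "unparseable"))
            continue
        verdict = classify_domain(domain)
        if verdict != "legitimate":
            flagged.append((header, domain, verdict))
    return flagged


if __name__ == "__main__":
    for header, domain, verdict in flag_headers(SAMPLE_FROM_HEADERS):
        print(f"{verdict:10} {str(domain):20} {header}")
```

Run against the constructed headers, the script leaves the two hhs.gov senders alone and reports hhs-gov.us, hhs.gov.us and hhsgov.com as lookalikes and example.org as external. The squash-and-compare step is deliberately coarse: it trades a few false positives (any brand-plus-TLD registration) for catching every hyphen, dot and TLD variation of the trusted name without maintaining a list of known bad domains.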