The Office for Civil Rights (OCR) has published a warning over a new phishing scam disguised as a HIPAA-related email sent from the OCR itself. The email features a phony letterhead bearing the name of OCR Director Jocelyn Samuels, and is being sent to doctors, physicians and other covered entities along with their business associates. The email contains a link, asking the recipient to click for inclusion in the HIPAA Privacy, Security and Breach Rules Audit Program.
This link is bogus and does not take the user to any official HIPAA-related webpage. Rather, when clicked, it takes the user to a third-party website promoting a cybersecurity service. Officials believe this email campaign is a dubious marketing ploy designed to scare covered entities and business associates into buying cybersecurity services.
Of course, this email scam comes at a time when covered entities and business associates are already on edge. As you may know, the OCR is currently conducting its second round of HIPAA audits. This means many covered entities and business associates are working around the clock to ensure they are in full compliance with HIPAA and its respective Privacy Rule, Security Rule, and Breach Notification Rule.
When speaking about the phishing email scam, OCR Director Jocelyn Samuels explained that neither HHS nor OCR is associated with the firm responsible for the email. Furthermore, they take the unauthorized use of the OCR's material "very seriously."
"In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights," said Samuels in the warning. "We take the unauthorized use of this material by this firm very seriously."
Samuels added that covered entities and organizations with questions pertaining to this email should contact the OCR directly at OSOCRAudit@hhs.gov. You should not attempt to reply to the phishing email, as it's not governed or otherwise monitored by the OCR.
Phishing emails have become a serious problem, with nefarious individuals and scammers using them to extract personal information from unsuspecting users. It's not just consumers who are being targeted, though. As this latest incident shows, even doctors and other covered entities are being targeted by phishing emails.
To recap, there's a phishing email being circulated to covered entities and business associates, asking them to enroll in the HIPAA Privacy, Security and Breach Rules Audit Program. While this email doesn't contain any malicious software, it promotes an unauthorized cybersecurity program that is not associated with the OCR or any other government entity.