OCR Phishing Scam: Reminder to Use Caution

On November 28, 2016, the Office for Civil Rights for the Department of Health and Human Services issued an alert notifying providers of a “phishing” email. According to the alert, the email is being circulated on fake HHS Departmental letterhead under the signature of Jocelyn Samuels, the OCR Director. Recipients are prompted to click on a link regarding the HIPAA Audit program; however, the link takes individuals to a non-governmental website that markets a private firm’s cybersecurity services. The OCR emphasized in the alert that the firm is in no way affiliated with the Department of Health and Human Services or the OCR.

This alert is a good reminder to use caution when responding to unsolicited emails or letters claiming to be from governmental agencies. Although the goal of this particular scam appears to be inappropriate marketing, such scams could also be used in attempts to access protected health information. Because the OCR does communicate with providers through email and often utilizes the services of contractors with unfamiliar names, it can be very difficult to determine the authenticity of communications from OCR and other agencies. Providers should take reasonable steps to confirm the authenticity of any communications, especially if such communications request a response that involves protected health information or other sensitive information.
