Fraudulent OCR email targets HIPAA-covered entities

The U.S. Department of Health and Human Services on Nov. 28 issued an alert regarding a phishing email that is currently circulating on mock HHS departmental letterhead with a signature from Office of Civil Rights Director Jocelyn Samuels.

HHS notes that the email “appears to be an official governmental communication, and targets employees of HIPAA covered entities and their business associates.” The email “prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program” and then directs recipients to a nongovernmental website that markets a firm’s cybersecurity services.

Phishing is a type of fraud committed by criminals seeking to obtain financial or other confidential information from an online user by posing as a legitimate institution or organization. Users are often directed to a fraudulent website that mimics a legitimate website.

HHS stresses in the alert that neither the email nor the firm referenced in it is associated with HHS or OCR, and asks individuals who believe they may have received this fraudulent email to contact HHS.
