HHS Warns of HIPAA Email Phishing Scam

The U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) recently warned covered entities and their business associates about an email that disguises itself as an official communication from HHS. The message, of a type commonly known as a phishing email, prompts recipients to click a link regarding their possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program, and directs them to a nongovernmental website marketing a firm's cyber security services.

The phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at www.hhs-gov.us. This is a subtle difference from the official email address for the HIPAA audit program, OSOCRAudit[at]hhs[dot]gov. Such deviousness is typical in phishing scams.
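The difference between the two domains can be checked mechanically on inbound mail. The following Python is an added example, not part of the original notice or of any HHS tooling; it classifies a From header against the official domain hhs.gov, and the function names and sample headers are constructed for illustration.

```python
from email.utils import parseaddr

OFFICIAL_DOMAIN = "hhs.gov"  # official audit-program domain named in the notice


def sender_domain(from_header):
    """Return the lower-cased domain of the real address in a From header."""
    # parseaddr separates the display name from the address, so a display
    # name that merely *shows* an official-looking address is ignored.
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")


def _squash(domain):
    """Drop dots and hyphens so 'hhs-gov.us' and 'hhs.gov' become comparable."""
    return domain.replace("-", "").replace(".", "")


def classify_sender(from_header, official=OFFICIAL_DOMAIN):
    """Classify a From header as official, lookalike, other or unparseable."""
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    # Exact match, or a genuine subdomain of the official domain.
    if domain == official or domain.endswith("." + official):
        return "official"
    # The official name embedded in some other registrable domain, e.g. with
    # the dot swapped for a hyphen or used as a prefix label.
    if _squash(official) in _squash(domain):
        return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed sample headers; the first two addresses come from the notice.
    samples = [
        "OSOCRAudit@hhs-gov.us",
        "OSOCRAudit@hhs.gov",
        '"OSOCRAudit@hhs.gov" <audit@hhs-gov.us>',
        "HHS Audit <audit@hhs.gov.example.com>",
        "newsletter@example.org",
    ]
    for header in samples:
        print(f"{classify_sender(header):12} {header}")
```

A result of "official" only means the header names the right domain; whether the message really came from that domain is a separate question answered by SPF, DKIM and DMARC results.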

In no way is the firm associated with HHS or OCR. In the event that you or your organization have a question about the legitimacy of an apparently official communication from the agency regarding a HIPAA audit, please contact OCR via email at OSOCRAudit[at]hhs[dot]gov.

You can take steps to protect your practice from security and technology risks. Visit TMA's Ransomware and Cyber Security Resource Center for more information. 

Action, Dec. 15, 2016

Last Updated On: December 16, 2016
