What’s worse than receiving an email indicating that you have been selected for an audit by your favorite government regulator? Clicking on a link in the email and discovering that it is a phishing attack that has just compromised your computer and your network. HIPAA covered entities and their business associates should beware of potential phishing attacks that appear to be official messages from the Office for Civil Rights of the Department of Health and Human Services (“OCR”).

Recently, OCR warned entities of an apparent phishing email that has been sent out with seemingly official letterhead and carrying OCR Director Jocelyn Samuels’ signature.  This email claims to be associated with OCR’s HIPAA Privacy, Security, and Breach Audit Program and prompts recipients to click a link, disguised to appear to be part of the audit program, but which instead directs the recipient to a website marketing a firm’s cybersecurity services.  Although that firm does not appear to have malicious intent behind its email, the firm is not in any way affiliated with OCR, and the email highlights a potential danger with the HIPAA audit program’s use of email for official communications.

During the first phase of the HIPAA audits, many a hard copy OCR letter wound up being sent to the wrong mailboxes or wrong persons within an organization, generally because OCR used the contact information it had on file, which may have become outdated.  OCR sought to remedy this problem by using email to verify contact information.  And OCR continued to use email for its other audit communications as well.  This use of email has raised concerns of phishing attempts since its announcement.  Although it appears that, in this instance, the emails were simply part of a marketing ploy, other entities or individuals may use similar tactics in the future to improperly gain access to a recipient’s information and network.

OCR cautions that all official correspondence for the HIPAA audit program comes from “OSOCRAudit@hhs.gov” and that the correct URL for OCR is “http://www.hhs.gov/”.  The phishing email, by contrast, originated from the deceptively close email address “OSOCRAudit@hhs-gov.us” and directed users to the URL “http://www.hhs-gov.us”.  Therefore, before clicking on any links, recipients of emails claiming to be from OCR regarding the HIPAA audit program should first confirm that:

  • the correct originating email address is used,
  • any clickable links go to trustworthy URLs,
  • the timing of the email is consistent with OCR’s announcements on the timing of the audit program, and
  • no questionable spelling mistakes appear in the email.

When in doubt, OCR suggests that recipients direct all questions regarding the veracity of emails to OSOCRAudit@hhs.gov before opening.
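The first two checks in the list above (originating address and link destinations) can be automated at a mail gateway or in a triage script. The following Python is an added example, not part of OCR's guidance or the original post; the sample message is constructed from the addresses quoted above, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Values quoted in the OCR alert above.
OFFICIAL_SENDER = "osocraudit@hhs.gov"
OFFICIAL_DOMAIN = "hhs.gov"

def host_is_official(host):
    """True only for hhs.gov itself or a genuine subdomain of it."""
    host = (host or "").lower().rstrip(".")
    # Requiring the leading dot rejects look-alikes such as hhs-gov.us,
    # which a substring or prefix comparison would let through.
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)

def check_message(raw):
    """Return a list of findings; an empty list means both checks passed."""
    msg = message_from_string(raw)
    findings = []
    # parseaddr separates the display name (free text chosen by the
    # sender) from the address that actually appears in the header.
    _, addr = parseaddr(msg.get("From", ""))
    if addr.lower() != OFFICIAL_SENDER:
        findings.append("sender: " + addr.lower())
    # Compare each link's real destination (href), not the text shown.
    pattern = r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>'
    for href, text in re.findall(pattern, msg.get_payload(), re.I | re.S):
        host = urlsplit(href).hostname
        if not host_is_official(host):
            findings.append("link: %s (shown as %r)" % (host, text.strip()))
    return findings

# Constructed sample modelled on the email described in the alert.
SAMPLE = """\
From: "OCR Audit Program" <OSOCRAudit@hhs-gov.us>
Subject: HIPAA Privacy, Security, and Breach Audit Program
Content-Type: text/html

<p>Confirm your contact information:
<a href="http://www.hhs-gov.us">http://www.hhs.gov/</a></p>
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print(finding)
```

A message that passes both checks is not thereby authentic, because the From header can be forged; the receiving server's SPF, DKIM and DMARC results still need to be consulted.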