For anyone receiving an email claiming they are being audited by the Office for Civil Rights (OCR), you may want to check with them directly, because it might be a phishing attack.
On November 28, the OCR sent out an email on their listserv stating that a phishing email that looks like an official OCR audit communication is being sent to many Covered Entities and Business Associates.
The email suggests that the recipient will be included in a HIPAA audit and asks the recipient to click the link for more information. However, the link sends the recipient to an external website set up solely for the purposes of selling cybersecurity services by a business.
The OCR states that this business is not affiliated with them, and wants Covered Entities and Business Associates to be aware and to be prepared for such an email. It’s important to note that the OCR does not associate with or back any HIPAA service providers, so if a company says the HHS or OCR backs their services, they’re lying to you. The OCR also reminded people that if they ever have any questions about an email they’ve received from the OCR, they should contact the OCR directly at OSOCRAudit@hhs.gov.
The OCR also clarified that the phishing email is coming from the address OSOCRAudit@hhs-gov.us, which is extremely close to the official email address.
This highlights the need to be wary of all emails that have an external link. Always check to be sure the link is taking you to the proper website. If you are unsure of how to do that, simply contact the sender directly through a separate email to an address you found on their website or already have through your business interactions.
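As an added illustration (not part of the original notice), the Python check below applies the advice above in code: it compares the sender's domain and the hostname of every link against the legitimate hhs.gov domain and flags addresses that collapse to the same letters once dots and hyphens are removed, which is exactly how hhs-gov.us imitates hhs.gov. The trusted domain and the spoofed domain come from the notice; the two sample messages are constructed, and the two-label shortcut for the registrable domain is an assumption that a production check would replace with the Public Suffix List.

```python
"""Flag e-mail senders and links whose domain imitates a trusted one.

Added example: the trusted domain (hhs.gov) and the spoofed domain
(hhs-gov.us) are taken from the OCR notice; the sample messages below
are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Domain used by the legitimate OCR audit mailbox (OSOCRAudit@hhs.gov).
TRUSTED_DOMAINS = {"hhs.gov"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
FROM_RE = re.compile(r"^From:\s*(?:.*<)?([^<>\s]+@[^<>\s]+)>?", re.M | re.I)


def host_of_address(address: str) -> str:
    """Domain part of an e-mail address, lower-cased ('a@B.c' -> 'b.c')."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def host_of_url(url: str) -> str:
    """Hostname of a URL, lower-cased, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of a host ('www.hhs.gov' -> 'hhs.gov').
    Assumption: adequate for .gov/.us/.com; use the Public Suffix List
    for multi-label suffixes such as co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _collapse(name: str) -> str:
    """Remove every separator so 'hhs-gov' and 'hhs.gov' both become 'hhsgov'."""
    return re.sub(r"[.\-_]", "", name)


def _without_tld(domain: str) -> str:
    """'hhs-gov.us' -> 'hhs-gov'."""
    labels = domain.split(".")
    return ".".join(labels[:-1]) if len(labels) >= 2 else domain


def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname."""
    if not host:
        return "unknown"
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # hhs-gov.us: the trusted name with its dot turned into a hyphen
        # and a different top-level domain appended.
        if _collapse(reg) == _collapse(trusted):
            return "lookalike"
        if _collapse(_without_tld(reg)) == _collapse(trusted):
            return "lookalike"
        # hhs.gov.something.example: trusted name used as a subdomain.
        if trusted in host:
            return "lookalike"
    return "unknown"


def review_message(raw: str) -> dict:
    """Classify the From: address and every link in a raw message.

    Returns {'from': (address, verdict), 'links': [(url, verdict), ...],
             'suspicious': True if any verdict is 'lookalike'}.
    """
    match = FROM_RE.search(raw)
    sender = match.group(1) if match else ""
    links = [u.rstrip(".,);") for u in URL_RE.findall(raw)]
    from_verdict = classify_host(host_of_address(sender)) if sender else "unknown"
    link_verdicts = [(u, classify_host(host_of_url(u))) for u in links]
    verdicts = [from_verdict] + [v for _, v in link_verdicts]
    return {
        "from": (sender, from_verdict),
        "links": link_verdicts,
        "suspicious": any(v == "lookalike" for v in verdicts),
    }


# Constructed sample: the pattern the notice describes.
SAMPLE_PHISH = """\
From: OCR Audit Notice <OSOCRAudit@hhs-gov.us>
Subject: HIPAA audit notification

You have been selected for a HIPAA audit. Details:
https://hhs-gov.us/audit/details
"""

# Constructed sample: mail from the legitimate mailbox linking to hhs.gov.
SAMPLE_LEGIT = """\
From: OSOCRAudit@hhs.gov
Subject: Re: your question

See https://www.hhs.gov/ocr/ for the published guidance.
"""

if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, review_message(msg))
```

The verdicts are meant for a human reviewer, not for automatic blocking: an "unknown" link is normal in legitimate mail, while a "lookalike" on either the sender or a link is the cue to contact the sender through an address you already have, as the notice recommends.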
Sign up with HIPAAgps today to learn more about some of the nefarious ways people try to get into your networks. If you would like to see the original email, please contact us at firstname.lastname@example.org and someone will send it to you directly.