The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has just issued an alert of a phishing email disguised as an official OCR audit communication. The OCR announced that a phishing scam is using HHS letterhead under the signature of OCR’s Director, Jocelyn Samuels. And this email meant to look like official OCR Audit communication.
According to OCR’s announcement, the email is targeting employees of HIPAA covered entities and their business associates. The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. And the link directs individuals to a non-governmental website marketing a firm’s cybersecurity services. This is just the latest of many high profile phishing scams that have been targeting the healthcare industry. These phishing attacks are the entry point for hacks like malware and ransomware. In the beginning of 2016 it was reported that 88% of all ransomware attacks were targeting healthcare providers. Phishing scams remain one of the top ways email gets hacked, because it targets the weakest link in any cybersecurity plan – people. This further emphasizes the need for covered entities and business associates to have strong procedures in place to help educate staff on phishing emails and other security risks. Risks can further be mitigated by implementing email filtering applications to protect inboxes, like that included in Paubox’s HIPAA compliant email solutions. The OCR encouraged organizations contact them if there is any question on the authenticity of official communication from the agency regarding HIPAA audits. Inquiries should be directed to the OCR via email at OSOCRAudit@hhs.gov.
SEE RELATED: New Information Regarding HHS Phishing Email Scam