Phishing Email Disguised as Official OCR Audit Communication

The U.S. Department of Health and Human Services' (HHS') Office Civil Rights (OCR) has informed the public that a phishing email is being circulated on mock HHS Departmental letterhead under the signature of OCR's Director, Jocelyn Samuels

This email appears to be an official government communication, and targets employees of HIPAA covered entities and their business associates. The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link directs individuals to a non-governmental website marketing a firm's cybersecurity services. In no way is this firm associated with the HHS or OCR.  

The most recent phishing email and website addresses ended with "hhs-gov.us" and should be avoided. Official OCR and HHS communications tend to end with "hhs.gov," such as "OSOCRAudit@hhs.gov" or "http://www.hhs.gov."

If you have any questions as to whether your practice has received an official communication from HHS or OCR regarding a HIPAA audit, please contact us via email at OSOCRAudit@hhs.gov.