Phishing Email Alert
Recently, a phishing email disguised as an OCR Audit Communication was circulated, targeting employees of HIPAA Covered Entities and Business Associates. Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
Phishing is typically carried out by email or instant messaging, and it often directs users to enter personal information at a fake website whose look and feel are almost identical to the legitimate one. Communications purporting to be from social web sites, auction sites, banks, online payment processors or IT administrators are often used to lure victims. Additionally, phishing emails may contain links to websites that are infected with malware.
OCR’s most recent phishing concern is that the letterhead of the HHS Office for Civil Rights was used along with the signature of OCR’s director, Jocelyn Samuels. OCR released a statement saying the email appears to be an official government communication. The email specifically prompts recipients to click a link regarding their possible inclusion in HIPAA audit programs. The link then directs those who click it to a non-governmental website that markets cybersecurity services unaffiliated with HHS or OCR. OCR states that this use was unauthorized and advises anyone with questions about an audit communication from OCR to contact it by email at OSOCRAudit@hhs.gov.
Phishing attacks can be very costly to a Covered Entity or Business Associate because of the malware potential and the loss of company security and reputation. With the ever-changing landscape of the internet, Covered Entities and Business Associates must be vigilant in their cybersecurity so that a HIPAA incident does not occur. A best practice to mitigate phishing attempts is to contact the entity directly about an unexpected email to verify that it is legitimate, or to verify that the web and/or email address is valid for the entity before entering any information.
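
The address check described above can be partly automated. The following is an added example, not part of the original alert or any OCR tooling: it flags a sender address or link whose host falls outside the expected domain. It assumes `hhs.gov` as that domain (taken from the contact address above); the sample message and its `.example` hosts are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the expected domain is taken from the OSOCRAudit@hhs.gov
# contact address given in this alert.
EXPECTED_DOMAIN = "hhs.gov"

# Constructed sample message; the .example hosts are made up for illustration.
SAMPLE = """\
From: "OCR Audit" <OSOCRAudit@hhs-gov.example>
To: staff@clinic.example
Subject: HIPAA Audit Program

Review your possible inclusion in the audit program:
https://www.hhs.gov.audit-notice.example/ocr
General information: https://www.hhs.gov/
"""

def in_domain(host, domain=EXPECTED_DOMAIN):
    """True only when host is the domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def audit_email(raw, domain=EXPECTED_DOMAIN):
    """Return (kind, host) pairs for every sender or link host outside domain.

    An empty result is not proof of legitimacy: the From header can be forged,
    so this flags mismatches and does not replace contacting the entity.
    """
    msg = message_from_string(raw)
    findings = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not in_domain(sender_host, domain):
        findings.append(("sender", sender_host))
    # urlsplit() takes the host from after any "user@" part and ignores the
    # path, so a trusted name placed in either spot does not pass the check.
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        host = (urlsplit(url).hostname or "").lower()
        if not in_domain(host, domain):
            findings.append(("link", host))
    return findings

if __name__ == "__main__":
    for kind, host in audit_email(SAMPLE):
        print(f"{kind} is outside {EXPECTED_DOMAIN}: {host}")
```

The comparison is made on the whole host name with a leading dot, so a host that merely contains or ends with the letters of the expected domain is still flagged.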