Rather than a typical phishing campaign run by criminals, one IT security firm based in Miami, Florida is posing as HHS as part of its marketing efforts. Emails sent from the account appear to use legitimate HHS letterhead and conclude with a fraudulent use of OCR Director Jocelyn Samuels’ signature.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has responded to this unlawful conduct with a statement telling health care officials not to follow any of the links in the email.
“The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services,” OCR notes in its announcement. “In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights,” said Samuels. “We take the unauthorized use of this material by this firm very seriously.”
If you or a member of your organization receives an email or call from an entity claiming that you need to have a:
“Mandatory HIPAA Risk Assessment Review with a Certified HIPAA Compliance Adviser”
Be advised that this is not a legitimate notice from any federal or state regulatory agency. You should not feel obligated to provide or share any information with these organizations if you receive such a notice. There is no certifying body for HIPAA compliance run by any federal or private entity; any organization that claims otherwise is using misleading or fraudulent language.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) will only contact you directly via a certified letter or email.
These fraudulent emails are being sent from ‘OSOCRAudit@hhs-gov.us’, while a legitimate OCR email will be sent from ‘OSOCRAudit@hhs.gov’. The distinction is subtle, but that is characteristic of scams such as these.
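The sender check described above, written out as an added example (not code from the article or from OCR): it pulls the domain out of a From: header value, accepts only hhs.gov and its real subdomains, and flags lookalike domains such as hhs-gov.us. The function names and the sample header values are constructed for this example.

```python
import re
from email.utils import parseaddr

# The legitimate OCR sender domain named in the article; anything else is suspect.
LEGITIMATE_DOMAIN = "hhs.gov"


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header value."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_legitimate_domain(domain: str) -> bool:
    """True only for hhs.gov itself or a real subdomain such as ocr.hhs.gov.

    A bare endswith("hhs.gov") would also accept 'fakehhs.gov', so the
    subdomain test requires the separating dot.
    """
    return domain == LEGITIMATE_DOMAIN or domain.endswith("." + LEGITIMATE_DOMAIN)


def looks_like_impersonation(domain: str) -> bool:
    """Flag domains that embed the legitimate name with extra separators or a
    different suffix, e.g. hhs-gov.us or hhs.gov.example (constructed names)."""
    if is_legitimate_domain(domain):
        return False
    stripped = re.sub(r"[^a-z0-9]", "", domain)  # hhs-gov.us -> hhsgovus
    return "hhsgov" in stripped


def classify_sender(from_header: str) -> str:
    """Triage label for a From: header: legitimate, lookalike, external or unparseable."""
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    if is_legitimate_domain(domain):
        return "legitimate"
    if looks_like_impersonation(domain):
        return "lookalike"
    return "external"


if __name__ == "__main__":
    for header in ("OSOCRAudit@hhs.gov", "OCR Audit <OSOCRAudit@hhs-gov.us>"):
        print(header, "->", classify_sender(header))
```

This only triages the visible From: domain; because that header can be forged outright, a mail gateway should still verify SPF/DKIM/DMARC before treating a message as genuinely from hhs.gov.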
This kind of fraud is a growing trend among some security and compliance companies in the health care space. Knowing what a legitimate OCR contact looks like can protect you and your organization from being scammed.