OCR Alert: Phishing Email Disguised as an Official OCR Audit Communication

November 29, 2016 Jana Langhorne

The Department of Health and Human Services, Office for Civil Rights (OCR) recently sent an advisory warning HIPAA covered entities and business associates of a phishing scam that masquerades as notification that their organization has been selected for a compliance audit. The email appears to be legitimate at first glance, as it is on HHS letterhead and includes Director Samuels’ signature. Below is OCR’s notice alerting of the danger and steps to take if you receive this type of email.

“It has come to our attention that a phishing email is being circulated on mock HHS Departmental letterhead under the signature of OCR’s Director, Jocelyn Samuels.  This email appears to be an official government communication, and targets employees of HIPAA covered entities and their business associates.

The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program.  The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services.

In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights.  We take the unauthorized use of this material by this firm very seriously.  In the event that you or your organization has a question as to whether it has received an official communication from our agency regarding a HIPAA audit, please contact us via email at OSOCRAudit@hhs.gov.”

CynergisTek recommends that you practice caution if you receive a similar email. As a reminder, there are several actions you can take to confirm the legitimacy of any email.

  • Does the “from address” actually match the real sender’s address? Sometimes attackers mask the actual sending address in order to appear legitimate from just a passing glance.
  • Is this an urgent message? Attackers know you are more likely to follow a link if it seems urgent or carries a tone of importance. Messages declaring short response timeframes or displaying symbols of authority should be treated with greater suspicion.
  • Does your name appear in the message? Spear phish are more work to create, so generic messages sent in large batches are more common. Correspondence of importance rarely comes without legitimate identifying information about you.
  • Is the content properly formatted and written? Many times messages originate from countries where authors might not be familiar with proper English syntax and spelling.
  • Do search engine queries on the sender’s signature line information (phone numbers or address) provide verification? While errors caught by this method only identify poorly researched phish, it is still a method of elimination.
  • Does the link support encryption? Look at the beginning of the link to see if it is encrypted (https://…) before you click it. Few vendors, third parties or internal resources want protected information such as passwords submitted over unencrypted websites.
  • Is the message asking for important information? Treat requests for account details with intense suspicion. Security or administrators often have access to account details and they do not need them from you. Reiterating and underlining, passwords should never be given out.
  • Does the text of the link match the actual link? Hover over links to display the actual intended destination because what appears to be domain.com could be something else entirely.
  • Has the link been shortened? Link shortening services sometimes mask the address of a phishing link. Expand these URLs using web resources (e.g., LongURL.org) if they appear suspicious.
  • Is the message requesting a file download? Attachments with common extensions should be treated with extreme suspicion before clicking them (e.g., .exe, .doc, .xls, .pdf, .zip, etc.).

Want to test your organization’s ability to identify a phishing email? Learn more about the social engineering and phishing assessments we offer.

Previous Video
What's HIM's Role in HIPAA Privacy and Security?
What's HIM's Role in HIPAA Privacy and Security?

While at AHIMA 2016, Healthcare Scene talked with Mac McMillan, CEO and Co-Founder of CynergisTek, about th...

Next Article
UMass HIPAA Settlement is a Clarion Call to Colleges and Universities
UMass HIPAA Settlement is a Clarion Call to Colleges and Universities

The University of Massachusetts at Amherst (UMass) agreed to a settlement with the Office for Civil Rights ...