OCR Warns of Fake HIPAA Audit Emails'Phishing' Allegedly Related to a Marketing Campaign
The Department of Health and Human Services has issued a warning to healthcare sector organizations about a phishing email campaign that pretends to be HIPAA compliance audit communications from HHS' Office for Civil Rights.
In a Nov. 28 email alert, OCR says that its officials have been made aware that a phishing email is being circulated on "mock" HHS departmental letterhead under the signature of OCR Director Jocelyn Samuels. The fake email appears to be an official government communication, and targets employees of HIPAA-covered entities and their business associates, Samuels says in the OCR alert.
The phishing email prompts recipients to click a link regarding possible inclusion in the HIPAA privacy, security, and breach notification rules compliance audit program, which is currently underway by OCR.
No Hackers Involved?
However, unlike most phishing emails that are often sent by potential hackers seeking a way to access the recipients' IT systems and network, OCR says the phishing email appears to be have been sent as part of a marketing scheme by a security services firm.
"The link directs individuals to a non-governmental website marketing a firm's cybersecurity services," OCR notes in its alert. "In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights," Samuel says in the alert. "We take the unauthorized use of this material by this firm very seriously."
An OCR spokeswoman declined to comment further to Information Security Media Group on the situation prompting the agency's alert, including declining to identify the security firm that sent out the allegedly misleading email or whether OCR or another government agency will take enforcement action against the firm.
The spokeswoman did explain, however, "that official communications regarding the HIPAA audit program are sent to selected auditees from the email address 'OSOCRAudit@hhs.gov.'"
In further clarification issued by OCR on Nov. 30, the agency explains that the "phishing email originates from the email address 'OSOCRAudit@hhs-gov.us' and directs individuals to a URL at 'http://www.hhs-gov.us'. This is a subtle difference from the official email address for our HIPAA audit program, 'OSOCRAudit@hhs.gov,' but such subtlety is typical in phishing scams."
OCR also reminds organizations that in the event they have a question as to whether they have received an official communication from the agency regarding a HIPAA audit, covered entities and business associates should contact OCR at the agency's official audit email address, OSOCRAudit@hhs.gov.
During OCR's "phase-two" audits currently underway, the agency is remotely assessing HIPAA compliance of 167 covered entities and between 40 and 50 business associates.
Those remote "desk audits" will be followed by an undisclosed number of on-site audits of randomly chosen covered entities and business associates in the first quarter of 2017, OCR officials have said.
In total, OCR plans to complete a total of about 250 desk and on-site audits. These phase-two audits follow 115 audits that OCR conducted in 2011 and 2012 during the launch of its phase-one, or pilot, audit program.
Some privacy and security experts say that due to the way OCR actually is notifying and confirming contact information for organizations chosen for HIPAA compliance audits - through email communication - the stage has been unfortunately set for potential phishing campaigns by fraudsters.
"OCR's decision to contact covered entities and business associates via email and confirm contact information has pros and cons," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"In phase one of the audits, OCR sent letters via hard copy to the address they had on file, with the result that letters often sat in the wrong person's mailbox for long stretches of time," he notes. "The use of email to verify contact information minimizes that risk. But there have been concerns from the start that the use of email could lead to phishing attempts such as this," he says.
Privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek, says that OCR's decision to send out its audit communication by email was intended to optimize productivity. "In this era of scarce government resources and heightened oversight pushing agencies to do more with less, you can't really fault OCR for using electronic correspondence to covered entities and business associates as part of the HIPAA audit program," he says.
"While it is important for HIPAA covered entities and business associates to monitor for receipt for communications from OCR, it's good practice to carefully scrutinize any email claiming to be from any government office to ensure it is legitimate."
Be on the Lookout
Greene also suggests that all healthcare-sector organizations be on the lookout for suspicious communications purportedly sent from HHS, but especially emails related to audits.
"First, double-check the URLs before clicking on them," he says. "In this case, if you hover over - without clicking - the links in the email, the URLs that appear do not go to an 'hhs.gov' domain. It's also helpful to look for suspicious discrepancies," he says. For example, the emails in this phishing exercise purporting to be from "@hhs-gov.us" rather than "@hhs.gov," he notes.
"But you cannot rely on other phishing attempts having similar mistakes," he warns. "Accordingly, checking the URL may be the best defense. If you have any doubt, such as because of the URL, a spelling mistake, or timing that's inconsistent with OCR's announced schedule for the audit program, contact OCR to confirm authenticity before opening."
Some experts note that OCR isn't the first government agency to be the purported sender in mock email schemes. "There is a long sad history of scammers pretending to be government officials," Holtzman notes. "These imposters have employed a variety of tactics using postal mail, telephone calls, faxes and emails, most often to get the unsuspecting to send money." The Federal Trade Commission has advice on spotting, beating and reporting scams involving government imposters, he adds.
Privacy attorney Kirk Nahra of the law firm Wiley Rein notes that the sky is the limit on what fraudsters are willing to do.
"There are phishing scams in connection with anything that a person reasonably could expect to see," he notes. "That's the point - you open something you are expecting. The IRS has had these issues for years - some of theirs even involve phone calls and more aggressive tactics," he says.
"Usually, a little digging can tell you if it is legitimate. The problems happen when people respond without doing any checking," Nahra adds. "Since you will only be getting - at most - one OCR email [for a real audit notification], it is pretty easy to check."