Healthcare News & Insights

OCR warns hospitals of new fraudulent email scheme

Hospitals may be gearing themselves up for potential HIPAA audits in the coming months. If you receive a message about being selected for an audit, be careful: The feds are warning of a scheme where scammers are trying to trick recipients into thinking they’re receiving official email communications from the Office of Civil Rights (OCR). 

magnified-hippaOCR discussed the basics of the possible “phishing” scheme in a news alert recently posted on its website.

Details of scam

In the scheme, emails were sent to covered entities and their business associates with a mockup of the official letterhead for the Department of Health and Human Services (HHS).

The messages said that the organization may be included in the HIPAA Privacy, Security and Breach Rules audit program, and the recipient must click a link for further information.

However, instead of directing people to the official HHS site for HIPAA audits, the link took users to the website for a third-party cybersecurity firm, which advertised its services to potential customers. OCR said it’s not affiliated with the company in any way, and it doesn’t endorse its services at all.

Because the site’s not endorsed by the feds, there’s no guarantee it’s a safe site for employees to visit. So staff members may inadvertently enter in information hackers could use to gain unauthorized access to networks and files, or at the very least, send employees more unsolicited sales messages.

Watch for right email

To complicate matters, OCR has said that it can notify hospitals via email of pending audits. And depending on your facility’s security settings, these messages may also end up classified as junk or spam. So it’s not wise for staff to simply delete or ignore any emails they receive that mention HIPAA audits.

But, just as with all email messages, verifying who sent the message before responding or clicking any links is essential. According to OCR, the return address for the company sending the fraudulent emails is, which ends in a .us extension. All official communications from OCR will come from, with no additional extensions or characters in the email address.

With that in mind, it’s key to let hospital staff know to be on the lookout for these subtle differences if they receive any emails about HIPAA audits.

It’s common for scammers to use a similar spelling to that of an official website or email address to deceive users and avoid detection. Let employees know that, if they’re unsure whether a message is legitimate, it’s better to double-check with a supervisor than to visit a third-party website that could compromise the hospital’s network.

Subscribe Today

Get the latest and greatest healthcare news and insights delivered to your inbox.

Speak Your Mind