On November 28, 2016, the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a rare alert warning the public of an email scam masquerading as an official OCR audit communication. The alert addresses an emerging “phishing” scheme that targets employees of HIPAA covered entities and their business associates in an apparent attempt to market non-governmental cybersecurity services. Below we offer some brief guidance about the scheme and tips for what you can do to protect your company.
What the scheme is: “Phishing” emails are designed to steal money, information, or both from their targets. The emails usually appear to come from legitimate enterprises—in this case, OCR—but hyperlinks in the emails direct users to spoofed or fake websites designed to get users to divulge private information. Although the underlying goal of the scammers here is unclear, as a general matter, criminals who obtain such private information often attempt to commit identity theft or to sell the data to interested parties on the internet’s black market.
What to watch out for: An email that appears to come from OCR, under cloned OCR letterhead, that prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The hyperlink directs users to a non-governmental website that markets, ironically, cybersecurity services. OCR’s alert emphasizes that the cybersecurity web page and services are in no way affiliated with HHS or OCR.
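A small defender-side triage check for the indicators above, written for this alert rather than taken from OCR or HHS: it flags a sender whose display name invokes OCR but whose address is not at hhs.gov, and audit-themed links that point anywhere other than an hhs.gov host. The sample message, the example.net hosts and the hhs.gov allow-list are assumptions for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

GOV_DOMAINS = ("hhs.gov",)  # assumption: genuine OCR mail and web traffic uses hhs.gov
LURE_TERMS = ("hipaa", "audit", "office for civil rights")

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []  # href targets of every <a> tag in the body

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def _is_gov(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in GOV_DOMAINS)

def triage(raw_message):
    """Return a list of findings; an empty list means no red flag was seen."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = str(msg["From"] or "")
    domain = parseaddr(sender)[1].rpartition("@")[2]
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    findings = []
    # Red flag 1: the display name invokes OCR but the address is not hhs.gov.
    if "civil rights" in sender.lower() and not _is_gov(domain):
        findings.append(f"sender claims OCR but domain is {domain!r}")
    # Red flag 2: the audit lure links somewhere other than an hhs.gov site.
    collector = _LinkCollector()
    collector.feed(text)
    if any(t in text.lower() for t in LURE_TERMS):
        for url in collector.hrefs:
            host = urlparse(url).hostname
            if not _is_gov(host):
                findings.append(f"audit lure links to {host!r}, not a .gov site")
    return findings

# Constructed sample mirroring the lure OCR described; not a real email.
SAMPLE = """\
From: "HHS Office for Civil Rights" <ocr-audit@example.net>
Subject: HIPAA Privacy, Security, and Breach Rules Audit Program
Content-Type: text/html

<p><a href="http://cyber-services.example.net/audit">Confirm your HIPAA audit status</a></p>
"""
```

Running `triage(SAMPLE)` returns two findings (spoofed sender, off-government link); a genuine message from OSOCRAudit@hhs.gov linking only to hhs.gov pages returns none.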
What to do now: Inform your employees to be on the lookout for the OCR Phishing Scam email, and remind them to remain wary of these types of emails generally. Also remind employees about any policies in place regarding sharing sensitive information. Set up a point of contact for employees to consult if they are in doubt about what to do, or what information they can share.
What to do if you receive one of these emails: Do not respond to the email. Do not download any files or images in the email. Do not click on any hyperlinks in the email. Add the sender to a blocked senders list and delete the email. If you have any questions as to whether an email is an official agency communication regarding a HIPAA audit, contact OCR at OSOCRAudit@hhs.gov.
What to do if you have responded to one of these emails or accessed hyperlinked material: If an employee has already responded to the OCR Phishing Email or accessed a hyperlink in one of these emails, we suggest you contact experienced legal counsel to aid in determining what information or systems may have been compromised, and what obligations, if any, you may have to notify impacted individuals and/or state or federal entities under various laws.