As we reported earlier this week, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights described a phishing campaign that is attempting to convince recipients of their inclusion in OCR’s Phase 2 audit program. The email, which was disguised as an official communication, suggests that recipients click on a link. This link takes recipients to a non-governmental website marketing cybersecurity services.

On Wednesday, OCR followed up its alert with additional details about the phishing campaign. According to OCR, the phishing email originates from the email address [email protected] and directs individuals to a URL at http://www.hhs-gov.us. OCR points out the subtle difference from the official email address for its HIPAA audit program, [email protected], noting that such subtlety is typical in phishing scams.
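The check below is an added example, not part of OCR's alert or of this post: it classifies a sender address or link host as official, lookalike or unrelated relative to a trusted domain, which is how a mail filter could catch the hyphen-for-dot substitution described above. It assumes the official domain is hhs.gov; `host_of` and `classify` are illustrative names, and every sample input other than the URL quoted above is constructed.

```python
import re
from urllib.parse import urlsplit

TRUSTED = "hhs.gov"  # assumption: the official HHS domain


def host_of(value):
    """Return the lowercase host from a URL, an email address or a bare host."""
    value = value.strip().lower()
    if "://" in value:
        # urlsplit drops any userinfo, port and path around the host
        return (urlsplit(value).hostname or "").rstrip(".")
    if "@" in value:
        value = value.rsplit("@", 1)[1]
    return value.rstrip(".")


def classify(value, trusted=TRUSTED):
    """Classify a host as 'official', 'lookalike', 'unrelated' or 'invalid'."""
    host = host_of(value)
    if not host:
        return "invalid"
    # Official only on an exact match or a true subdomain (label boundary),
    # so "nothhs.gov" does not pass a naive endswith("hhs.gov") test.
    if host == trusted or host.endswith("." + trusted):
        return "official"
    # Strip separators so "hhs-gov.us" and "hhs.gov.example.net" both expose
    # the trusted name hidden inside a different registrable domain.
    squashed = re.sub(r"[^a-z0-9]", "", host)
    needle = re.sub(r"[^a-z0-9]", "", trusted)
    return "lookalike" if needle in squashed else "unrelated"


if __name__ == "__main__":
    samples = [
        "http://www.hhs-gov.us",    # URL quoted in the post
        "notice@mail.hhs.gov",      # constructed
        "https://www.hhs.gov/ocr",  # constructed
        "nothhs.gov",               # constructed
        "hhs.gov.example.net",      # constructed
        "example.org",              # constructed
    ]
    for s in samples:
        print(f"{s:28} {classify(s)}")
```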

OCR also took the opportunity to confirm that it has notified select business associates of their inclusion in the Phase 2 HIPAA audits. For more information about the Phase 2 audit program, please visit our earlier post.