In the past few weeks, the government issued alerts and guidance on two noteworthy topics involving data security issues: phishing and ransomware – discussed below:

  • Don’t Get Phished: OCR Warns of Phishing Scheme Targeting HIPAA Covered Entities & Business Associates

As previously reported in the March 21, 2016 and July 12, 2016 Blog Posts, the 2016 HIPAA Audit Season has been underway for the better part of this past year. As stated on its website, “OCR uses the audit program to assess the HIPAA compliance efforts of a range of entities covered by HIPAA regulations.” The OCR intends to use the audits as a proactive measure, in conjunction with its ongoing complaint investigations and compliance reviews, to identify problems before they result in breaches. On July 12, 2016, the OCR sent emails to 167 Covered Entities, including health plans, healthcare providers, and healthcare clearinghouses, advising that they would be subject to desk audits.

On November 28, 2016, the U.S. Department of Health and Human Services (“HHS”) issued an Alert advising that a phishing email is being circulated on what appears to be HHS Departmental letterhead under the signature of OCR’s Director, Jocelyn Samuels. According to the Alert, this email appears to be an official government communication, and targets employees of HIPAA covered entities and their business associates.

The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services which is not associated with HHS or the OCR.

As in the case of any possible phishing email, HHS reminds the public that if you or your organization have any questions about whether the communication about a HIPAA audit is legitimate, you should contact the agency directly via email at

This advice applies to any suspicious email communication you or your organization may receive. It also serves as a reminder to review your policies and procedures and training materials to ensure that your employees do not fall for the phishing bait and expose your organization to intrusions.

  • FTC Joins the Chorus on Responding to Ransomware

In August 2016, the Office of Civil Rights (“OCR”) issued a Fact Sheet: Ransomware and HIPAA, which was followed by a U.S. Government Interagency Report entitled “How to Protect Your Organizations from Ransomware”. These materials provided “best practices and mitigation strategies focused on the prevention and response to ransomware incidents.”

In early September 2016, the Federal Trade Commission (“FTC”) announced that it too would offer guidance on how to protect against ransomware and would take action against those that failed to protect consumer’s personal data.

Fulfilling its promises, on November 10, 2016, the FTC issued advice on how to defend against ransomware. This follows the FTC’s session on ransomware that is part of its Fall Technology Series. The FTC noted an uptick in ransomware attacks and that 91% of these attacks come from phishing emails. The FTC also provided guidance on the answer to the question that everyone has: do you pay the ransom? Following the advice of law enforcement, the FTC advises not to pay the ransom, but notes that the decision to pay is a business decision. It does caution that the payment of the ransom may signal to the hackers that the business does not have a back-up or other access to the hacked data and therefore may increase its ransom demand.