The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued an alert this week warning of an email scam currently targeting employees of HIPAA-covered entities. The bogus emails appear very similar to an actual sample letter posted by OCR related to its legitimate HIPAA Privacy, Security and Breach Notification Audit Program (HIPAA Audit Program), except the fake emails prompt recipients to click a phony link to an unrelated website that markets cybersecurity services. The firm is not related to HHS or OCR, and those agencies recommend you contact them directly to determine if they sent any official correspondence to your company.
First, let's all acknowledge the tragic irony of exposing HIPAA-protected information because of phony HIPAA Audit Program correspondence. It is, however, a pretty common strategy. Most of these scams attempt to scare users so they will hastily click a malicious link. For example, say you get a message that appears to be from your bank that reads, "We recently closed your account per your request. If this is incorrect, click here."
"WAIT A MINUTE?!" you may think. "I didn't close my account. I should click here and get this straightened out right away. Ok, I see all I need to do to clear up this matter is enter my social security number, my birthday, my mother's maiden name, my favorite pet's name, and the model of my first car...seems reasonable."
GOTCHA!
Once you click on the bad link or enter your sensitive information into a malicious website, your entire network is susceptible to viruses, ransomware and other forms of hacking.
This scam is particularly tricky because it copies legitimate correspondence from OCR that also contains links. To be clear, I would not click on those links, either. Instead, you can verify the correspondence by going to the OCR website manually and using contact information obtained independently of any links in the questionable email message.
If you retain nothing else from this article, remember this: do not click on any links in any email message. If you must, then only click on verified links in expected messages from trusted sources.
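For teams that want to screen incoming mail before anyone is tempted to click, here is an added example (not from the original post) that pulls every link out of an HTML email body and flags the two signs of this scam: a destination outside the domain the notice claims to come from, and link text that names one domain while the href points at another. It assumes, for the sake of the example, that genuine HIPAA Audit Program notices link only to hhs.gov; the sample email and the domain hhs-audit-notice.example are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (not stated on the page): genuine HIPAA Audit Program notices link only to hhs.gov.
TRUSTED_DOMAINS = ("hhs.gov",)

def host_is_trusted(host):
    """True for hhs.gov itself and any subdomain; 'hhs.gov.evil.example' does not pass."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html_body):
    """Return [(href, [reasons])] for links that should be verified out-of-band, not clicked."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if not host_is_trusted(host):
            reasons.append("destination host %r is not a trusted domain" % host)
        shown = re.search(r"[\w-]+(?:\.[\w-]+)+", text.lower())  # a domain written in the link text
        if shown and shown.group(0) != host:
            reasons.append("link text shows %r but points to %r" % (shown.group(0), host))
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample mimicking the scam: the text looks like an OCR page, the href does not.
SAMPLE_EMAIL = """<p>Your organization has been selected for the HIPAA Audit Program.</p>
<p>Review the notice at <a href="http://hhs-audit-notice.example/login">www.hhs.gov/ocr/audit</a>
or the program page at <a href="https://www.hhs.gov/hipaa/">HHS website</a>.</p>"""
```

Running `suspicious_links(SAMPLE_EMAIL)` reports only the first link, with both reasons; the genuine hhs.gov link passes. The flagged finding is a cue to verify through the OCR website and contact details looked up independently, exactly as the paragraph above advises.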
If you want more information on how to educate your staff and help protect your company from phishing scams and other security threats, consider the MiraVista on-demand training DME Security: Keep Current Without Breaking the Bank.