Watch Out for a Fake OCR Audit Phishing Email: HIPAA & HITECH Act Blog by Jonathan P. Tomes

JonTomesOn November 28, the Department of Health and Human Services (“DHHS”) warned that a marketing campaign has been circulating a fake OCR audit phishing email on a mock DHHS departmental letterhead with the signature of the DHHS Office for Civil Rights (“OCR”) Director Jocelyn Samuels. The fake email appears to be an official government communication and targets HIPAA covered entities and business associates,

This email prompts recipients to click a link regarding possible inclusion in the HIPAA privacy, security, and breach notification rules compliance audit program, phase 2 of which is currently underway by OCR.

DHHS apparently does not believe that this attack was seeking information to commit identity theft but rather was a marketing scheme by a security services firm, although it did not identify the company.

DHHS noted, “Official communications regarding the HIPAA audit program are sent to selected auditees from the email address ‘’”

In further clarification issued by OCR on November 30, the agency explained that the “[fake OCR audit phishing email] originates from the email address ‘’ and directs individuals to a URL at ‘’ This is a subtle difference from the official email address for our HIPAA audit program, ‘,’ but such subtlety is typical in phishing scams.”

OCR also reminds organizations that, in the event that they have a question as to whether they have received an official communication from the agency regarding a HIPAA audit, covered entities and business associates should contact OCR at the agency’s official audit email address,

If you get a notification of an audit by DHHS from the official email address, please consider asking us for guidance as to how to respond. We do not charge for this level of queries.

Special thanks and credit to Marianne Kolbasuk McGee for her article “OCR Warns of Fake HIPAA Audit Emails: ‘Phishing’ Allegedly Related to a Marketing Campaign” in the November 29, 2016, issue of govinfosecurity at

seo by: k.c. seo