The U.S. Department of Health & Human Services (HHS) is warning of an email scam claiming to be notification of a potential HIPAA audit by the department's Office for Civil Rights (OCR). The scam email, which is on fake HHS letterhead and includes the signature of the OCR director, has a Web link that purports to be related to the HIPAA Privacy, Security, and Breach Rules Audit Program. Instead, the link takes readers to a "non-governmental website marketing a firm’s cybersecurity services," HHS said last week.
According to the HHS, the phishing emails have been sent from an "OSCORAudit at hhs-gov dot us" address. Note that the non-HHS email includes 1) a dash between "hhs" and "gov" and 2) ends in ".us."
The official HHS audit email address is OSOCRAudit@hhs.gov, and all legitimate HHS audit emails originate from the hhs.gov email, per the department.
If you have questions about this email scam or HIPAA audits, don't hesitate to contact a Plexus client service team member in Deer Park (847-307-6100), Chicago (312-606-4800), Dallas (972-770-5010) or Oklahoma City (405-840-3033).