Sometimes an alleged HIPAA audit isn't an actual HIPAA audit. Indeed, healthcare organizations and their partners should be on the lookout for phishing emails that allegedly involve HIPAA audits. In reality, the illegitimate emails could be an attempt to steal personal information.
The Office for Civil Rights (OCR), part of the U.S. Department of Health and Human Services (HHS), issued a warning about the phishing attempts on November 28, 2016. At the time the OCR stated:
"It has come to our attention that a phishing email is being circulated on mock HHS Departmental letterhead under the signature of OCR’s Director, Jocelyn Samuels. This email appears to be an official government communication, and targets employees of HIPAA covered entities and their business associates. The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services. In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights. We take the unauthorized use of this material by this firm very seriously."
The OCR goes on to describe specific email addresses and websites that could be cause for concern.
Yes, Real HIPAA Audits Are Increasing
Hackers timed their HIPAA-focused phishing attacks at an opportune moment. The OCR indicated in September 2016 that HIPAA compliance audits of business associates would increase in October 2016.
Organizations such as The Compliancy Group have been helping MSPs and other types of channel partners to safeguard their businesses from HIPAA issues. Still, some organizations within and across the healthcare industry have been caught with their guard down.
Multiple sources say the HIPAA phishing emails circulated again in early December 2016, and some pundits now worry that the attacks will shift from data theft to ransomware attempts. Most of the major IT security and backup providers within the MSP market have been launching products and services to help mitigate the growing ransomware threat.