The federal Office for Civil Rights (OCR) has issued a statement about a recent phishing email that was disguised as an official OCR audit communication.

The email was circulated recently on mock Health and Human Services (HHS) departmental letterhead under the signature of OCR’s director, Jocelyn Samuels. The email appears to be an official government communication and targets employees of HIPAA-covered entities, such as WVU Medicine, and their business associates. 

The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services.

According to the OCR’s statement: “In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights. We take the unauthorized use of this material by this firm very seriously. In the event that you or your organization has a question as to whether it has received an official communication from our agency regarding a HIPAA audit, please contact us via email at”

WVU Medicine Information Technology (IT) reminds employees to always validate the source of emails received.

Cyber criminals are becoming more sophisticated in their phishing email attacks, in this case, posing as a U.S. government agency and using the OCRs director’s name to make the email scam appear to be legitimate.

When reviewing emails always take the time to "think before you click." Informed WVU Medicine employees are the best defense against social engineering attacks.

Please report any suspicious emails to the IT Help Desk.