On November 28, 2016, the Office for Civil Rights (OCR) issued an Alert to its listservs that a phishing email is being circulated on “mock HHS Departmental letterhead under the signature of OCR”s Director, Jocelyn Samuels” to employees of HIPAA covered entities and business associates.

The email looks official and tells the recipient that it is the subject of the new HIPAA Audit Program and to click on a link in the email. The link goes to a “non-governmental website marketing a firm’s cybersecurity services.”

The OCR is warning covered entities and business associates that the cybersecurity firm that sent the phishing email is not associate with the OCR and that it is taking the matter “very seriously.”

If any of your employees have received the fake email, or has a question about whether a communication about a HIPAA audit is actually from the OCR, you should contact the OCR by email at OSOCRAudit@hhs.gov.

Impersonating a federal enforcement agency as a marketing strategy might be worth reconsideration for that cybersecurity firm.