A fraudulent HIPAA postcard scam is being sent out, first-class, to healthcare organizations.
It has recently come to light that healthcare organizations have been receiving postcards appearing to be from the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), the enforcement arm for HIPAA. The postcard, addressed as “ATTN: HIPAA Compliance Officer,” directs recipients to call, email, or visit a website in regards to a mandatory security risk assessment. Further details on the false HIPAA OCR communication are discussed below.
Fraudulent HIPAA Communication: What Does the Postcard Contain?
The fraudulent HIPAA enforcement (OCR) postcard sent to healthcare providers seems to be coming from the Secretary of Compliance of the HIPAA Compliance Division. The problem is, there is no such entity. In addition, the fraudulent HIPAA postcard has a return address that, upon further investigation, belongs to a UPS store in Washington DC, although the postcard was actually postmarked in California. The OCR warned recipients, “Though the postage is marked first class, the mailer’s intent is not. In fact, it is another low-class act by scammers.”
The fraudulent HIPAA postcard looks like this:
What Happens When Recipients Visit the Listed Site?
The postcard from the fraudulent HIPAA communication lists a website that recipients can visit to complete their required security risk assessment. When recipients visit the listed site, the link does not direct users to a government website. It does, however, direct to a consulting service’s website. The fraudulent OCR postcard is not an OCR communication, but rather a sales attempt. What the consulting service likely failed to realize is that not only is impersonating a government entity unethical, it is also illegal.
What Actions Should Postcard Recipients Take?
Any entity posing as a government agency should be reported to the FBI. Reporting these fraudulent OCR communication incidents prevents further false communications from being sent in the future, thus preventing more organizations from being victimized by illegal business practices.