While the majority of social engineering and phishing attacks take place via email, social engineering tactics are also used to convince people to part with sensitive information via other communication channels, including the telephone. Once such campaign is now being conducted over the telephone to convince healthcare employees to divulge protected health information (PHI).

An individual claiming to be a HHS’ Office for Civil Rights investigator is calling healthcare providers to obtain the PHI of patients. The scam prompted OCR to issue a warning to healthcare providers over the weekend. The caller provides no information that can be used to verify the legitimacy of the call and an OCR compliant transaction number is not provided.

OCR has recommended healthcare providers and their business associates raise awareness of the scam with the workforce and to provide information on the correct course of action to take if such a call is received.

Healthcare employees should take steps to verify the identity that any caller requesting PHI. If a call from someone claiming to be an OCR investigator, healthcare employees should ask for their email address and ask for the request to be confirmed in writing via email from the OCR investigator’s hhs.gov email account. All OCR staff have an email address ending in @hhv.gov.

If an email is received, checks should be performed to confirm that the message has been sent from an official @hhs.gov email account and that the email address has not been spoofed.

OCR has requested any questions or concerns be directed to OCR via email – OCRMail@hhs.gov – and for any suspected cases of impersonation of OCR staff to be reported to the Federal Bureau of Investigation.

Posted By on Apr 6, 2020