ALERT: Phishing Email Disguised as Official HIPAA OCR Audit Communication

By Jim Martin, Vice President of Security and Compliance

HHS reports a phishing email is being circulated using a mock HHS Department letterhead. The phishing email appears very official, and bears the signature of the Office of Civil Rights (OCR) Director, Jocelyn Samuels.

The attackers are targeting employees of HIPAA-covered entities and their business associates.  Since OCR is the HHS office managing HIPAA audits, these privacy-sensitive professionals are likely to open such an email. 

The email asks the recipient to click a link that claims to provide information about possible inclusion in the “HIPAA Privacy, Security and Breach Rules Audit Program.”  Once clicked, the link directs individuals to a non-government website marketing a specific private sector firm’s cybersecurity services. HHS has not authorized any such use and is taking the unauthorized use of this material by this firm very seriously.

The quality demonstrated in this phishing attack provides an example that others may use, providing an attachment with a link to a virus, a web page with hostile code or simply providing a form for the recipient to complete “for the audit” to provide an attacker more information for social engineering. 

Risk Assessment 
We rate this potential threat as High to Maestro Health™, our employees and partners. This can easily be reduced to a Low risk with prompt education and awareness.  Please share this with your organization and help get the word out to all individuals that may be affected.

What You Should Do:

·      Should you or your organization have a question as to whether you have received an official communication from Maestro Health,. please contact your Maestro Health relationship manager directly.

·      Should you have a question about whether you have received an official communication from HHS, or OCR regarding a HIPAA audit, please contact HHS via email at

·      For more information regarding the HIPAA Privacy, Security and Breach Rules Audit Program please visit:

·      Sign up to receive HHS Privacy and Security alerts directly from HHS, which we highly recommend at