Private company uses government email address for marketing

The HHS Office for Civil Rights, which enforces the HIPAA privacy and security rules, is warning of a phishing email being sent to healthcare organizations and purporting to come from OCR.

The email has a mock HHS department letterhead under the signature of OCR Director Jocelyn Samuels, and appears to be legitimate. It prompts recipients to click on a link that indicates the recipient may be selected for a HIPAA audit, but the link goes to a private cybersecurity firm marketing its services.


The cybersecurity firm, which OCR is not identifying, has no association with the agency.

“We take the unauthorized use of this material by this firm very seriously,” OCR says in an alert email released to the industry. “In the event that you or your organization has a question as to whether it has received an official communication from our agency regarding a HIPAA audit, please contact us via email at

OCR is unable to comment further on the incident, according to a spokesperson, who notes that official communication of a HIPAA audit also comes from the same email address.
