Cyber criminals are going back to basics by targeting healthcare organizations via post. This is the latest in a string of inventive attack methods leveraged throughout the Covid-19 pandemic.
A recent warning from the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) flagged this new tactic, in which victims receive a postcard via physical mail claiming to be from HHS/OCR. Recipients are informed that they must participate in a “Required Security Risk Assessment” and are directed to send their assessment to “hsaudit.org”—a fraudulent link that takes them to a non-governmental “marketing consulting” website.
Umbrella would like to inform all clients of this latest threat, and emphasize that this communication is not associated with HHS/OCR and should be ignored. Please alert your workforce to prevent any damage and to remain in compliance with HIPAA regulations.
As healthcare organizations continue to be targeted, you must remain vigilant for fraudulent websites or senders. Remind your practice administrator or security officer that hackers have used email, phone calls, SMS messages, and now direct mail to trick users.
The addresses for OCR’s HQ and Regional Offices are available on the OCR website at https://www.hhs.gov/ocr/about-us/contact-us/index.html, and any official OCR address or email address will end in “@hhs.gov”.
If you have any concerns, please don’t hesitate to contact us, and if you believe you have been targeted by someone posing as federal law enforcement, we can help you report the incident to the Federal Bureau of Investigation.