The Office for Civil Rights (OCR) announced on Monday, November 28, 2016, that it was a victim of a sneaky phishing episode. OCR published a clarification on Wednesday, November 30, 2016.
The phishing email disguises itself as an official communication from OCR. It directs recipients to a non-governmental website marketing a firm’s cyber security services.
The email letter uses the name and signature of OCR Director Jocelyn Samuels. It is targeting both covered entities (CEs) and business associates (BAs). The most important thing you need to know is that the correct OCR email address is: OSOCRAudit@hhs.gov
This is the only email address OCR will use to communicate with covered entities (CE) and business associates (BA).
The incorrect email address is OSOCRAudit@hhs-gov.us. Note the difference between the two email addresses:
- There is no hyphen in the correct OCR email address,
- Nor does it include the .us ending that appears in the incorrect email address.
The incorrect address directs a CE or BA not to one of the OCR webpages, but to the URL of an outside business.
OCR DOES NOT approve, name, recognize or endorse any outside firm to do OCR’s audit or any other enforcement work.
If you receive one of these emails, or anything similar, I suggest you immediately contact OCR at OSOCRAudit@hhs.gov. I also suggest that you DO NOT test the URL that is not an OCR URL.
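The address comparison described above can be automated when triaging reported mail. The following Python example is an added illustration, not code from OCR or from the original post; the function names and sample From headers are constructed, and it inspects only the address in the From header, which a sender can forge, so it complements SPF/DKIM/DMARC results rather than replacing them.

```python
from email.utils import parseaddr

# From the page: the only address OCR uses to contact CEs and BAs.
LEGIT_ADDRESS = "OSOCRAudit@hhs.gov"


def _squash(domain: str) -> str:
    """Drop '-' and '.' so 'hhs-gov.us' and 'hhs.gov' compare on letters only."""
    return domain.replace("-", "").replace(".", "")


def classify_sender(from_header: str, legit: str = LEGIT_ADDRESS) -> str:
    """Return 'legitimate', 'lookalike' or 'other' for a From header value."""
    _, addr = parseaddr(from_header)  # ignore the display name, keep the address
    local, _, domain = addr.rpartition("@")
    legit_local, _, legit_domain = legit.lower().rpartition("@")
    local, domain = local.lower(), domain.lower().rstrip(".")
    if not local or not domain:
        return "other"
    # Real domain (or a subdomain of it): legitimate only for the exact mailbox.
    if domain == legit_domain or domain.endswith("." + legit_domain):
        exact = domain == legit_domain and local == legit_local
        return "legitimate" if exact else "other"
    # Different domain that reuses the mailbox name, or that embeds the real
    # domain's letters with a hyphen swapped for the dot or an extra suffix.
    if local == legit_local or _squash(legit_domain) in _squash(domain):
        return "lookalike"
    return "other"


# Constructed sample headers for illustration (not taken from real messages).
SAMPLE_HEADERS = [
    "OCR Audit <OSOCRAudit@hhs.gov>",
    "Jocelyn Samuels <OSOCRAudit@hhs-gov.us>",
    "Newsletter <news@example.com>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):<10} {header}")
```
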