It’s always nice to get a postcard from friends or family who are away on vacation. But this week we learned of a new kind of postcard being sent out with not-so-well wishes. The Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR) issued a warning that fraudulent postcards, carrying false information and instructions, are being mailed to HIPAA Privacy and Security Officers.
These postcards are being sent to healthcare organizations and are disguised as an “official government communication” with instructions to visit a website, call, or respond via email to take immediate action regarding HIPAA requirements. The fake postcard carries a Washington D.C. return address for the office of a “Secretary of Compliance”, a position that does not exist.
Details, including an image of the postcard, can be found on the (legitimate) website of the National Law Review.
Proceed with Caution
We are inundated with information. And with so much coming at us, it is very easy to glance quickly, assume it is safe, and make mistakes unknowingly. Unfortunately, you just can’t do that. There is no other way to say it, and to emphasize it any less would be doing an injustice to your business – and your patients. Cybercriminals will go to ANY lengths to get your data. They have printed up fake government postcards, taken the time to mail them, and now wait for even ONE person to take the bait. That is how valuable this information is. Do not take it lightly and do not think that “it can’t happen to you”.
Here are a few quick steps that you should take each time BEFORE you click or call:
- Review the website. A quick internet search can take you DIRECTLY to the business or government site you are trying to reach, rather than via an unsafe link, but make sure you are visiting the legitimate website. Scammers can duplicate websites and create URLs that are very close to the legitimate site, so always double-check.
- Do you know the person who sent you the communication? Is it their actual email address? In this case, the email would have the @hhs.gov suffix. Is their phone number and/or physical address legitimate? If you aren’t sure, do your research. Identify the legitimate contact details and call the office directly to verify that this was a valid communication – don’t use the number provided!
- If the sender is asking for access or for action that provides a gateway to more information, double- and even triple-check what you are sending and to whom you are sending it.
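As an added illustration of the sender check in the second step (example code written for this republication, not from the original article or from HIPAA Secure Now!), the function below compares the address's domain on label boundaries rather than with a bare string-suffix test; the sample headers are constructed, and every domain other than hhs.gov is hypothetical.

```python
from email.utils import parseaddr

# Added example, not from the original article. The checklist says a genuine
# message "would have the @hhs.gov suffix"; this shows why that has to mean
# the domain hhs.gov (or a subdomain of it), not merely a string ending in it.
LEGITIMATE_DOMAIN = "hhs.gov"


def sender_domain(header_value: str) -> str:
    """Return the lowercase domain from a From: header value such as
    'OCR <someone@hhs.gov>' or a bare address. '' if nothing parses."""
    _display_name, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def is_legitimate_sender(header_value: str, domain: str = LEGITIMATE_DOMAIN) -> bool:
    """True only if the address is on `domain` itself or on a real subdomain.
    Matching on a label boundary ('.' + domain) rejects look-alikes such as
    'fakehhs.gov' that a plain suffix test would accept."""
    found = sender_domain(header_value)
    return found == domain or found.endswith("." + domain)


def naive_suffix_check(header_value: str, domain: str = LEGITIMATE_DOMAIN) -> bool:
    """The tempting but wrong check: does the domain string end with 'hhs.gov'?"""
    return sender_domain(header_value).endswith(domain)


# Constructed sample From: headers for illustration; none are real messages,
# and the look-alike domains are hypothetical.
SAMPLES = [
    "OCR <privacy@hhs.gov>",         # legitimate
    "OCR <privacy@ocr.hhs.gov>",     # legitimate subdomain
    "OCR <privacy@fakehhs.gov>",     # look-alike that passes the naive test
    "OCR <privacy@hhs.gov.example>", # look-alike under another top-level domain
    "OCR <privacy@hhs-gov.com>",     # look-alike with a hyphen
]


def triage(samples=SAMPLES):
    """Map each sample to (naive verdict, boundary-aware verdict)."""
    return {s: (naive_suffix_check(s), is_legitimate_sender(s)) for s in samples}


if __name__ == "__main__":
    for header, (naive, correct) in triage().items():
        print(f"{header:34} naive={naive!s:5} correct={correct}")
```

Only the fakehhs.gov sample separates the two checks, which is exactly the kind of near-miss address the checklist warns about.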
Consider yourself to be the gatekeeper of a treasure. How would you guard that information in the safest way possible? If you still aren’t sure, ask someone to double-check what you have found and do a simple search online to see if anyone else is questioning this potential scam. One simple mistake could be business-ending.
This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now offers annual online subscriptions to help covered entities and business associates keep up with compliance. Learn more here.
HIPAA Secure Now! now offers PHIshMD training for CEs and BAs to help protect your organization from security threats.
Technology safeguards put a virtual wall around your network, but what happens when the bad actors climb over that wall? It’s up to your employees. Over 90% of breaches are caused by human error according to Kaspersky Lab, and if you’re not educating users on HOW to protect your organization in this ever-changing threat landscape, your organization could be next.