Don’t Get Caught by Phishing this Holiday Season

November 29, 2016

By Jennifer M. Hart

On November 28, 2016, the Department of Health and Human Services’ Office of Civil Rights (“OCR”) issued an alert concerning a “phishing” email using OCR’s letterhead and Director Jocelyn Samuels’s digital signature. This hyper-realistic email is being sent to covered entities in an effort to con recipients into clicking a link regarding inclusion in an official OCR audit program. Instead, the link takes users to a sign-up page for a cybersecurity firm. While this email appears to be a mere marketing scheme and not a malicious attack, it serves as a critical reminder to all providers to remain vigilant about training employees on how to spot and not respond to these types of emails.

Cyber security is the number one threat to most businesses today, and health care providers are no exception, especially given the enforcement authority of OCR for HIPAA violations. Cybercriminals are growing more and more clever and sophisticated with their efforts to obtain data from companies of all sizes. Unfortunately, the question isn’t if you will be breached, but when. Being prepared for that breach and training your employees is critical to your ability to recover and to prevent massive fines and even class-action lawsuits under state law.


  • 30% of phishing messages were opened by users
  • 45% of visitors gave information to well-designed phishing websites
  • 13% of users who opened phishing messages went on to open malicious attachments or click on a link
  • 2 minutes is the average amount of time between receipt and the first person opening a phishing email


In December of 2015, CMS announced it had settled with University of Washington Medicine (“UWM”) for $750,000 on charges that UWM had violated the HIPAA Security Rule by failing to implement policies and procedures to prevent, detect, contain, and correct security violations. The breach affected 90,000 individuals and was the direct result of a single employee falling victim to a phishing email. The employee accidentally downloaded malware onto an IT system that housed ePHI. OCR’s resulting investigation revealed potential Security Rule violations because UWM did not ensure all of its affiliates were properly conducting risk assessments and appropriately responding to the identified risks.


It is more important than ever that your mandated HIPAA risk assessments include conducting training for employees on how to identify and respond (that is, not respond) to phishing emails. In its recent fact sheet on Ransomware and HIPAA, HHS specifically called out “training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections” as a covered entity’s obligation under the HIPAA Security Rule.

KJK partners with several cyber security experts to assist our clients in designing phishing email tests and setting up mandatory employee training. If you would like to take advantage of this program, please contact Mark Rasch at mdr@KJK.com.