Thieves Are Hitting People in Times of Stress

HHS has published several warnings recently, including this statement on April 3rd, that businesses should be ever vigilant against imposters posing as HHS / OCR investigators.

April 3, 2020

Alert: Individual Posing as OCR Investigator

It has come to OCR’s attention that an individual posing as an OCR Investigator has contacted HIPAA covered entities in an attempt to obtain protected health information (PHI).  The individual identifies themselves on the telephone as an OCR investigator, but does not provide an OCR complaint transaction number or any other verifiable information relating to an OCR investigation. 

HIPAA covered entities and business associates should alert their workforce members, and can take action to verify that someone is an OCR investigator by asking for the investigator’s email address, which will end in @hhs.gov, and asking for a confirming email from the OCR investigator’s hhs.gov email address.  If organizations have additional questions or concerns, please send an email to: OCRMail@hhs.gov.

Suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation (FBI).  The FBI issued a public service announcement about COVID-19 fraud schemes at:

https://www.ic3.gov/media/2020/200320.aspx.

Why Are People Posing As HHS Investigators?

HIPAA Spells Fear

For most people who fall under the auspices of the Health Insurance Portability and Accountability Act, aka HIPAA, the terms instill a dread of burdensome policies and obscure reference documents and of punishment for failure to meet the rules. HIPAA penalties include massive potential monetary fines. In the most extreme cases, there is no legal dollar cap. And perhaps worse for individuals, the potential for jail time for violation.

Scams Operate on Fear

Many scam artists take advantage of fears that people may have. The IRS, FBI, or now, HHS / OCR is calling. When people are stressed or afraid, they often divulge information that they otherwise would keep private. The scammer questions tend to follow the line of creating the panic or stress, then requesting info from people – your name, account numbers, social security numbers, etc. These bits of data are the keys they want. These are the keys to create false identities, credit fraud, or simply to hack into online accounts and ultimately bigger prizes.

Stay Calm, Stay Professional

Investigators from any government agency don’t need to pressure people. They don’t need to and don’t tend to rush. If they are ever investigating a case, they are careful, diligent, and patient because they are after the truth. They know that rushing leads to incomplete data and more often, wrong data.

You can stay calm and professional, and know what if they contacted you, they know who you are. They don’t need you to reveal private data.

If you do receive questionable calls, emails, or personal visitors, check with the agencies. Remember this comment from HHS:

HIPAA covered entities and business associates should alert their workforce members, and can take action to verify that someone is an OCR investigator by asking for the investigator’s email address, which will end in @hhs.gov, and asking for a confirming email from the OCR investigator’s hhs.gov email address.