Not only are healthcare providers under attack in the daily battle against the coronavirus, but criminal actors are also quickly taking advantage of relaxed HIPAA enforcement and standards, teleworking and the general intensity of the situation to exploit patient and other confidential information.
The Department of Health and Human Services, Office for Civil Rights (OCR) issued an alert on Friday that an individual posing as an OCR Investigator has been contacting providers in an effort to obtain patient information. If your organization is currently under investigation, an OCR Transaction number and an investigator have already been assigned to the matter. OCR recommends that, prior to providing any information, providers request a confirming email sent from the OCR Investigator’s official email address. If you have any questions, you may contact the OCR at [email protected].
Unfortunately, this is not the first instance, and the bad actors have not been resting. Since the beginning of the emergency, and particularly with the more frequent use of FaceTime, Zoom and other readily available methods for conducting work remotely, there has been a marked increase in hacking incidents. According to Check Point Research (https://blog.checkpoint.com/2020/03/19/covid-19-impact-as-retailers-close-their-doors-hackers-open-for-business/), cyber-criminals are actively establishing dark net “stores” marketing malware and hacking services. Not even the Department of Health and Human Services (HHS) is immune. On March 16, HHS was the target of a campaign of disruption and disinformation aimed at undermining the COVID response and slowing government systems. HHS reported that the attack was unsuccessful.
On March 18, OCR relayed a warning and advice (https://www.us-cert.gov/ncas/current-activity/2020/03/06/defending-against-covid-19-cyber-scams) from the Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA). CISA warned of increased cyber-attacks through social engineering and phishing, recommended enhanced vigilance, and offered the following guidance:
- Avoid clicking on links in unsolicited emails and be wary of email attachments. See Using Caution with Email Attachments (https://www.us-cert.gov/ncas/tips/ST04-010) and Avoiding Social Engineering and Phishing Scams (https://www.us-cert.gov/ncas/tips/ST04-014) for more information.
- Use trusted sources—such as legitimate, government websites (https://www.cisa.gov/coronavirus) —for up-to-date, fact-based information about COVID-19.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.
- Verify a charity’s authenticity before making donations. Review the Federal Trade Commission’s page on Charity Scams (https://www.consumer.ftc.gov/articles/0074-giving-charity) for more information.
- Review CISA Insights on Risk Management for COVID-19 (https://www.cisa.gov/sites/default/files/publications/20_0306_cisa_insights_risk_management_for_novel_coronavirus.pdf) for more information.
Although there are waivers and OCR enforcement discretion related to certain HIPAA standards, the HIPAA obligation to maintain the security of patient information remains in force and, in the event of a breach, so do the HIPAA (and applicable state) breach notification requirements.