Skip to main content

Postcard Ruse Prompts a Warning to Providers from HHS OCR

Analysis  |  By Scott Mace  
   April 30, 2021

Bogus 'Required Security Assessment' originated from outside government, and healthcare orgs should alert their workers.

Social engineering took a new twist this week when a non-governmental website posed as the federal government and attempted to harvest sensitive information from healthcare organizations.

The ruse was revealed via a notice emailed to subscribers of the U.S. Department of Health & Human Services’ Office of Civil Rights (OCR) announcement mailing list.

"OCR has been made aware of postcards being sent to healthcare organizations informing the recipients that they are required to participate in a ‘Required Security Risk Assessment’ and they are directed to send their risk assessment to [the spurious website]," the OCR announcement stated. 'The link directs individuals to a non-governmental website marketing consulting services.'

OCR added that 'this postcard notification did not come from OCR or the U.S. Department of Health & Human Services. This communication is from a private entity—it is NOT an HHS/OCR communication. HIPAA covered entities and business associates should alert their workforce members to this misleading communication."

Covered entities and business associates can confirm that a communication is from OCR by looking for the OCR address or email address, which will end in, on any communication that purports to be from OCR, and asking for a confirming email from the OCR investigator’s email address, according to OCR.

The addresses for OCR’s HQ and Regional Offices are available on the OCR website, and all OCR email addresses will end in

Organizations that have additional questions or concerns can send an email to

The OCR said that suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation.

During the COVID-19 pandemic, criminals have focused in particular on financial relief and healthcare domains, according to the recently released fourth annual report by Keysight Technologies on cybersecurity.

Scott Mace is a contributing writer for HealthLeaders.

Tagged Under:

Get the latest on healthcare leadership in your inbox.