Beware of Fraudsters Posing as Government Investigators to Obtain Protected Health Information

Hinshaw & Culbertson - Cyber Alerts

Risk Management Question

What precautions can law firms, along with their lawyers and staff, take when they receive an unexpected request for protected health information (PHI) from someone claiming to be a representative of the Office of Civil Rights (OCR) or the Centers for Disease Control and Prevention (CDC)?

The Issue

The U.S. Department of Health and Human Services (HHS) and the Federal Bureau of Investigation (FBI) have warned about scammers posing as representatives from the OCR or CDC. The phony OCR Investigator may contact HIPAA-covered entities or their business associates to access PHI. The fake CDC representative may claim to have special information about COVID-19. These fraudsters prey on community fears and use threats of enforcement and fines to convince the unsuspecting individual to immediately provide the PHI of others.

Risk Management Solutions

Law firms and clients who maintain PHI should alert their employees about these scams and advise them to take the following actions:

  • Always ask for the caller's name, title, phone number, and email address.
  • Ask for an OCR complaint transaction number or any other verifiable information relating to an OCR investigation.
  • According to HHS, an OCR investigator's email address will end in If the caller provides a different domain name, it's a scam.
  • Ask the caller to provide a confirmation email from a legitimate government email address.
  • Verify the caller's identity and role by calling the main number listed on the website of the governmental entity they are purportedly from.
  • Train employees to report suspected scams to a specific department within your firm and refrain from further communication with the caller until a supervisor has confirmed the request is legitimate.

Additional tips from the FBI:

  • Do not open attachments or click links within emails from senders you don't recognize.
  • Do not provide usernames, passwords, dates of birth, social security numbers, financial data, or other personal information—whether it be yours or someone else's—in response to an email or robocall.
  • Always verify the web address of legitimate websites and manually type them into your browser.
  • Check for misspellings or wrong domains within a link (e.g. an address that should end in ".gov" ends in ".com" instead).
  • Suspected incidents of individuals posing as federal law enforcement should be reported to the FBI.

Always think before you click or answer the phone. Remember, let's be careful out there.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hinshaw & Culbertson - Law Firm Cyber Alerts | Attorney Advertising

Written by:

Hinshaw & Culbertson - Law Firm Cyber Alerts

Hinshaw & Culbertson - Law Firm Cyber Alerts on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.