Fraud Alert: Scammers Sending Fake 'HIPAA Compliance' Postcards

Aug. 17, 2020

Fake postcards from a non-existent government agency are showing up in healthcare organizations’ mailboxes around the country, according to the federal Department of Health and Human Services and the Office for Civil Rights (OCR).

Earlier this week, the OCR alerted its entire contact database to these fraudulent postcards, which are disguised as official communications about the Health Insurance Portability and Accountability Act (HIPAA), the federal law that protects health information. The postcards, sent to HIPAA privacy and security officers, claim to be notices of a “mandatory HIPAA compliance risk assessment.”

The postcards direct recipients to visit a website link, call or email to take immediate action on HIPAA requirements. The website link directs individuals to a non-governmental website. Scams of this kind, called “phishing,” can allow the scammers to obtain sensitive information, especially if a recipient clicks a link. Doing so may inadvertently allow a scammer to enter their computer or network, gain private information and/or plant malware—which can have disastrous consequences.

The postcards have a Washington, D.C., return address, and are sent from the non-existent “Secretary of Compliance, HIPAA Compliance Division.” An example of the fake postcards is shown on this page.

Importantly, the Office for Civil Rights does not send communications without a return address from OCR itself or an OCR email address that has an @hhs.gov suffix. The actual addresses for OCR’s offices are available on the OCR website.

If you receive one of these postcards, discard it and do not access the information on the card. In general, never click on a link or open an email attachment from an organization or address you don’t recognize.

Learn more about phishing and similar forms of email fraud here.

This is an example of a postcard scammers are sending in the mail.