New Scam Targeting Medical Entities that Your SPAM Filter will NOT Stop!

It’s always nice to get a postcard from friends or family who are away on vacation. But this week we learned of a new kind of postcard being sent out with not-so-well wishes.

The Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR) sent out a warning that fraudulent postcards are being sent out, addressed to HIPAA Privacy and Security Officers with false information and instructions.

These postcards are being sent to healthcare organizations and are disguised as an “official government communication” with instructions to visit a website, call, or respond via email to take immediate action regarding HIPAA requirements. The fake postcard contains a return address located in Washington D.C. of the non-existent Secretary of Compliance’s office.

Details, including an image of the postcard, can be found here on the (legitimate) website of the National Law Review.

Proceed with Caution

We are inundated with information. And with so much coming at us, it is very easy to glance quickly, assume it is safe, and make mistakes unknowingly. Unfortunately, you just can’t do that. There is no other way to say it, and to emphasize it any less would be doing an injustice to your business. Cybercriminals will go to ANY lengths to get your data. They have printed up fake government postcards, taken the time to mail them, and now wait for even ONE person to take the bait. That is how valuable this information is. Do not take it lightly and do not think that “it can’t happen to you”.


Here are a few quick steps that you should take each time BEFORE you click or call:

Review the website. A quick internet search can take you to the business or government site that you are trying to access – DIRECTLY rather than via an unsafe link, but make sure you are visiting the legitimate website. Scammers can duplicate websites and create URLs that are very close to the legitimate site, so always do a double-check.

Do you know the person who sent you the communication? Is it their actual email address? In this case, a genuine message would come from an address ending in @hhs.gov. Is their phone number and/or physical address legitimate? If you aren’t sure, do your research. Identify the legitimate contact details and call the office directly to verify that this was a valid communication – don’t use the number provided!

If the sender is asking for access, or for an action that opens a gateway to more information, double-check, even triple-check, what you are sending and to whom you are sending it.

Consider yourself to be the gatekeeper of a treasure. How would you guard that information in the safest way possible? If you still aren’t sure, ask someone to double-check what you have found and do a simple search online to see if anyone else is questioning this potential scam. One simple mistake could be business-ending.
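The sender check above can be automated for email. The following Python example is added here and is not from the original article or from HIPAA Secure Now!; it assumes, as the article states, that a genuine OCR message comes from the hhs.gov domain, and every header value in it is constructed for illustration. It flags the tricks a quick glance misses: a display name that merely contains "hhs.gov", a lookalike domain such as hhs-gov.example, hhs.gov buried in front of an attacker-controlled domain, and Unicode homoglyphs.

```python
import email.utils
import unicodedata
from typing import Optional

# Domain a genuine HHS/OCR message would come from (per the article).
EXPECTED_DOMAIN = "hhs.gov"


def sender_domain(header_value: str) -> Optional[str]:
    """Return the lower-cased domain of the real address in a From: header.

    Uses the address part only, so a display name like "noreply@hhs.gov"
    cannot disguise the true sender. Returns None if no usable address.
    """
    _display_name, addr = email.utils.parseaddr(header_value)
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].strip().rstrip(".")
    # Fold Unicode variants and encode to IDNA: a homoglyph domain such as
    # hhs.gоv (Cyrillic о) becomes an xn-- label and will not match.
    domain = unicodedata.normalize("NFKC", domain)
    try:
        domain = domain.encode("idna").decode("ascii")
    except UnicodeError:  # empty or over-long label, malformed domain
        return None
    return domain.lower()


def is_expected_sender(header_value: str, expected: str = EXPECTED_DOMAIN) -> bool:
    """True only if the address is at `expected` or a true subdomain of it.

    An exact match or a ".hhs.gov" suffix is required, so
    "hhs.gov.compliance-notice.example" and "hhs-gov.example" both fail.
    """
    domain = sender_domain(header_value)
    if domain is None:
        return False
    return domain == expected or domain.endswith("." + expected)


if __name__ == "__main__":
    # Constructed sample headers (hypothetical addresses, not real senders).
    samples = [
        "Office for Civil Rights <ocr@hhs.gov>",
        "OCR Portal <no-reply@ocrportal.HHS.gov>",
        '"noreply@hhs.gov" <alerts@hhs-gov.example>',
        "OCR <ocr@hhs.gov.compliance-notice.example>",
        "OCR <ocr@hhs.g\u043ev>",  # Cyrillic о in place of Latin o
    ]
    for header in samples:
        verdict = "OK" if is_expected_sender(header) else "SUSPICIOUS"
        print(f"{verdict:10} {header!r} -> domain {sender_domain(header)!r}")
```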


We are a proud partner of HIPAA Secure Now!, a company of HIPAA experts dedicated to helping medical entities stay compliant and keeping their data safe. 

Thank you HIPAA Secure Now! (www.HIPAAsecurenow.com) for the contents of this article.


Want more cybersecurity tips to help keep your business safe & secure? Sign up for our email newsletter and have new articles & tips delivered straight to your inbox monthly.

Tracy Hardin

Tracy Hardin is President and founder of Next Century Technologies in Lexington, KY. She has a bachelor's degree in computer science from the University of Kentucky and has earned certifications from Novell, Cisco and CompTIA. Her specialties in the field of IT are network design and security, project management and improving productivity through technology. She loves helping people by sharing her knowledge of tech.
