OCR: Individual Posing as OCR Investigator
OCR issued an alert on April 3, 2020, regarding an individual posing as an OCR Investigator who has contacted HIPAA covered entities in an attempt to obtain protected health information (PHI). The individual identifies themselves on the telephone as an OCR investigator, but does not provide an “OCR complaint transaction number” or any other verifiable information relating to an OCR investigation.
Covered entities and business associates should take these steps:
- Alert workforce members to take action to verify that someone is an OCR investigator by asking for:
  - The OCR complaint transaction number
  - The investigator’s email address, which will end in @hhs.gov, and
  - A confirming email from the OCR investigator’s hhs.gov email address
- Additional questions or concerns can be addressed via email to OCRMail@hhs.gov
- Report suspected incidents of individuals posing as federal law enforcement to the FBI Internet Crime Complaint Center. You can also report phone scams to the Federal Communications Commission.
CDC: COVID-19 Related Phone Scams and Phishing Attacks
In a notice updated April 3, 2020, the CDC reported that members of the general public are receiving calls that appear, via caller ID, to originate from the CDC, or voice mail messages from scammers claiming to be from the Centers for Disease Control and Prevention (CDC). Some calls request donations. The CDC refers to these fraudulent calls as “government impersonation fraud.”
CDC reiterates that federal agencies do not request donations from the general public. Below are some helpful dos and don’ts to protect yourself from phone scams and phishing attacks:
Don’t:
- Give out or supply your personal information, including banking information, social security number, passwords or other personally identifiable information over the phone, in any emails or to individuals you do not know
- Open unsolicited email from people you don’t know
- Click links in emails. If you think the link is to a valid website, hover your mouse over the link to obtain the URL and then type the web address in your browser window to access the website yourself without using the link.
Do:
- Be wary of third-party sources spreading information about COVID-19 and refer to the official CDC COVID-19 page
- Be wary of attachments in any email
- Hover your mouse over links to see where they lead
- Verify the web address of legitimate websites and manually type them into your browser
FBI and CISA: PSA on COVID-19 Fraud Scheme and Guidance on Defending Against “Zoom-Bombing”
On March 20, 2020, the FBI issued a public service announcement about COVID-19 fraud schemes. The PSA contains information on identifying fake CDC emails and websites, phishing emails, and counterfeit treatments and equipment.
On March 30, 2020, the FBI warned of video-teleconferencing (VTC) hijacking (also called “Zoom-bombing”), where unidentified or uninvited third parties use a teleconference number to disrupt or listen in on the conference meeting. “Zoom-bombing” is named after the popular VTC platform Zoom, but can affect any VTC platform, such as Microsoft Teams, GoToMeeting, Lifesize, Join.me, BlueJeans and others. Subsequently, on April 2, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) released additional guidance warning of Zoom-bombing and encouraged all users and administrators to review the March 30, 2020 FBI article.
Below are recommendations compiled from the FBI and CISA to help mitigate teleconference risks and threats:
- Consider security requirements when selecting vendors, such as enabling or asking for end-to-end encryption
- Ensure VTC software is up-to-date
- Do not make meetings or classrooms public
  - In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests
- Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post
  - Provide the link directly to specific people
- Manage screensharing options
  - In Zoom, change screensharing to “Host Only”
- Ensure users are using the updated version of remote access/meeting applications.
  - In January 2020, Zoom updated their software. In their security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
- Ensure that your organization’s telework policy or guide addresses requirements for physical and information security.
If you were a victim of a teleconference hijacking or any cyber-crime, report it to the FBI's Internet Crime Complaint Center. If you receive a specific threat during a teleconference, please report it at tips.fbi.gov or call the FBI Boston Division at 857.386.2000.
TMHCC CyberNET® Webinar and Resources
In partnership with our cyber risk experts, Tokio Marine HCC – Cyber & Professional Lines Group (TMHCC), LAMMICO offers our insureds complimentary access to CyberNET®, the most advanced cyber risk management solutions inclusive of sample policies, incident response plans and other compliance and training materials.
Insureds are encouraged to log in as a Member at lammico.com to access CyberNET® through LAMMICO Practice Solutions and access a free, on-demand webinar titled "Avoiding Cybersecurity Threats This Year" in the “Cyber Training” section of CyberNET®.
Finally, the cyber risk experts at TMHCC offer these additional recommendations:
Detecting the COVID-19 scam. COVID-19 scams can arrive by email, phone call or text. Treat all coronavirus-related emails or text messages with an attachment or link as highly suspicious. The sender’s name should match the email address. These scams can contain branding from legitimate organizations and typically use a sense of urgency and fear to elicit a response. Subjects include potential government checks, vaccines, cures, prepaid tests, local infection maps, etc.
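The indicators in this paragraph, together with the @hhs.gov check from the OCR alert above, turned into a small triage script, as an added example (not code from LAMMICO, TMHCC or any of the agencies cited); the sample messages and their domains are constructed placeholders:

```python
import re
from email.utils import parseaddr

# Indicators taken from the advisory text: COVID-19 themed subject carrying a
# link or attachment, sender display name not matching the real address,
# urgency wording, and a claimed OCR/HHS identity outside @hhs.gov.
COVID_TERMS = ("covid", "coronavirus", "vaccine", "cure", "prepaid test",
               "infection map", "government check", "stimulus")
URGENCY_TERMS = ("urgent", "immediately", "act now", "final notice")
OCR_RE = re.compile(r"\b(ocr|office for civil rights|hhs)\b")
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")

def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def analyze(msg):
    """Return the indicators a message (dict: from, subject, has_attachment, has_link) triggers."""
    name, addr = parseaddr(msg["from"])
    name_l, subj_l, domain = name.lower(), msg["subject"].lower(), sender_domain(addr)
    reasons = []
    # "The sender's name should match the email address": a display name that
    # itself looks like an address but differs from the one mail is sent from.
    shown = ADDR_RE.search(name_l)
    if shown and shown.group(0) != addr.lower():
        reasons.append("display name %s differs from address %s" % (shown.group(0), addr))
    # OCR investigators write from @hhs.gov; any other domain claiming OCR is suspect.
    if OCR_RE.search(name_l) and domain != "hhs.gov":
        reasons.append("claims OCR/HHS identity from domain %r" % domain)
    # Coronavirus-themed message that carries an attachment or link.
    if any(t in subj_l for t in COVID_TERMS) and (msg["has_attachment"] or msg["has_link"]):
        reasons.append("COVID-19 subject with attachment or link")
    if any(t in subj_l for t in URGENCY_TERMS):
        reasons.append("urgency wording in subject")
    return reasons

# Constructed sample messages (not real scam samples); domains are placeholders.
SAMPLES = [
    {"from": '"OCR Investigator" <investigator@hhs-ocr-review.example>',
     "subject": "URGENT: HIPAA complaint - respond immediately",
     "has_attachment": True, "has_link": False},
    {"from": '"alerts@cdc.gov" <notify@covid-alerts.example>',
     "subject": "Coronavirus infection map for your area",
     "has_attachment": False, "has_link": True},
    {"from": '"Jane Doe" <jane.doe@hhs.gov>', "subject": "Re: scheduling our call",
     "has_attachment": False, "has_link": False},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", analyze(m) or ["no indicators"])
```

The checks are deliberately coarse: they flag messages for a person to verify by the steps above (transaction number, confirming hhs.gov email), not to auto-delete mail.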
If you’re working from home, follow your organization’s policy. Update all software on your computers and devices. Use extra-long passwords and two-factor authentication for remote access and for your devices when possible. Don’t use public WiFi to transact sensitive business unless through a Virtual Private Network or other secure means. Securely dispose of sensitive information and never leave your devices unattended.
- Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (DHS / CISA)
- Federal Trade Commission (FTC)
- Department of Justice (DOJ)
- Federal Bureau of Investigation (FBI)
- Video-telephone Conferencing