Beware of Fraudsters Posing as Government Investigators to Obtain Protected Health Information
Privacy, Cyber & AI Decoded Alert | 2 min read
Apr 8, 2020
Risk Management Question
What precautions can law firms, along with their lawyers and staff, take when they receive an unexpected request for protected health information (PHI) from someone claiming to be a representative of the Office of Civil Rights (OCR) or the Centers for Disease Control and Prevention (CDC)?
The Issue
The U.S. Department of Health and Human Services (HHS) and the Federal Bureau of Investigation (FBI) have warned about scammers posing as representatives from the OCR or CDC. The phony OCR Investigator may contact HIPAA-covered entities or their business associates to access PHI. The fake CDC representative may claim to have special information about COVID-19. These fraudsters prey on community fears and use threats of enforcement and fines to convince the unsuspecting individual to immediately provide the PHI of others.
Risk Management Solutions
Law firms and clients who maintain PHI should alert their employees about these scams and advise them to take the following actions:
- Always ask for the caller's name, title, phone number, and email address.
- Ask for an OCR complaint transaction number or any other verifiable information relating to an OCR investigation.
- According to HHS, an OCR investigator's email address will end in @hhs.gov. If the caller provides a different domain name, it's a scam.
- Ask the caller to provide a confirmation email from a legitimate government email address.
- Verify the caller's identity and role by calling the main number listed on the website of the governmental entity they are purportedly from.
- Train employees to report suspected scams to a specific department within your firm and refrain from further communication with the caller until a supervisor has confirmed the request is legitimate.
Additional tips from the FBI:
- Do not open attachments or click links within emails from senders you don't recognize.
- Do not provide usernames, passwords, dates of birth, social security numbers, financial data, or other personal information—whether it be yours or someone else's—in response to an email or robocall.
- Always verify the web address of legitimate websites and manually type them into your browser.
- Check for misspellings or wrong domains within a link (e.g. an address that should end in ".gov" ends in ".com" instead).
- Suspected incidents of individuals posing as federal law enforcement should be reported to the FBI.
Always think before you click or answer the phone. Remember, let's be careful out there.
Related People
Related Capabilities
Featured Insights

Healthcare Alert
Jul 8, 2026
A New Era of Compliance Standards for California DSOs and MSOs After the Aspen Dental Settlement

Insights for Insurers Alert
Jul 7, 2026
What Insurers Need to Know About California’s FAIR Plan Assessment Recoupment Guidance

In The News
Jul 6, 2026
Francesco Palanda’s Practical Guide for Mitigating AI-Related Business Interruption Risk

Lawyers' Lawyer Newsletter
Jun 29, 2026
Beyond Malpractice: The Rising Threat of Privacy and Statutory Claims Against Lawyers

In The News
Jun 26, 2026
Brian McGrath Discusses Far-Reaching Impact of a NY Foreclosure Ruling on Mortgage Industry

In The News
Jun 26, 2026
Jason Oliveri Discusses AI Companions in Elder Care and the Risks for LGBTQ+ Residents

Event
June 25-26, 2026
Todd Young Speaks on Importance of Financial Literacy to ESOP Culture

Press Release
Jun 25, 2026
Scott Seaman Appointed to DRI Center for Law and Public Policy’s Social Inflation Task Force




