IRS Fishing Scam – Reminder to Employers Sponsoring Group Health Plans

The IRS has recently issued a warning about a large, sophisticated email phishing scam that is targeting human resources and payroll departments. The email is designed to appear as though it comes from an executive within the organization and requests the names and other confidential information – including the W-2s – the organization’s employees. The IRS alert can be found here:

While information contained in an employer’s payroll records is generally excepted from the definition of protected health information (PHI) under HIPAA, this is still a crucial issues for employers that sponsor group health plans to be aware of. First and foremost, even if the information being requested isn’t PHI, it is likely subject to other privacy or confidentiality requirements under state or federal law. Secondly, to the extent that any of the information requested comes from the employer’s health plan’s records, it would be considered PHI and subject to HIPAA. Phishing and other social engineering scams are becoming more prevalent and more sophisticated, and can result in large-scale breaches.

The Security Rule requires that covered entities implement security measures to protect against malware (which may originate via a social engineering scam), including providing training on the issue to workforce members. A robust training program will include training on how to identify malware and social engineering attempts, and what the procedures are for reporting any suspected or known security incidents for resolution. Employers sponsoring group health plans should review their risk analyses and security incident procedures to ensure that their health plans are equipped to prevent a security incident – or worse, a breach – from occurring.

Last summer, HHS released information and guidance on preventing ransomware attacks. Employers may also find this guidance helpful with respect to prevent malware attacks in general. The guidance may be found here: