The Office of Civil Rights (OCR) has been made aware of postcards being sent to healthcare organizations informing the recipients that they are required to participate in a “Required Security Risk Assessment,” and they are being directed to send their risk assessment to the following URL below (DO NOT click on the link below or copy and paste it into a browser as it is a scam):

This is a suspicious link that directs individuals to a non-governmental website marketing consulting service.

Please be advised that this postcard notification did not come from OCR or the U.S. Department of Health and Human Services. This communication is from a private entity – it is NOT an HHS/OCR communication. Employers should alert their workforce members to this misleading communication.

Employers can verify that a communication is from OCR by looking for the OCR address or email address, which will end in on any communication that purports to be from OCR and ask for a confirming email from the OCR investigator’s email address. The addresses for OCR’s HQ and Regional Offices are available on the OCR website at and all OCR email addresses will end in If organizations have additional questions or concerns, please send an email to:

Suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation.