So this arrived from an email address similar to, yet not quite the same as, the URL of a physician’s office where I had an appointment a few days hence:
My email client is set to prefer plain text, disallow remote content, and not open attachments, so that’s as far as it got. Donning asbestos work gloves and face mask, I pried open the message and its attached HTML file with the appropriate tools and found, as expected, scripts doing who-know-what.
Called the office and, also as expected, was told my appointment time had been changed.
Showed up, mentioned it to the doctor, and was told the office must check off many boxes to demonstrate its HIPAA compliance.
Bottom line: HIPAA now requires patients (a.k.a., us) to open random attachments from random senders, all in the name of privacy.
Banks do that, too.