Warning · Scams & fraud

Fake 42 CFR Part 2 substance-use-disorder (SUD) record consent-revocation lure — "Patient consent revocation — purge SUD records within 30 days" targets behavioral-health EHR admins. The 42 CFR Part 2 Final Rule (effective Apr 16, 2024 / compliance Feb 16, 2026) harmonized SUD-record consent with HIPAA, lending the lure narrative immediate credibility. Drainer harvests behavioral-health admin credentials + SUD-record PHI exfiltration (irreversible HIPAA + 42-CFR-Part-2 + SUD-stigma exposure). Real 42-CFR-Part-2 / SAMHSA / SUD-record notifications come through samhsa.gov / hhs.gov / ocr.hhs.gov / EHR-vendor (Netsmart / Epic / Cerner) portals, never via an inbound email link from an unfamiliar domain demanding a 30-day purge of SUD records. PHI +0.05% budget; SUD-stigma scope flag; B2B-behavioral-health scope. Source: GC1 R9 multi-agent council P1 (S2 healthcare specialist).

fake-42-cfr-part-2-sud-record-consent-revocation-spoof

What this tier means

Warning signal — bulk / marketing / mild spam. Contributes to the trash score but is not by itself sufficient.

How Gorganizer detects this

Fake 42 CFR Part 2 substance-use-disorder (SUD) record consent-revocation lure targeting behavioral-health EHR (Electronic Health Record) admins, opioid-treatment-program (OTP) compliance staff, and SAMHSA-registered methadone / buprenorphine providers. The phish narrative arrives as: "Patient consent revocation — purge SUD records within 30 days," or "42 CFR Part 2 patient consent revocation request — your facility must purge or destroy substance-use-disorder treatment records within 30 days under the 2024 Final Rule HIPAA-harmonization compliance deadline." The 42 CFR Part 2 Final Rule (effective Apr 16, 2024 / compliance Feb 16, 2026) harmonized SUD-record consent with HIPAA — the compliance deadline of Feb 16, 2026 created a recent regulatory pivot point that compliance staff are still digesting, lending the lure narrative immediate credibility, especially because the Final Rule did genuinely modify when records can be re-disclosed and when consent must be re-acquired. Lookalike portals harvest behavioral-health admin credentials (post-compromise the attacker can read every SUD treatment record in the EHR — irreversible HIPAA + 42-CFR-Part-2 + SUD-stigma exposure for every treated patient) plus SUD-record PHI exfiltration through the fake "consent revocation purge" upload form (the attacker collects the patient's SUD record material as it is being prepared for purge, retaining evidentiary copies for downstream extortion and identity fraud against an extremely vulnerable population). Real 42-CFR-Part-2 / SAMHSA / SUD-record notifications come through samhsa.gov / hhs.gov / ocr.hhs.gov / EHR-vendor (Netsmart / Epic / Cerner) portals using credentials provisioned via the EHR-vendor onboarding process, never via an inbound email link from an unfamiliar domain demanding a 30-day purge of SUD records. PHI +0.05% budget; SUD-stigma scope flag; B2B-behavioral-health scope.
Fires when the body references 42 CFR Part 2 / substance use disorder / SUD record-treatment / SAMHSA / consent revocation / harmoniz / methadone / MAT / opioid treatment program / OTP AND contains purge / delete / destroy / 30-days / verify / comply / action-required / submit / deadline urgency. Excludes samhsa.gov, hhs.gov, ocr.hhs.gov, netsmartcloud.com, epic.com, cerner.com, and the broader .gov umbrella. Auto-classified as danger via the `-spoof` suffix. Source: GC1 R9 multi-agent council P1 (S2 healthcare specialist).
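The firing rule above, written out as a small detector: topic term AND urgency term in the body, with the listed domains and the .gov umbrella excluded. This is an added example, not Gorganizer's own code; the regexes are one rendering of the page's keyword list, the exclusion is assumed to apply to the sender's domain, and the sample messages are constructed.

```python
import re
from email.utils import parseaddr

SIGNAL_ID = "fake-42-cfr-part-2-sud-record-consent-revocation-spoof"
# Topic stems from the signal description; short tokens (MAT, OTP, SUD) are bound to
# whole words so they do not fire inside unrelated text such as "format".
TOPIC_PATTERNS = [
    r"42\s*cfr\s*part\s*2", r"substance[\s-]use[\s-]disorder", r"\bsud\b.{0,20}\brecord",
    r"\bsamhsa\b", r"consent[\s-]revocation", r"harmoniz", r"\bmethadone\b", r"\bmat\b",
    r"opioid[\s-]treatment[\s-]program", r"\botp\b",
]
URGENCY_PATTERNS = [
    r"\bpurge\b", r"\bdelete\b", r"\bdestroy\b", r"\b30[\s-]days?\b", r"\bverify\b",
    r"\bcomply\b", r"action[\s-]required", r"\bsubmit\b", r"\bdeadline\b",
]
# Sender domains the page lists as excluded; the whole .gov namespace is also skipped.
EXCLUDED_DOMAINS = {"samhsa.gov", "hhs.gov", "ocr.hhs.gov",
                    "netsmartcloud.com", "epic.com", "cerner.com"}

def _hits(patterns, text):
    return [p for p in patterns if re.search(p, text, re.IGNORECASE)]

def sender_excluded(from_header):
    """True if the From: domain is an excluded domain, a subdomain of one, or any .gov.
    Assumption: applied to a DMARC-authenticated sender, since a bare From: header is
    forgeable. Suffix matching means samhsa.gov.example is NOT excluded."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    return domain.endswith(".gov") or any(
        domain == d or domain.endswith("." + d) for d in EXCLUDED_DOMAINS)

def evaluate(from_header, body):
    """Signal logic: a topic term AND an urgency term in the body, sender not excluded."""
    topic, urgency = _hits(TOPIC_PATTERNS, body), _hits(URGENCY_PATTERNS, body)
    excluded = sender_excluded(from_header)
    return {"signal": SIGNAL_ID, "topic_hits": topic, "urgency_hits": urgency,
            "sender_excluded": excluded,
            "fires": bool(topic) and bool(urgency) and not excluded}

# Constructed samples (not real messages).
LURE_FROM = '"SAMHSA Compliance Desk" <notices@samhsa-part2-compliance.example>'
LURE_BODY = ("42 CFR Part 2 patient consent revocation request: your facility must purge "
             "or destroy substance-use-disorder treatment records within 30 days. "
             "Action required: submit the purge confirmation before the deadline.")
BENIGN_FROM = "<frontdesk@clinic.example>"
BENIGN_BODY = "Our OTP reaccreditation site visit is scheduled for May; agenda attached."

if __name__ == "__main__":
    for frm, body in [(LURE_FROM, LURE_BODY), ("<updates@samhsa.gov>", LURE_BODY),
                      (BENIGN_FROM, BENIGN_BODY)]:
        print(evaluate(frm, body)["fires"], frm)
```

The same lure text sent from samhsa.gov does not fire because of the exclusion, and the benign OTP message does not fire because it carries a topic term but no urgency term.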

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a warning-tier signal — bulk / marketing / mild spam. It contributes to the trash score but never triggers deletion on its own. Gorganizer requires multiple signals + a margin over the safety floor before any email is moved to trash.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.

Ready to clean your inbox?

Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.
