Fake UnitedHealthcare / Aetna / Cigna / Anthem / Blue Cross Blue Shield / Humana / Kaiser Permanente / Oscar / Elevance / Molina / Centene health-insurance prior-auth DENIAL lure — "prior authorization denied / claim denial / coverage will be suspended, verify within 24 hours or appeal before deadline" targeting 200M+ US commercial insurance enrollees + 75M Medicaid + 64M Medicare; post-UnitedHealth 2024 auto-denial-algorithm controversy (NYT/ProPublica) primed victims to read denial lures as plausible; harvests member-ID + SSN + DOB + credit card ("$299 expedited review fee") + provider info; medical-ID bundles sell $500-1,500 on dark markets (highest per-record identity-fraud price, enables BOTH fraudulent medical billing AND regular ID theft); distinct from enrollment PII-harvest signal (covers ACA/Medicare enrollment scams, opposite attack shape)

Fake "your UnitedHealthcare / Aetna / Cigna / Anthem / Blue Cross Blue Shield / Humana / Kaiser Permanente / Oscar Health / Elevance Health / Molina / Centene prior authorization has been denied — verify your claim information within 24 hours or your coverage will be suspended / appeal before deadline" email targeting the 200M+ US commercial health-insurance enrollees plus 75M Medicaid and 64M Medicare enrollees. Why this lure converts heavily in 2024-2026: UnitedHealth's 2024 auto-denial-algorithm controversy (NYT and ProPublica investigations, Brian Thompson incident) created a MASSIVELY primed mental model — victims read the phish and think "yep, sounds about right" before checking the sender. Real prior-auth denial letters DO use near-identical language and DO cite 24-48-hour appeal windows, so the template shape is deeply familiar. Attack harvests member-ID, SSN (used on appeal forms), date-of-birth, credit card (for fake "$299 expedited review fee" — a common scam add-on), and provider info (enables downstream medical-identity theft). Medical-identity bundles sell on dark markets at $500-$1,500 per complete bundle — higher than financial PII because they enable both fraudulent medical billing AND regular identity theft. Distinct from `fake-health-insurance-plan-pii-harvest-scam` (covers ENROLLMENT scams about ACA/Obamacare/Medicare Advantage "$0 premium" — opposite attack shape: enrolling vs already-insured), `fake-mychart-patient-portal-breach-lure` (provider-side patient portal, not payer-side carrier), and `fake-government-benefits-reapplication-lure` (benefits-loss framing via reapplication, not claim denial). Fires when body references UnitedHealthcare / UHC / Aetna / Cigna / Anthem / Blue Cross / BCBS / Humana / Kaiser Permanente / Oscar Health / Elevance / Molina / Centene / Wellpoint / Medicare Advantage / Medicare Part A/B/C/D / Medicaid / health insurance / medical insurance / prior authorization / pre-auth / coverage review / claim denial / benefit denial / medical claim AND contains denied / denial / appeal-within / coverage-suspended / verify-claim / 24-hour urgency. Excludes unitedhealthcare.com, uhc.com, unitedhealth.com, unitedhealthgroup.com, aetna.com, aetnabetterhealth.com, cigna.com, myevernorth.com, anthem.com, bcbs.com, bcbsil.com, bcbstx.com, bcbsm.com, horizonbcbsnj.com, bluecrossblueshield.com, bluecross.com, bluecrossma.com, humana.com, kp.org, kaiserpermanente.org, hioscar.com, oscar.com, elevancehealth.com, molina.com, molinahealthcare.com, centene.com, medline.com, healthcare.gov, cms.gov, medicare.gov. Auto-classified as danger via the `-lure` suffix.