Fake MyChart / patient portal breach lure — "your MyChart account was accessed during a recent security incident, verify identity within 24 hours or access will be suspended" targeting US patients; SSN + insurance ID + DOB + medical-history harvest for medical-identity theft (post-2024 Change Healthcare / Ascension / Kaiser breach era)

Fake "your MyChart / patient portal account was accessed during a recent security incident — verify your identity within 24 hours or access will be suspended" email targeting US patients. Harvests SSN + insurance ID + DOB + phone + address + medical history for medical-identity theft downstream (fraudulent prescription runs, Medicare-Advantage plan enrollment fraud, stolen benefits). The 2024 Change Healthcare breach (100M+ records), Ascension ransomware incident, and Kaiser Permanente tracker leak primed patients to expect real "your records may have been affected" notifications, which is why this phish converts. Medical records are the highest-price single identity-theft class on dark markets ($250-1000 each vs. $5-50 for a credit card), so attacker ROI justifies the custom-lure investment. Fires when the body references MyChart / patient portal / Epic / health portal / patient records access AND contains breach / verify-identity / re-authenticate / suspend urgency. Excludes mychart.com, epic.com, kp.org, clevelandclinic.org, hopkinsmedicine.org, mayoclinic.org, partners.org, nyulangone.org, mountsinai.org, cedars-sinai.org, uchicagomedicine.org, mgh.harvard.edu, upmc.com, uclahealth.org, nhs.uk, patient.co.uk, plus .gov / .edu umbrellas. Auto-classified as danger via the `-lure` suffix.