Fake CMS EMTALA (Emergency Medical Treatment & Active Labor Act) 409-letter lure built around an ED on-call roster and transfer-log investigation. Typical wording: "CMS Region IV EMTALA complaint — submit ED on-call roster + transfer logs in 409-letter response window or civil money penalty (CMP) accruing". The message spoofs a CMS regional office and harvests ED scheduler / CMO credentials plus protected medical screening / stabilization / transfer records (PHI exfiltration). The EMTALA enforcement uptick post-Dobbs and the 2025 CMS revised SOM Appendix V give attackers a real and credible regulatory pretext. Real EMTALA investigations come through formal CMS regional-office / state-survey-agency postal correspondence and the qsep.cms.gov portal, never via an inbound email link demanding ED on-call roster and transfer-log submission to an unfamiliar domain. PHI +0.05% budget; B2B-hospital scope. Source: GC1 R9 multi-agent council top-5 P0 (S2 healthcare specialist).
fake-emtala-409-letter-ed-on-call-roster-investigation-lure
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Fake CMS EMTALA (Emergency Medical Treatment & Active Labor Act) 409-letter ED on-call roster + transfer-log investigation lure targeting hospital ED schedulers, CMOs, compliance officers, and medical-staff offices.

The phish narrative arrives as: "Per CMS Region IV, an EMTALA complaint has been filed against your hospital — submit ED on-call roster, transfer logs, and medical screening records within the 409-letter response window or civil money penalty (CMP) accruing," or "A CMS EMTALA investigation under Appendix V has been opened concerning ED dump and stabilization deficiencies — submit on-call coverage records and transfer-log medical screening evidence to the investigation portal."

Three things give attackers a real and credible regulatory pretext: the EMTALA enforcement uptick post-Dobbs (heightened CMS scrutiny on emergency-department obstetric and abortion-stabilization care), the 2025 CMS revised SOM (State Operations Manual) Appendix V (the EMTALA-investigation interpretive guidelines), and the new wave of CMS Region IV / Region IX investigations. The 409-letter is a specific CMS investigative tool that demands documentation in a defined window, which lends the deadline-pressure framing immediate credibility for a hospital compliance officer.

Lookalike investigation portals harvest two things. The first is ED scheduler / CMO credentials (post-compromise: full takeover of the on-call roster scheduling system + downstream extortion / patient-record exfil). The second is PHI from submitted transfer logs / medical screening records (irreversible HIPAA exposure for the hospital and downstream patients).

Real CMS EMTALA investigations come through formal CMS regional-office / state-survey-agency postal correspondence sent to the hospital's designated CMS compliance officer, with access via the qsep.cms.gov portal using credentials issued through the CMS-survey-agency onboarding process. They never arrive via an inbound email link demanding ED on-call roster + transfer-log submission to an unfamiliar domain.
PHI +0.05% budget; B2B-hospital scope. Fires when body references EMTALA / 409-letter / CMS Region / Appendix V / on-call roster-coverage / medical screening / stabilization / transfer log-form / ED dump AND contains investigat / complaint / submit / deadline / CMP / civil money penalty / comply / action-required urgency. Excludes cms.hhs.gov, hhs.gov, oig.hhs.gov, qsep.cms.gov, cms.gov, and the broader .gov umbrella. Auto-classified as danger via the `-lure` suffix. Source: GC1 R9 multi-agent council top-5 P0 (S2 healthcare specialist).
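The rule above expressed as Python, as an added example rather than Gorganizer's own code. The regular expressions, the reading of "on-call roster-coverage" and "transfer log-form" as alternations, and applying the exclusion to the From domain are assumptions; the sample messages are constructed.

```python
import re
from email.utils import parseaddr

# Topic terms listed on the page. Reading "on-call roster-coverage" and
# "transfer log-form" as alternations is an assumption of this example.
TOPIC = re.compile(
    r"\bEMTALA\b|\b409[- ]letter\b|\bCMS Region\b|\bAppendix V\b"
    r"|\bon-call (?:roster|coverage)\b|\bmedical screening\b"
    r"|\bstabilization\b|\btransfer[- ](?:logs?|forms?)\b|\bED dump\b",
    re.IGNORECASE,
)
# Urgency terms listed on the page; "investigat" is matched as a stem.
URGENCY = re.compile(
    r"\binvestigat\w*|\bcomplaint\b|\bsubmit\b|\bdeadline\b|\bCMP\b"
    r"|\bcivil money penalty\b|\bcomply\b|\baction[- ]required\b",
    re.IGNORECASE,
)
# Exclusions from the page; "gov" stands for the broader .gov umbrella.
EXCLUDED = ("cms.hhs.gov", "hhs.gov", "oig.hhs.gov", "qsep.cms.gov", "cms.gov", "gov")


def sender_excluded(from_header: str) -> bool:
    """True if the From domain is, or is a subdomain of, an excluded domain."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")
    # Match on a label boundary so "qsep.cms.gov.example" is not excluded.
    return any(domain == d or domain.endswith("." + d) for d in EXCLUDED)


def signal_fires(from_header: str, body: str) -> bool:
    """Topic AND urgency in the body, from a sender outside the exclusions."""
    if sender_excluded(from_header):
        return False
    return bool(TOPIC.search(body)) and bool(URGENCY.search(body))


# Constructed sample messages (not real traffic).
SAMPLES = [
    ("CMS Region IV <notices@cms-gov.example>",
     "An EMTALA complaint has been filed. Submit the ED on-call roster "
     "and transfer logs or a civil money penalty will accrue."),
    ("Survey Team <survey@qsep.cms.gov.example>",
     "EMTALA investigation: action required before the deadline."),
    ("QSEP <noreply@qsep.cms.gov>",
     "Your EMTALA investigation documents are available; submit responses."),
    ("Staffing <sched@hospital.example>",
     "Updated on-call roster for next week is attached."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(signal_fires(sender, body), sender)
```

The second sample shows why the exclusion has to compare whole domain labels: a lookalike that merely contains `qsep.cms.gov` as a prefix still fires.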
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.