Fake telehealth / patient-portal impersonation — email impersonates MyChart, FollowMyHealth, athenaPatient, NextGen, Cerner HealtheLife, Epic Open Scheduling, Teladoc, MDLive, Amwell, or Doxy.me with a health-action hook (new secure message, test results available, refill decision, after-visit summary) + portal-login CTA pointing at an off-allowlist URL. HIPAA Journal Feb 2026: 9.65M PHI records exposed Jan-Feb 2026; Scamicide Apr 2025 personalized MyChart phish; HHS OCR Dec 2024 PIH Health $600K phishing-breach settlement; KnowBe4 2025 flagged healthcare as a priority phishing vertical

Email impersonates a patient portal or telehealth brand — MyChart (Epic), FollowMyHealth, athenaPatient, NextGen, Cerner HealtheLife, Epic Open Scheduling, Teladoc, MDLive, Amwell, or Doxy.me — with a health-action hook ("you have a new secure message," "your test results are available," "prescription refill decision ready," "after-visit summary") and a portal-login CTA pointing at an off-allowlist URL. The target enters credentials on a lookalike login page; because the healthcare context creates emotional urgency (lab results, a message from your doctor, a prescription decision) users click faster than they would for other brands. HIPAA Journal reported 9.65M PHI records exposed Jan-Feb 2026 alone — health phishing has hit sustained epidemic volume. Scamicide documented personalized MyChart phish with the target's first name in April 2025; HHS OCR settled PIH Health for $600K in December 2024 over a phishing-enabled breach; KnowBe4 2025 flagged healthcare as a priority phishing vertical because of the high PHI-record resale value on dark markets. Distinct from generic medical-bill / insurance-claim phish because this specifically targets the patient-portal login flow. Warning signs: any patient-portal-branded email that couples a secure-message / test-results / refill hook with a "log in to view" link to a domain that is not your real provider's portal subdomain.