Data leak
⛓ Supply Chain
MCG Health Patient Care Guidelines Breach — 1.1 Million Patients
Incident Details
In March 2022, MCG Health, a Hearst Health subsidiary that provides evidence-based patient care guidelines and clinical decision support software to health plans and hospitals, suffered a data breach affecting approximately 1.1 million patients. MCG Health's care guidelines are used by payers and providers to determine the clinical appropriateness of procedures, surgeries, and hospital admissions. Data tied to care guidelines is a particularly sensitive category, since it can include whether a procedure was approved or denied and can therefore bear on insurance disputes.

MCG disclosed the breach to HHS OCR in June 2022. Exposed data included patient Social Security numbers, medical codes, medical record numbers, health plan member IDs, patient addresses, phone numbers, and names. Multiple health plans and healthcare organisations subsequently notified their patients whose data was held by MCG. The breach was notable for exposing data about clinical decision-making, a category of health data beyond standard PHI. Multiple class-action lawsuits were filed against MCG Health and its health plan clients for inadequate protection of clinical data.
Technical Details
- Initial Attack Vector: an unknown attacker gained unauthorized access to MCG Health's IT environment and accessed a file containing patient personal data stored on MCG Health's systems; the specific intrusion vector was not publicly disclosed
- Vendor / Product: MCG Health patient care guidelines platform
- Supply Chain Attack: ✅ Confirmed third-party / vendor compromise
Timeline
- 2022-03-25 Breach occurred
- 2022-06-10 Publicly disclosed
- 2022-06-10 Customers notified