BrightSpring Health Services, Inc. (BTSG) Risk Analysis

Numerous federal, state, and foreign laws, rules, and regulations, as well as contractual obligations, govern the Processing of confidential, sensitive, and personal information, including certain patient health information, such as patient records. Existing laws and regulations are constantly evolving, and new laws and regulations that apply to our business are being introduced at every level of government in the United States. In many cases, these laws and regulations apply not only to third-party transactions, but also to transfers of information between or among us, our affiliates, and other parties with whom we conduct business. These laws and regulations may be interpreted and applied differently over time and from jurisdiction to jurisdiction, and it is possible that they will be interpreted and applied in ways that may have a material adverse effect on our business. The regulatory framework for data privacy and security worldwide is continuously evolving and developing and, as a result, interpretation and implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future. For example, HIPAA establishes a set of national privacy and security standards in the United States for the protection of PHI by health plans, healthcare clearinghouses, and certain healthcare providers, referred to as covered entities, and the business associates with whom such covered entities contract for services that involve the use or disclosure of PHI, including certain subcontractors of such business associates. HIPAA requires healthcare providers like us to develop and maintain policies and procedures with respect to PHI that is used or disclosed, including the adoption of administrative, physical, and technical safeguards to protect such information. In particular, HIPAA requires us to develop and maintain policies and procedures governing PHI that is used or disclosed, and to implement administrative, physical, and technical safeguards to protect PHI, including PHI maintained, used, and disclosed in electronic form. These safeguards include employee training, identifying business associates with whom covered entities need to enter into HIPAA-compliant contractual arrangements, called business associate agreements, and various other measures. Ongoing implementation and oversight of these measures involves significant time, effort, and expense and we may have to dedicate additional time and resources to ensure compliance with HIPAA requirements. HIPAA further requires covered entities to notify affected individuals "without unreasonable delay and in no case later than 60 calendar days after discovery of the breach" if their unsecured PHI is subject to an unauthorized access, use or disclosure, though many states require shorter breach notification timeframes. If a breach affects 500 patients or more, covered entities must report it to HHS and local media without unreasonable delay (and in no case later than 60 days after discovery of the breach), and HHS will post the name of the entity on its public website. If a breach affects fewer than 500 individuals, the covered entity must log it and notify HHS at least annually. HIPAA also implemented the use of standard transaction code sets and standard identifiers that covered entities must use when submitting or receiving certain electronic healthcare transactions, including activities associated with the billing and collection of healthcare claims. Penalties for failure to comply with a requirement of HIPAA vary significantly depending on the failure and could include requiring corrective actions, resolution agreements, and/or imposing civil monetary or criminal penalties. HIPAA also authorizes HHS to conduct audits of HIPAA compliance and state attorneys general to file suit under HIPAA on behalf of state residents. Courts can award damages, costs, and attorneys' fees related to violations of HIPAA in such cases. While HIPAA does not create a private right of action allowing individuals to sue us in civil court for HIPAA violations, its standards have been used as the basis for a duty of care claim in state civil suits such as those for negligence or recklessness in the misuse or breach of PHI. Litigation with those affected could increase our liabilities, harm our reputation, and have a material adverse effect on our business, financial condition, and results of operations. Numerous other federal and state laws protect the confidentiality, privacy, availability, integrity, and security of PHI. For example, failing to take appropriate steps to keep consumers' personal information secure constitutes unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act, or the FTCA. The FTC expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. Individually identifiable health information is considered sensitive data that merits stronger safeguards. The FTC's current guidance for appropriately securing consumers' personal information is similar to what is required by the HIPAA security regulations, but this guidance may change in the future, resulting in increased complexity and the need to expend additional resources to ensure we are complying with the FTCA. For information that is not subject to HIPAA and deemed to be "personal health records," the FTC may also impose penalties for violations of the Health Breach Notification Rule, or HBNR, to the extent we are considered a "personal health record-related entity" or "third party service provider." The FTC has taken several enforcement actions under HBNR this year and indicated that the FTC will continue to protect consumer privacy through greater use of the agency's enforcement authorities. As a result, our operations may be subject to greater scrutiny by federal and state regulators, partners, and consumers with respect to our collection, use, and disclosure of health information. Additionally, federal and state consumer protection laws are increasingly being applied by FTC and states' attorneys general to regulate the collection, use, storage, and disclosure of personal or personally identifiable information, through websites or otherwise, and to regulate the presentation of website content. Further, various states, such as California and Massachusetts, have implemented privacy laws and regulations, such as the California Confidentiality of Medical Information Act, that impose restrictive requirements regulating the use and disclosure of personally identifiable information, including PHI. In many cases, these laws are more restrictive than, and may not be preempted by, HIPAA and may be subject to varying interpretations by courts and government agencies, creating complex compliance issues and potentially exposing us to additional expense, adverse publicity, and liability. We also expect that there will continue to be new laws, regulations, and industry standards concerning privacy, data protection, and information security proposed and enacted in various jurisdictions. For example, Washington State enacted a broadly applicable law to protect the privacy of personal health information known as the "My Health My Data Act," which generally requires affirmative consent for the collection, use, or sharing of any "consumer health data." Consumer health data is defined to include personal information that is linked or reasonably linkable to a consumer and that identifies a consumer's past, present, or future physical or mental health status; consumer health data also includes information that is derived or extrapolated from non-health information, such as algorithms and machine learning. Other states, including Connecticut and Nevada, have also passed consumer health data laws, and given the increased focus on the use of health data by entities that are not subject to HIPAA, additional states are expected to pass consumer health privacy laws. The CCPA originally went into effect on January 1, 2020, and established a new privacy framework for covered businesses such as ours. In November 2020, California voters passed the CPRA, which went into effect on January 1, 2023, and which further expanded the CCPA with additional data privacy compliance requirements that may impact our business, and established a regulatory agency dedicated to enforcing the CCPA. It remains unclear how various provisions of the CCPA (as amended by CPRA and its implementing regulations) will be interpreted and enforced. In addition, on March 2, 2021, Virginia enacted the Virginia Consumer Data Protection Act, or VCDPA, a comprehensive privacy statute that shares similarities with the CCPA and legislation proposed or enacted in other states. Additional states, including Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, and Utah have since passed or are considering passing comprehensive state privacy laws. In addition, laws such as the Illinois Biometric Information Privacy Act, which regulates the Processing of biometric information, provide for a private right of action and substantial penalties and statutory damages for violations that have generated significant class-action litigation and settlements. Such laws and regulations require us to continuously review our data Processing practices and policies, may cause us to incur substantial costs with respect to compliance, and could require us to adapt our products and solutions, which may reduce their utility to our customers. Similar laws have been proposed in other states and at the federal level and if passed, such laws may have potentially conflicting requirements that would make compliance challenging. Such changes may also require us to modify our products and features, and may limit our ability to make use of the data that we collect, may require additional investment of resources in compliance programs, impact strategies, and the availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies. New legislation proposed or enacted in various other states will continue to shape the data privacy environment nationally. Additionally, all 50 U.S. states and the District of Columbia have enacted breach notification laws that may require us to notify patients, employees, or regulators in the event of unauthorized access to or disclosure of personal or confidential information experienced by us or our service providers. These laws are not consistent, and compliance in the event of a widespread data breach is difficult and may be costly. Moreover, states have been frequently amending existing laws, requiring attention to changing regulatory requirements. We also may be contractually required to notify patients or other counterparties of a security breach. Although we may have contractual protections with our service providers, any actual or perceived security breach could harm our reputation and brand, expose us to potential liability, or require us to expend significant resources on data security and in responding to any such actual or perceived breach. Any contractual protections we may have from our service providers may not be sufficient to adequately protect us from any such liabilities and losses, and we may be unable to enforce any such contractual protections. In addition to government regulation, privacy advocates and industry groups have and may in the future propose self-regulatory standards from time to time. These and other industry standards may legally or contractually apply to us, or we may elect to comply with such standards. Further, in Canada, the Personal Information Protection and Electronic Documents Act, or PIPEDA, and similar provincial laws may impose obligations with respect to processing personal information. PIPEDA requires companies to obtain an individual's consent when collecting, using, or disclosing that individual's personal information. Individuals have the right to access and challenge the accuracy of their personal information held by an organization, and personal information may only be used for the purposes for which it was collected. If an organization intends to use personal information for another purpose, it must again obtain that individual's consent. Additionally, we make public statements about our use and disclosure of personal information through our privacy policies, information provided on our website and press statements. Although we endeavor to comply with our public statements and documentation, we may at times fail to do so or be alleged to have failed to do so. The publication of our privacy policies and other statements that provide promises and assurances about data privacy and security can subject us to potential government or legal action if they are found to be deceptive, unfair, or misrepresentative of our actual practices. Moreover, from time to time, concerns may be expressed about whether our services compromise the privacy of patients and others. Any concerns about our data privacy and security practices, even if unfounded, could damage the reputation of our businesses, discourage potential patients from our services and have a material adverse effect on our business. Complying with these various laws, rules, regulations, and standards, and with any new laws or regulations changes to existing laws, could cause us to incur substantial costs that are likely to increase over time, require us to change our business practices in a manner adverse to our business, divert resources from other initiatives and projects, and restrict the way products and services involving data are offered, all of which may have a material adverse effect on our business. For example, we have incurred and expect to continue to incur additional costs to comply with the CCPA and other similar U.S. state laws and regulations. However, in the future we may be unable to make such changes and modifications to our business practices in a commercially reasonable manner, or at all. Given the rapid development of data privacy laws and regulations, we expect to encounter inconsistent interpretation and enforcement of these laws and regulations, as well as frequent changes to these laws and regulations which may expose us to significant penalties or liability for non-compliance, the possibility of fines, lawsuits (including class action privacy litigation), regulatory investigations, criminal or civil sanctions, audits, adverse media coverage, public censure, other claims, significant costs for remediation and damage to our reputation, or otherwise have a material adverse effect on our business and operations. Any inability to adequately address data privacy or security-related concerns, even if unfounded, or to comply with applicable laws, regulations, standards, and other obligations relating to data privacy and security, could result in additional cost and liability to us, damage our relationships with patients, harm our reputation, and have a material adverse effect on our business.

The U.S. healthcare industry in which we operate is highly competitive. We compete with a broad and diverse set of services spanning both pharmacy and provider services. In our Pharmacy Solutions segment, the competition for the distribution of pharmaceuticals to patients and also to healthcare facilities is intense. In our Provider Services segment, we compete with local, regional, and national providers of home health, hospice, rehab therapy, personal, and behavioral health services in each of the geographical areas in which we operate. In each geographic market, there are national, regional, and local facility-based pharmacies that provide services comparable to those offered by our pharmacies. In addition, owners of skilled nursing facilities are also entering the facility-based pharmacy market, particularly in areas of their geographic concentration. We also compete in the large and highly fragmented hospice, infusion, and specialty pharmacy markets. Failure to compete effectively could have a material adverse effect on our market share, business, financial condition, and results of operations. We compete based on the availability of personnel, the quality of services, expertise of clinicians, caregivers, pharmacists, and pharmacy professionals, and in certain instances, on the price of our services. Some of our competitors may have greater financial, technical, and marketing resources, name recognition, or a larger number of patients and payors than we do. Often our contracts with payors are not exclusive, and local competitors may develop strategic relationships with referral sources and payors, limiting our ability to retain referrals and payors in local markets. Some of our competitors may negotiate exclusivity provisions with managed care plans or otherwise interfere with the ability of managed care companies to contract with us. We may experience increased competition for managed care contracts due to state regulation and limitations. These competitive advantages could result in pricing pressures, loss of, or failure to gain market share, or loss of patients or payors, any of which could harm our business. In addition, our competitors may offer more services than we do in the markets in which we operate, introduce new or enhanced services that we do not provide, or be viewed by consumers as a more desirable local alternative. This, in combination with industry consolidation and the development of strategic relationships by our competitors (including mergers of competitors with each other and with insurers), could cause a decline in revenue, loss of market acceptance of our services or a negative impact on our results of operations. In addition, some of our competitors have vertically integrated business models with commercial payors, or are under common control with, or owned by, pharmaceutical wholesalers and distributors, Managed Care Organizations, or MCOs, PBMs, or retail pharmacy chains and may be better positioned with respect to the cost-effective distribution of pharmaceuticals. In addition, some of our competitors may have secured long-term supply or distribution arrangements for prescription pharmaceuticals necessary to treat certain chronic disease states on price terms substantially more favorable than the terms currently available to us. Consequently, we may be less price competitive than some of these competitors with respect to certain pharmaceutical products. In our Provider Services segment, there are few barriers to entry in states that do not require a certificate of need, or CON, or permit of approval, or POA. Although state CON and POA laws may limit the ability of competitors to enter into certain markets, these laws are not uniform throughout the United States and are frequently the subject of efforts to limit or repeal such laws. If states remove existing CON or POA requirements, we could face increased competition in these states. There can be no assurances that other states will not seek to eliminate or limit their existing CON or POA programs, which could lead to increased competition in these states. In our Pharmacy Solutions segment, we must maintain good working relationships with pharmaceutical manufacturers, wholesalers, and distributors. Any loss of a supplier relationship or other changes to these relationships could have an adverse effect on our business, financial condition, and results of operations. Additionally, access to limited distribution pharmaceuticals provides us with significant competitive advantages in developing relationships with payors and healthcare providers, and our failure to continue obtaining access to new limited distribution pharmaceuticals or the loss of our current access could have a material and adverse impact on our business. We also provide a significant amount of services to pharmaceutical manufacturers in exchange for a service fee related to patient access to specialty pharmaceuticals, and our failure to provide services at optimal levels could result in losing access to existing and future products. If pharmaceutical manufacturers require significant additional services and products to obtain access to their products without a corresponding increase in service fees, our profitability could be adversely impacted.

Our success depends on our ability to maintain our corporate reputation, including our reputation for providing quality patient care and for compliance with applicable Medicare, Medicaid, or HIPAA requirements or other laws to which we are subject, among governmental authorities, physicians, hospitals, discharge planning departments, case managers, nursing homes, rehabilitation centers, advocacy groups, patients and their families, other referral sources, and the public. For example, while we believe that the services we provide are of high quality, if our "quality measures," which are published annually online by CMS, are deemed to be not of the highest value, our reputation could be negatively affected. Adverse publicity surrounding any aspect of our business, including our failure to provide proper care, staffing, or training, incidents at our facilities, employee misconduct, conditions at our facilities, litigation, licensure actions, changes in public perception of our services or government investigations of our operations could negatively affect our overall reputation, the willingness of other providers and organizations to refer patients to us, of patients to use our services, and our ability to retain agreements or obtain new agreements. Increased government scrutiny may also contribute to an increase in compliance costs. Any of these events could have a negative effect on our business, financial condition, and operating results. There has been a marked increase in the use of social media platforms and similar channels that provide individuals with access to a broad audience of consumers and other interested persons. The availability of information on social media platforms is virtually immediate, as is its effect. Many social media platforms immediately publish the content their subscribers and participants post, often without filters or checks on accuracy of the content posted. The opportunity for dissemination of information, including inaccurate information, is potentially limitless. Information about our business and/or services may be posted on such platforms at any time. Negative views regarding our services may continue to be posted in the future, and are out of our control. Regardless of their accuracy or authenticity, such information and views may be adverse to our interests and may harm our reputation and brand. The harm may be immediate without affording an opportunity for redress or correction. Such negative publicity also could adversely affect the size, engagement, activity, and loyalty of our customer base or the effectiveness of word-of-mouth marketing, and result in decreased revenue, or require us to expend additional funds for marketing efforts. Ultimately, the risks associated with any such negative publicity cannot be eliminated or completely mitigated and may materially adversely affect our business, financial condition, and results of operations.

We have contractual relationships with pharmaceutical manufacturers, wholesalers, and distributors to purchase the pharmaceuticals that we dispense. In order to have access to these pharmaceuticals, and to be able to participate in the launch of new pharmaceuticals, we must maintain a good working relationship with these suppliers. Most of the manufacturers we contract directly with have the right to cancel their supply contracts with us without cause and after giving only minimal notice. In addition, these agreements may allow the manufacturers to distribute through channels other than us. Certain of these agreements also allow pricing and other terms to be adjusted periodically for changing market conditions or required service levels. We may be unable to renew contracts with our suppliers on favorable terms or at all. Any changes to these relationships, including, but not limited to, the loss of a supplier relationship or changes in pricing, could have an adverse effect on our business and financial results. Many products dispensed by our pharmacies are manufactured with ingredients that are susceptible to supply shortages. Our suppliers are independent entities subject to their own operational and financial risks that are outside our control. If our current suppliers were to stop selling drugs to us or delay delivery, including as a result of supply shortages, production disruptions, quality issues, closing, or bankruptcies of our suppliers, or for other reasons, we may be unable to procure alternatives from other suppliers in a timely and efficient manner and on acceptable terms, or at all. Should a supply disruption result in the inability to obtain pharmaceutical solutions necessary for patient care, our business, financial condition, and results of operations could be negatively impacted. Some pharmaceutical manufacturers, wholesalers, and/or distributors attempt to limit the number of preferred pharmacies that may market certain of their products. We cannot provide assurance that we will be selected and retained as a preferred pharmacy or can remain a preferred pharmacy to market these products. We cannot provide assurance that we will be able to compete effectively with other providers to dispense each of our core products. Consolidation within the drug manufacturing industry and other external factors may enhance the ability of suppliers to sustain or increase pricing of drugs and diminish our ability to negotiate reduced drug acquisition costs. Any inability to offset increased brand name or generic drug acquisition costs or to modify our activities to lessen the financial impact of such increased costs could have a significant adverse effect on our operating results. We receive certain discounts, rebates, and other price concessions from suppliers. For example, we have agreements with certain affiliates of Walgreen Stockholder pursuant to which we purchase both generic and non-generic pharmaceutical products and services at favorable prices and other payment terms. If one or both of such agreements were to terminate or if we were to otherwise lose our right to participate in such agreements, we may not be able to replace such arrangements to purchase pharmaceutical products and services at similarly favorable prices or at all. There can be no assurance that any changes in legislation or regulations, or the interpretation or application of current law, that would eliminate or significantly reduce the discounts, rebates, and other price concessions that we receive from suppliers or that would otherwise impact payment available for drugs under federal or state healthcare programs will not have a material adverse impact on our business, financial condition, and results of operations. The pipeline of new drugs includes many products that over the long term may replace older, more expensive therapies. As a result of such older drugs losing patent protection and being replaced by generic substitutes, new and less expensive delivery methods (such as when an infusion or injectable drug is replaced with an oral drug) or additional products may be added to a therapeutic class, thereby increasing price competition in that therapeutic category. Much of the branded and generic drug product that we dispense is manufactured in whole or in substantial part outside of the United States and imported by our suppliers. As a result, significant changes in tax or trade policies, tariffs, or trade relations between the United States and other countries, such as the imposition of unilateral tariffs on imported products, could result in significant increases in our costs, restrict our access to suppliers, depress economic activity, and have a material adverse effect on our business, financial condition, and results of operations. In addition, other countries may change their business and trade policies and such changes, as well as any negative sentiments towards the United States in response to increased import tariffs and other changes in U.S. trade regulations, could adversely affect our businesses.

We rely on a combination of intellectual property laws, internal procedures, and nondisclosure agreements to protect our intellectual property and proprietary rights. We believe our trademarks are valuable assets. However, our intellectual property rights may not be sufficient to distinguish our services from those of our competitors and to provide us with a competitive advantage. For example, from time to time, third parties may use names, logos, and slogans similar to ours, may apply to register trademarks or domain names similar to ours, and may infringe or otherwise violate our intellectual property rights. Our intellectual property rights may not be successfully asserted against such third parties or may be invalidated, circumvented, or challenged. Asserting or defending our intellectual property rights could be time consuming and costly and could distract management's attention and resources. If we are unable to prevent our competitors from using names, logos, slogans, and domain names similar to ours, consumer confusion could result, the perception of our brands and services could be negatively affected, and our revenue and profitability could suffer as a result. Failure to protect our intellectual property and proprietary rights could have an adverse effect on our business.

In the ordinary course of our business, we collect, process, use, transmit, share, disclose, create, receive, maintain, transmit, and store, or collectively, Process, personal information (which may also be referred to as personal data, personally identifiable information, and/or non-public personal information), including protected health information, or PHI, relating to our patients, employees, referral sources, payors, and others. We also Process, and contract with third-party service providers to Process, other sensitive, confidential, and/or proprietary information. We use third-party service providers for important aspects of the Processing of personal information and other confidential and sensitive data and information, and therefore rely on third parties to manage functions that have material cybersecurity risks. Because of the sensitivity of such personal information and other sensitive data and information that we and our service providers Process, the security of our technology platform and other aspects of our services, including those provided or facilitated by our third-party service providers, are critical to our operations and business strategy. Our patients, employees, payors, and referral sources have a high expectation that we will adequately protect their information, including personal information, from cyberattacks or other security breaches, and may have claims against us if we are unable to do so. We may also have exposure to regulatory investigations and other compliance risks in the event of a cyberattack or other security breach. We have been, and are currently, subject to HHS investigations with respect to data privacy and security incidents involving PHI. There can be no assurance that we will not be subject to such HHS investigations or investigations by other governmental or regulatory authorities in the future, including those that may have a material impact on our business. Any delay in identifying such breaches or incidents or in providing timely reports or notification of such incidents may lead to increased harm and increased penalties or other actions, such as measures required as part of any resolution or settlement agreement. Our patients, employees, payors, and referral sources may have contractual rights of indemnification against us in the event that their personal or proprietary business information is accessed, acquired, disclosed, lost, used or compromised as a result of a breach of our information systems. In such an event, these parties may also seek to terminate our contracts with them. Our systems and those of our third-party service providers and business partners may be vulnerable to, and have experienced, data or security breaches, cyberattacks (including ransomware), acts of vandalism, computer viruses, misplaced or lost data, human errors, or other similar events. While we have safeguards in place designed to defend our systems against intrusions and attacks and to protect our data, we cannot be certain that these measures are sufficient to counter all current and emerging technology threats. If unauthorized parties gain access to our networks or data, or those of our employees, third-party service providers or business partners, they may be able to access, steal, publish, delete, use in an unauthorized manner or modify confidential and sensitive information, including personal information, PHI, trade secrets or other confidential information, intellectual property, and proprietary business information. In addition, employees may intentionally or inadvertently cause data or security breaches that result in destruction, loss, alteration, unauthorized disclosure of, or access to such information. Further, the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently and are often difficult to detect. Threats to our systems and associated third-party systems can originate from human error, fraud, or malice on the part of employees or third parties or simply from accidental technological failure. Computer viruses and other malware can be distributed and could infiltrate our systems or those of associated third parties. Because the techniques used to circumvent security systems can be highly sophisticated, change frequently, are often not detected until launched against a target and may originate from less regulated and remote areas around the world, we, and our third-party service providers, may be unable to effectively detect or proactively address all possible techniques, implement adequate preventive measures for all situations or respond to any breach or security incident. The administrative, physical, and technological safeguards we or our third-party service providers implement to address these risks may not address applicable laws and regulations or address situations that could lead to increased privacy or security risks. The businesses we have acquired, or may acquire in the future, may not have in place all of the required safeguards and may have experienced breaches or security incidents. It may take significant time and expense to integrate such businesses to our policies and procedures. To the extent we terminate contracts with our third-party service providers, we may not be able to ensure that the relevant personal information of our patients and employees is maintained in compliance with the required safeguards. In the normal course of business, we are and have been the target of malicious cyberattack attempts and have experienced ransomware attacks and other security incidents that have disrupted our operations. For example, in March 2023, we experienced a ransomware attack that resulted in a breach of more than 6 million individuals' personal information (including PHI). While we do not currently expect this incident to have a material impact on our business, we notified the impacted individuals and applicable regulators and are currently subject to a HHS Office for Civil Rights investigation, various state regulatory investigations, and various lawsuits in connection with this incident. There can be no assurance that any present or future cyberattacks will not be material or significant. Any such cyberattack or threat, including those that result in data or security breaches, could result in costly investigations, litigation, government enforcement actions, civil or criminal penalties, fines, operational changes or other response measures, loss of patient and customer confidence in our security measures, loss of business partners, and negative publicity that could adversely affect our brand, reputation, business, financial condition, and results of operations. In particular, any such interruption in access, compromise, use, improper access, acquisition, disclosure or other loss of information, including personal information or PHI, could result in legal claims or proceedings and/or liability or penalties under laws and regulations that protect the privacy, confidentiality, or security of personal information, including the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 and other laws, and implementing regulations, or collectively, HIPAA, the FTCA, the California Consumer Privacy Act, or CCPA, as amended by the California Privacy Rights Act of 2020, or CPRA, and its implementing regulations, and other state data privacy, security, consumer health data, or consumer protection laws, including state breach notification laws. These laws often provide for civil penalties for violations, as well as a private right of action for data breaches that may increase data breach litigation. Any delay in identifying such breaches or incidents or in providing timely notification of such incidents may lead to increased harm and increased penalties. For further information, see "-Risks Related to Our Regulatory Framework-If we are found to have violated HIPAA, or any other applicable privacy and security laws and regulations, as well as contractual obligations, we could be subject to sanctions, fines, damages, and other additional civil or criminal penalties, which could increase our liabilities, harm our reputation, and have a material adverse effect on our business, financial condition, and results of operation." In addition, denial of service or other cyberattacks could be launched against us for a variety of purposes, including to interfere with our services or create a diversion for other malicious activities. Our defensive measures may not prevent unplanned downtime, or the unauthorized access, acquisition, disclosure, or use of confidential, sensitive data, and/or personal information. We may be required to expend significant capital and other resources to protect against security breaches, to safeguard the privacy, security, and confidentiality of personal information and other sensitive data and information, to investigate, contain, remediate, and mitigate actual or potential security breaches and security incidents, and/or to report security breaches and security incidents to patients, customers, employees, regulators, media, credit bureaus, and other third parties in accordance with applicable law and to offer complimentary credit monitoring, identity theft protection, and similar services where required by law or otherwise appropriate. While we maintain cyber errors and omissions insurance coverage that covers certain aspects of cyber risks, these losses may not be adequately covered by insurance or other contractual rights available to us. We may also be subject to potential increases in insurance premiums, resulting in increased costs or loss of revenue, and such insurance coverage may not continue to be available to us in adequate amounts or on satisfactory terms, if at all.

Our business is highly dependent on maintaining effective and secure information systems, including those maintained by us and those maintained and provided by third-party service providers (for example, "software-as-a-service" and cloud solutions), as well as the integrity and timeliness of the data we use to serve our patients, support employees and operate our business. Our business also supports the use of electronic visit verification, or EVV, to collect visit submission information such as service type, visit start time and end time, and care plan tasks for our home and community-based care services. We use mobile devices to capture time in and time out, mileage and travel time, as well as the completed care plan tasks with client verification. Our ability to effectively manage our business and coordinate the provision and billing of our services and prompt, accurate documentation of the care and services we provide depends significantly on the reliability and capacity of these systems. We rely on these providers to provide continual operation, as well as maintenance, enhancements, and security of any protected and/or confidential data (including personal information). To the extent that our EVV and other vendors fail to support these processes, our internal operations could be negatively affected. Our systems, and those of our third-party service providers, are vulnerable to damages, failures, malfunctions, outages or other interruptions which could be caused by a number of factors such as power outages or damages, telecommunications problems, data corruption, software errors, human error, computer viruses, defects and other errors, physical or electronic break-ins, theft, design defects, network failures, security breaches, cyberattacks, acts of war or terrorist attacks, fire, flood, and natural disasters. A system failure, outage or other interruption may also cause the corruption or loss of important, confidential, and/or protected data (including personal information). See "-Risks Related to Our Regulatory Framework-If we are found to have violated HIPAA, or any other applicable privacy and security laws and regulations, as well as contractual obligations, we could be subject to sanctions, fines, damages, and other additional civil or criminal penalties, which could increase our liabilities, harm our reputation, and have a material adverse effect on our business, financial condition, and results of operation." Furthermore, our third-party providers' existing safety systems, data backup, access protection, user management, information technology emergency planning, and other security measures may not be sufficient to prevent data loss or long-term network outages. In addition, we may have to upgrade our existing information technology systems from time to time in order for such systems to withstand the increasing needs of our expanding business. We rely on certain hardware, telecommunications, and software vendors to maintain and periodically upgrade many of these systems so that we can continue to support our business. Costs and potential problems and interruptions associated with the implementation of new or upgraded systems and technology or with maintenance or adequate support of existing systems could disrupt or reduce the efficiency of our operations. Further, upgrading and expanding our information technology infrastructure could require significant investment of additional resources and capital, which may not always be available or available on favorable terms. We also depend on our information technology staff. If we cannot meet our staffing needs in this area, we may not be able to fulfill our technology initiatives while continuing to provide maintenance on existing systems. Any material disruption, outage or slowdown of our systems or those of our third-party providers, including those caused by our or their failure to successfully upgrade our or their systems, and our or their inability to convert to alternate systems in an efficient and timely manner could have a material adverse effect on our business, financial condition, and results of operations. Additionally, operations that we acquire must be integrated into our various information systems in an efficient and effective manner. For certain aspects, we rely upon third-party service providers to assist us with those activities. If we are unable to integrate and transition any acquired business into our information systems, due to our failures or any failure of our third-party service providers, we could incur unanticipated expenses, suffer disruptions in service, experience regulatory issues, and lose revenue from the operation of such business.