The privacy and security of PII stored, maintained, received or transmitted electronically is a major issue in the United States. While we strive to comply with all applicable privacy and security laws and regulations, as well as our own posted privacy policies, legal standards for privacy, including but not limited to the prohibitions on "unfairness" and "deception" enforced by the Federal Trade Commission and state attorneys general, as well as the comprehensive privacy laws now in force in more than a dozen states, continue to evolve, and any failure or perceived failure to comply may result in proceedings or actions against us by government entities or others, or could cause us to lose customers, any of which could have a material adverse effect on our business. Recently, there has been an increase in public awareness of privacy issues in the wake of revelations about the activities of various government agencies, and in the number of private privacy-related lawsuits filed against companies. Any allegations about us, our supported practices or our supported clinicians with regard to the collection, processing, use, disclosure or security of PII or other privacy-related matters, even if unfounded and even if we are in compliance with applicable laws, could damage our reputation and harm our business.
We also publish statements to our patients and stakeholders that describe how we handle and protect personal information. If federal or state regulatory authorities or private litigants consider any portion of these statements to be deceptive or misleading, either by what was said or what is omitted, we may be subject to claims of deceptive practices, which could lead to significant liabilities and consequences, including, without limitation, costs of responding to investigations, defending against litigation, settling claims and complying with regulatory or court orders.
Numerous foreign, federal and state laws and regulations govern collection, dissemination, use and confidentiality of personally identifiable health information, including state privacy and confidentiality laws (including state laws requiring disclosure of breaches) and HIPAA.
HIPAA establishes a set of basic national privacy and security standards for the protection of PHI by health plans, healthcare clearinghouses and certain healthcare providers, referred to as covered entities, and by the business associates with whom such covered entities contract for services, a category that includes us. Certain of our entities and supported practices are covered entities, while our management service entities are business associates.
HIPAA requires covered entities and business associates to develop and maintain policies and procedures with respect to PHI that is used or disclosed, including the adoption of administrative, physical and technical safeguards to protect such information. HIPAA also implemented the use of standard transaction code sets and standard identifiers that covered entities must use when submitting or receiving certain electronic healthcare transactions, including activities associated with the billing and collection of healthcare claims.
HIPAA imposes mandatory penalties for certain violations. Penalties for violations of HIPAA and its implementing regulations include civil monetary penalties of up to $68,928 per violation, not to exceed $2,067,813 for violations of the same standard in a single calendar year (as of 2023, and subject to periodic adjustments for inflation). However, a single breach incident can result in violations of multiple standards, which could result in significant fines. A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA may face a criminal penalty of up to $50,000 and up to one year of imprisonment. The criminal penalties increase if the wrongful conduct involves false pretenses or the intent to sell, transfer or use identifiable health information for commercial advantage, personal gain or malicious harm, with a maximum fine of $250,000 and maximum imprisonment of ten years. HIPAA also authorizes state attorneys general to file suit on behalf of their residents. While HIPAA does not create a private right of action allowing individuals to sue us in civil court for violations of HIPAA, its standards have been used as the basis for the duty of care in state civil suits, such as those alleging negligence or recklessness in the misuse or breach of PHI. Any such penalties or lawsuits could harm our business, financial condition, results of operations and prospects.
In addition, HIPAA mandates that the Secretary of HHS conduct periodic compliance audits of covered entities and business associates for compliance with the HIPAA Privacy and Security Rules. It also tasks HHS with establishing a methodology under which individuals harmed by breaches of unsecured PHI may receive a percentage of the civil monetary penalty paid by the violator.
HIPAA further requires that patients be notified of any unauthorized acquisition, access, use or disclosure of their unsecured PHI that compromises the privacy or security of such information, with certain exceptions for unintentional or inadvertent acquisition, access, use or disclosure by workforce members or other authorized individuals acting in good faith. HIPAA specifies that such notifications must be made "without unreasonable delay and in no case later than 60 calendar days after discovery of the breach." If a breach affects 500 or more individuals, it must be reported to HHS without unreasonable delay, and HHS will post the name of the breaching entity on its public website. Breaches affecting more than 500 residents of the same state or jurisdiction must also be reported to prominent media outlets serving that state or jurisdiction. If a breach involves fewer than 500 individuals, the covered entity must record it in a log and report it to HHS annually, no later than 60 days after the end of the calendar year in which the breach was discovered. Further, HHS OCR published a proposed rule in January 2021 which, among other things, calls for greater care coordination and expands an individual's right to access patient records. The proposed rule specifically encourages the disclosure of PHI when needed to help individuals experiencing substance use disorder or serious mental illness and in emergency circumstances. The proposed rule was subject to the regulatory freeze announced by the Biden administration, and we do not know when (or if) the final rule will be published or whether there may be additional changes to the regulations; when it is published, we will need to evaluate and potentially update our HIPAA regulatory programs and documentation to ensure compliance with its requirements. HHS OCR additionally issued a proposed rule in April 2023 to modify existing standards permitting uses and disclosures of PHI when the PHI pertains to reproductive healthcare, which is defined broadly.
Additionally, the use of online tracking technologies, which are commonly deployed to collect and analyze information about user behavior and enhance the user experience, may result in impermissible disclosures of PHI under HIPAA and expose regulated entities to sanctions. In December 2022, OCR issued a bulletin titled "Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates," which sets forth broad-reaching guidance for HIPAA covered entities and their business associates that use online tracking technologies on their webpages and in their applications. In the guidance, OCR takes the position that when individuals use regulated entities' websites, the individual information gleaned from that use (including IP address, geographic location or other unique identifying code) may constitute PHI, and that such information cannot be disclosed to a tracking vendor in a manner that would constitute an impermissible disclosure under HIPAA (e.g., disclosure without a valid HIPAA authorization or a business associate agreement ("BAA") with the vendor) or otherwise violate HIPAA. See "-Risks Related to Our Business and Our Industry-Litigation, including in connection with commercial disputes or employment claims, against us could be costly and time-consuming to defend."
We may also be required to comply with the federal substance use disorder confidentiality regulations, known as 42 C.F.R. Part 2 ("Part 2"). In July 2020, new regulations revised Part 2 to better align it with HIPAA and to facilitate better coordination of care in response to the opioid epidemic. On December 2, 2022, HHS published a proposed rule to implement the CARES Act provisions that bring Part 2 into closer alignment with HIPAA, including, among other things, expanding the scope of permitted disclosures of substance use disorder treatment records and applying HIPAA's breach notification standards to breaches of records protected by Part 2. Notices of Privacy Practices and arrangements with business associates and qualified service organizations will also need to be adjusted accordingly.
The Final Rule, which was published in February 2024, aligned Part 2 penalties with the civil and criminal enforcement authorities that apply to HIPAA violations. Under the Final Rule, the penalties for Part 2 violations have increased, rising from up to $5,000 for individuals and $10,000 for organizations on a per-violation basis to a $50,000 maximum penalty for failure to comply with the Part 2 requirements and a $250,000 maximum penalty for wrongful disclosure of individually identifiable health information. Additional changes in the Final Rule further harmonize Part 2 with HIPAA and include aligning data breach notification protocols with the HIPAA Breach Notification Rule; allowing a single consent for disclosures related to treatment, payment and healthcare operations; and aligning the Part 2 Patient Notice requirements with the requirements of the HIPAA Notice of Privacy Practices. We have until February 2026 to comply.
Further, the U.S. federal government and various states and governmental agencies have adopted or are considering adopting various laws, regulations and standards regarding the collection, use, retention, security, disclosure, transfer and other processing of sensitive and personal information. For example, California has implemented the California Confidentiality of Medical Information Act, which imposes restrictive requirements regulating the use and disclosure of health information and other personally identifiable information. These laws and regulations are not necessarily preempted by HIPAA, particularly where a state affords greater protection to individuals than HIPAA does. Where state laws are more protective, we have to comply with the stricter provisions. In addition to fines and penalties imposed upon violators, some of these state laws also afford private rights of action to individuals who believe their personal information has been misused. California has also implemented the California Consumer Privacy Act ("CCPA"), which came into effect on January 1, 2020 and which increases privacy rights for California residents and imposes obligations on companies that process their personal information. Among other things, the CCPA requires covered companies to provide new disclosures to California consumers and to provide such consumers new data protection and privacy rights, including the ability to opt out of certain sales of personal information. The CCPA provides for civil penalties for violations, as well as a private right of action for certain data breaches that result in the loss of personal information. This private right of action may increase the likelihood of, and the risks associated with, data breach litigation. The CCPA has been amended from time to time, and it is possible that further amendments will be enacted; even in its current form, it remains unclear how various provisions of the CCPA will be interpreted and enforced.
Additionally, the California Privacy Rights Act ("CPRA") has significantly modified the CCPA, including by expanding consumers' rights with respect to certain sensitive personal information and creating a new state agency that is vested with authority to implement and enforce the CCPA and CPRA. The majority of the CPRA provisions went into effect on January 1, 2023, with some requirements applying to data collected beginning January 1, 2022. The CPRA significantly expanded the CCPA's data protection obligations. Failure to comply with the CCPA, as amended by the CPRA, could result in penalties of up to $7,500 per violation. More than a dozen other states have now passed comprehensive privacy laws that will come into effect at various times over the next few years. We will need to continue to evaluate our privacy program as the implementation of these laws evolves and may need to make further modifications to our programs; if we fail to do so as required, we may be exposed to liability under these laws. When we implement new systems and/or upgrade existing systems used to store PII, we could be exposed to increased risk of data security breaches and failures.
There are many other state-based data privacy and security laws and regulations that may impact our business. All of these evolving compliance and operational requirements impose significant costs that are likely to increase over time, may require us to modify our data processing practices and policies, divert resources from other initiatives and projects and could restrict the way services involving data are offered, all of which may adversely affect our results of operations. Certain state laws may be more stringent or broader in scope, or offer greater individual rights, with respect to sensitive and personal information than federal, international or other state laws, and such laws may differ from each other, which may complicate compliance efforts. State laws are changing rapidly and there is discussion in Congress of a new federal data protection and privacy law to which we may be subject.
The interplay of federal and state laws may be subject to varying interpretations by courts and government agencies, creating complex compliance issues for us and our clients and potentially exposing us to additional expense, adverse publicity and liability. Further, as regulatory focus on privacy issues continues to increase and laws and regulations concerning the protection of personal information expand and become more complex, these potential risks to our business could intensify. Changes in laws or regulations associated with the enhanced protection of certain types of sensitive data, such as PHI or PII, along with increased customer demands for enhanced data security infrastructure, could greatly increase our cost of providing our services, decrease demand for our services, reduce our revenue and/or subject us to additional liabilities.
In addition to the applicable federal and state laws, we are also subject to PCI DSS, a self-regulatory standard that requires companies that process payment card data to implement certain data security measures. If we or our payment processor fail to comply with PCI DSS, we may incur significant fines or liability and lose access to major payment card systems. Our systems are subject to annual review under the PCI DSS requirements, and we have historically had, may now have, and may in the future have items that require improvement. Industry groups may in the future adopt additional self-regulatory standards by which we are legally or contractually bound.
Because of the breadth of these laws and the narrowness of their exceptions and safe harbors, it is possible that our business activities can be subject to challenge under one or more of such laws. The scope and enforcement of each of these laws is uncertain and subject to rapid change in the current environment of healthcare reform. Federal, state and foreign enforcement bodies have recently increased their scrutiny of interactions between healthcare companies and healthcare providers, which has led to a number of investigations, prosecutions, convictions and settlements in the healthcare industry. Any such investigations, prosecutions, convictions or settlements could result in significant financial penalties, damage to our brand and reputation, and a loss of customers, any of which could have an adverse effect on our business.