NeueHealth Inc (NEUE) Risk Factors

As of December 31, 2023, we had outstanding net operating losses ("NOLs") of approximately $2.5 billion, which are available to reduce future taxable income. Our carryforwards are subject to review and possible adjustment by the appropriate taxing authorities. In addition, the carryforwards that may be utilized in a future period may be subject to limitations based upon changes in the ownership of our stock in a future period. In general, under Section 382 of the Internal Revenue Code of 1986, as amended, and corresponding provisions of state law, a corporation that undergoes an "ownership change," generally defined as a greater than 50 percentage point change (by value) in its equity ownership by certain stockholders over a three year period, is subject to limitations on its ability to utilize its pre-change NOLs, research and development tax credit carryforwards and disallowed interest expense carryforwards to offset future taxable income.

We are subject to numerous state and federal laws and regulations that govern the Processing, security, retention, destruction, confidentiality, availability and integrity of PII, including PHI. These laws and regulations include HIPAA and the CCPA. HIPAA establishes a set of basic national privacy and security standards for the protection of PHI by health plans, healthcare clearinghouses and certain healthcare providers, referred to as covered entities, which includes us, and the business associates with whom such covered entities contract for services, which also includes us. HIPAA requires healthcare plans and providers?-?and until our insurance plans are fully run-out, we are both?-?to develop and maintain policies and procedures with respect to PHI that is used or disclosed, including the adoption of administrative, physical and technical safeguards to protect such information. HIPAA also implemented the use of standard transaction code sets and standard identifiers that covered entities must use when submitting or receiving certain electronic healthcare transactions, including activities associated with the billing and collection of healthcare claims. Penalties for failure to comply with a requirement of HIPAA vary significantly depending on the nature of violation and could include civil monetary or criminal penalties. HIPAA also authorizes state attorneys general to file suit on behalf of their residents. Courts are able to award damages, costs and attorneys' fees related to violations of HIPAA in such cases. While HIPAA does not create a private right of action allowing individuals to sue us in civil court for violations of HIPAA, its standards have been used as the basis for duty of care in state civil suits such as those for negligence or recklessness in the misuse or breach of PHI. HIPAA further requires that individuals be notified of any unauthorized acquisition, access, use or disclosure of their unsecured PHI that compromises the privacy or security of such information, with certain exceptions related to unintentional or inadvertent use or disclosure by employees or authorized individuals. Numerous other federal and state laws protect the processing, security, retention, destruction, confidentiality, availability and integrity of, and may otherwise limit and restrict how we can use, PII, including PHI. These laws in many cases are more restrictive than, and may not be preempted by, the HIPAA rules and may be subject to varying interpretations by courts and government agencies, creating complex compliance issues for us and our care partners and business associates and potentially exposing us to additional expense, adverse publicity and liability. Recently, several states have enacted broadly applicable laws to protect the privacy of personal health information. These laws generally require consent for the collection, use or sharing of any "consumer health data", which is defined as personal information that is linked or reasonably linkable to a consumer and that identifies a consumer's past, present, or future physical or mental health. At the federal level, various bills have been introduced in congress seeking to establish a comprehensive privacy regime including many of the concepts found in other state and federal privacy bills/laws, such as consent requirements for sensitive data, data subject rights, and privacy policy requirements. Such laws may have potentially conflicting requirements that would make compliance challenging. Such changes may also require us to modify our services and features and may limit our ability to develop new services and features that make use of the data that we collect about our consumers. We anticipate federal and state regulators to continue to enact legislation related to privacy and cyber security. New health information standards, whether implemented pursuant to HIPAA, state or federal legislative action or otherwise, could have a significant effect on the manner in which we must handle healthcare-related data, and the cost of complying with standards could be significant. If we do not comply with existing or new laws and regulations related to PHI, we could be subject to criminal or civil sanctions. We also publish privacy statements to our consumers that describe how we handle and protect PII. Any failure or perceived failure by us to maintain posted privacy policies which are accurate, comprehensive and fully implemented, and any violation or perceived violation of our privacy-, data protection- or information security-related obligations to providers, consumers or other third parties could result in claims of deceptive practices brought against our Company, which could lead to significant liabilities and consequences, including, without limitation, governmental investigations or enforcement actions, costs of responding to investigations, defending against litigation, settling claims, complying with resolution, monitoring or other agreements, civil penalties, and complying with regulatory or court orders. Such liabilities and consequences could have material impacts on our revenue and operations. Furthermore, the FTC and many state attorneys general continue to enforce federal and state consumer protection, health breach notification, and other laws against companies for online collection, use, dissemination and security practices that appear to be unfair or deceptive. For example, the FTC has taken enforcement actions based on disclosures of health information to third parties, the failure to limit third-party use of health information, the failure to implement policies and procedures to prevent improper or unauthorized disclosures of health information, and the failure to provide notice and obtain consent before the use and disclosure of health information for advertising. For information that is not subject to HIPAA and deemed to be "personal health records", the FTC may also impose penalties for violations of the HBNR to the extent we are considered a "personal health record-related entity" or "third party service provider." There are a number of legislative proposals in the United States, at both the federal and state level, that could impose new obligations. We cannot yet determine the impact that future laws, regulations and standards may have on our business.

The care delivery markets are highly competitive. Competitors across the markets in which we compete are subject to dynamic regulatory requirements and industry expectations, emerging new product and service offerings, and constantly evolving consumer preferences and demands. Our principal competitors for consumers and payor contracts vary considerably in type and identity by market. Our business currently operates medical groups and competes with other medical groups in the same localities. We also compete with MSOs, IPAs and other organizational entities aggregating and enabling providers to deliver primary care services under value-based care arrangements. These competitors include companies such as Agilon Health, Cano Health, ChenMed, Iora Health, OptumHealth, and VillageMD. In addition, our business participates in the Medicare Shared Savings Program and other government programs designed to bring value-based care to fee-for-service Medicare beneficiaries, and our business competes with other participants in such programs. Many of our competitors have longer operating histories; greater brand recognition; stronger, more developed, and more extensive networks of physicians and other care providers; significantly greater financial, technical, marketing, and other resources; lower labor and development costs due to economies of scale; greater access to healthcare data; and larger membership bases, than we do. These competitors may engage in more extensive research and development efforts; undertake broader, more expensive, and more powerful marketing campaigns; and adopt more aggressive pricing or payment policies, each of which may enable them to build membership faster than us and to establish a larger patient base more quickly than us. Our competitors may also provide more differentiated products or services to their clients. Furthermore, the healthcare industry in the United States has experienced a substantial amount of consolidation. If our competitors were to be acquired by third parties with greater resources, such as, for example, Oak Street Health's acquisition by CVS Health, these competitive risks could intensify, and we may face significant challenges in markets that have experienced significant competitor consolidation. In addition, other companies may enter our markets in the future, or other markets, services or products we choose to enter or be in at the time. We do not believe the barriers to enter our markets are substantial, and new competitors with comparable, better, or differentiated healthcare products or services may emerge, or competitors may develop new approaches to value-based care, which could put us at a competitive disadvantage. One of the key factors on which we compete for our consumers, especially in uncertain economic environments, is overall cost. If we are unable to compete effectively with our current and potential competitors for market share, we may also see a reduction in the demand for our services. Any of the foregoing could materially and adversely affect our business, results of operations and financial condition.

The lives served by NeueHealth are concentrated in Florida and Texas. Unfavorable changes in the regulatory environment for healthcare, unforeseen changes affecting the cost of living, other benefit costs, inflation (including wage inflation), reimbursement rates or increased competition in these states or any other geographic area where our membership becomes concentrated in the future could therefore have a disproportionately adverse effect on our operating results.

Developing strong brand recognition and maintaining and enhancing our reputation is critical to maintaining our existing relationships and to our ability to attract new consumers, partners and other constituents to our platform. After exiting the health insurance business, we adopted NeueHealth as our corporate brand name. Promoting our new brand requires substantial investments and we anticipate that, as our market remains increasingly competitive, our marketing initiatives may become increasingly expensive and challenging to successfully implement. Attempts to grow our brand and investments in marketing our platform may not be successful or yield increased revenue as we expect, and even if these activities result in increased revenue, the increased revenue may not offset the expenses we incur to achieve such results. In addition, much of our marketing efforts to date have been limited to certain geographic regions and markets where our business operates to ensure an efficient use of resources. If we expand, we will need to spend additional resources to build strong national brand recognition and there can be no assurance that our efforts will be effective. If we do not successfully develop widespread brand recognition and maintain and enhance our reputation, our business may not grow and we could lose our existing relationships, which could harm our business, financial condition and results of operations.

In the ordinary course of our business, we create, receive, collect, maintain, store, use, process, transmit and disclose ("Process") sensitive data, including PHI, and other types of personal data, personal information or personally identifiable information protected by various laws and regulations (collectively, "PII"). We also use third-party service providers to Process PHI, PII, sensitive information and other confidential information, including that of our consumers and service providers. We manage and maintain our technology platform and data using a combination of on-site systems, managed data center systems and cloud-based systems. Because of the sensitivity of the PHI, other PII and other confidential information we and our consumers and service providers process, the security of our technology platform and other aspects of our services, including those provided or facilitated by our third-party service providers, are critically important to our operations and business strategy. The operation, stability, integrity and availability of our technology platform and underlying network infrastructure are critical to the implementation of our business strategy, our financial results, our brand and reputation, our relationship with our care partners, consumers, network providers, broker network, third-party providers and other key constituents. Any system failure, including network, software or hardware failure, that causes an interruption in our network or a decrease in the responsiveness of our technology platform could result in dissatisfaction and a loss of trust with those constituents and adversely impact our business and reputation. Although we have redundancies in place that will permit us to respond, at least to some degree, to service outages, it could take significant time to have all systems fully operational and our third-party cloud providers are also subject to vulnerabilities. Security incidents and breaches of our infrastructure or our third-party service providers' infrastructure, including physical or electronic break-ins, computer viruses, ransomware, or other malware, employee or contractor error or malfeasance, can disrupt or shut down our systems, or allow unauthorized access to, or misuse, disclosure, modifications or loss of confidential information, PHI, and other PII, and result in a material adverse impact to our results of operations and business, including our ability to collect payments, process claims, and confirm patient information. Such breaches could result in legal claims or proceedings, liability under laws and regulations that protect the privacy of PHI or other PII, such as HIPAA, the CCPA, and other state and federal laws and regulations. We may also be required to notify government authorities, individuals, the media, and other third parties in connection with a security incident or breach involving PHI or other PII, and could become subject to investigations, consent decrees, resolution agreements, monitoring and similar agreements, and civil penalties. We require business associates and other outsourcing subcontractors who handle consumer and patient information to enter into business associate agreements, if applicable, and to agree to use reasonable efforts to safeguard PHI, other PII and other sensitive information. However, these measures may not adequately protect us from the risks associated with the Processing of such information. In addition, breaches of our security systems or those systems used by our third-party service providers or other cyber security incidents could also result in the misappropriation of confidential or proprietary information of ourselves, our consumers, our patients, or other third parties; viruses, spyware, ransomware or other malware being served from our network, platform or systems; the deletion or modification of content or the display of unauthorized content on our platform; the loss of access to critical data or systems through ransomware, destructive attacks or other means; and business delays, service or system disruptions such as denials of service attacks. In 2023, certain of our vendors experienced data security incidents. Upon learning of each such incident, we promptly took steps to cut off access to any of our systems that connected to any systems of such vendor, and took other preventative measures, such as supplementing existing security monitoring, scanning and protective measures, as appropriate. These vendors notified appropriate governmental authorities and impacted parties and individuals, as required. While we did not suffer any material adverse impact as a result of any of these incidents, we may incur significant costs to address or prevent future incidents, implement remedial measures, mitigate violations, and address reputational damage. We cannot guarantee that our recovery protocols and backup systems or those of our third-party service providers will be sufficient to prevent data loss now or in the future, or that our remedies against third-party service providers will be sufficient to protect us in the event a service provider suffers a security breach or similar incident. If we and our third-party service providers are not or are perceived to not be able to prevent such security breaches or privacy violations or implement acceptable remedial measures, we and our third-party service providers may be unable to operate our platform, perform our services, provide consumer assistance services, maintain accurate patient medical records, conduct research and development activities, collect, process and prepare company financial information, or provide information about our current and future services. There can be no assurance that we or our third-party service providers will be able to prevent a security incident or that any future incidents will not have a more significant impact on our operations. There is an increased risk that we may experience cyber security-related events such as phishing attacks and other security challenges as a result of our employees and service providers working remotely from non-corporate-managed networks during the ongoing pandemic and beyond. Any future such breaches and violations may result in litigation, fines and penalties, require us to comply with breach notification laws, require us to verify the accuracy of database contents, and expose us to material operating expenses related to investigation, remediation and resolution of claims, all of which could result in increased costs. As a result, we could suffer a loss of business and we may suffer reputational harm, adverse impacts on consumer and investor confidence and negative impact to our results of operations.

We rely on a number of third parties to perform certain operational functions and services for us, as well as to support our technology platform and our general services and administration functions. The continued growth of our business will depend, in part, on the ability of these third parties to perform their contractual obligations and our ability to achieve and maintain successful business relationships with these third parties. These third parties include but are not limited to: - Cloud service providers and internet infrastructure service providers. We rely on cloud service providers and other service providers to host certain aspects of our IT infrastructure. We do not control the operation of our cloud service providers' infrastructure or the facilities where their servers are located. The level of service provided by cloud service providers or managed data center providers could affect the availability or speed of our platform, which may also impact the usage of, and our consumers', care partners' and other constituents' satisfaction with, our platform and could seriously harm our business and reputation. We also cannot guarantee that the contractual remedies we may have in place with these service providers would be sufficient to cover our losses. - Software providers. We utilize and integrate software licensed from third parties. However, it is possible that this software may not continue to be available on commercially reasonable terms, or at all. Any loss of the right to use any of this software could result in delays in the provisioning of our services until equivalent technology is either developed by us, or, if available, is identified, obtained and integrated. We also cannot guarantee that the contractual remedies we may have in place with such software providers will adequately protect us in the event such software is modified in a manner such that it can no longer be integrated with our own systems and networks, or if such software includes viruses, malware, other corruptants, or security vulnerabilities that impact our own systems and networks. While we have entered into agreements with these third-party service providers, they have no obligation to renew their agreements on similar terms or on terms that we find commercially reasonable, or at all. Identifying replacement third-party service providers, and negotiating agreements with them, requires significant time and resources. If any one of our material third-party service providers' abilities to perform their obligations were impaired, we may not be able to find an alternative supplier in a timely manner or on acceptable financial terms, and we may not be able to meet the full demands of our consumers and care partners within the time periods expected, or at all. While we believe we will be able to insource the responsibilities of many of our third-party service providers in the future, there can be no assurance that we will be able to do so in a manner that enables us to meet the demands of our consumers and care partners. In addition, any shift in business strategy, corporate reorganization, or financial difficulties faced by our third-party providers, such as bankruptcy, may have negative effects on our ability to execute our business strategy. If our third-party providers are unable to keep up with our growing needs for capacity, it could have an adverse effect on our business and reputation, cause us to lose consumers or harm our ability to maintain and grow our other businesses. In the event we make any material changes to our third-party service providers due to changes in our business needs or otherwise, such as mid-year changes or efforts to insource currently outsourced services, we may experience significant operational and service disruptions. In addition, we may not be able to ensure that our third-party providers perform in accordance with agreed upon, regulated and expected standards, and we could be held accountable for their failure to do so which may subject us to fines or other sanctions or otherwise materially negatively impact our business and results of operations. See "- We are subject to inspections, reviews, audits and investigations under federal and state government programs and contracts. The results of such audits could adversely and negatively affect our business, including our results of operations, liquidity, financial condition and reputation." Any termination of our agreements with, or disruption in the performance of, one or more of these service providers could result in service disruption or unavailability, and harm our ability to continue to develop, maintain and improve our service offerings. This could reduce our ability to attract care partners, increase our medical costs, hinder expansion of our business, and result in an inability to meet our obligations or require us to seek alternative service providers on less favorable contract terms, any of which could adversely affect our business, brand, reputation or operating results. Further, the transition of our business model over the last two years has subjected us to an increased number of disputes with service providers, and we expect to continue to be subject to several of these disputes while we are in transition. We cannot guarantee we will resolve these disputes favorably, which could materially negatively impact our business, results of operations, financial condition and cash flows.

Our managed and affiliated medical groups and MSOs negotiate agreements with third-party payors for which some of our entities serve as RBOs. Our RBOs manage the medical costs and quality metrics on behalf of such payors and are at financial risk for the performance of those payors' medical costs for consumers attributed to our RBOs. Our ability to manage the financial risk depends on our ability to achieve quality targets and to accurately estimate and manage medical costs, and these estimates contain inherent uncertainties and assumptions, which depend on various factors outside of our control, as described above. Additionally, third-party payors may modify their product mix, benefit designs, or member mix in ways that could limit the ability of our RBOs to effectively manage the financial performance under our risk arrangements. Our failure to effectively drive quality outcomes, optimize financial performance, or manage medical cost spend could negatively impact the profitability and marketability of our business.

In recent years, our business has been and may continue to be affected by various factors and events that are beyond our control. The United States has experienced economic downturns and market volatility, and domestic and worldwide economic conditions remain uncertain. It may be extremely difficult for us, our care partners and our other key constituents to accurately plan future business activities and execute on our business objectives as a result of economic uncertainty and other macroeconomic factors. In addition, global economic conditions and economic uncertainty may cause our consumers to slow spending or care partners to cease partnering with our business, which could ultimately harm our business. Furthermore, during uncertain economic times our consumers may face challenges or delays in obtaining access to funds used to make payments. In addition, our business relies on third parties, and we are susceptible to risks related to the potential financial instability of such third parties, including vendors that provide services to us or to whom we delegate certain functions. If these third-party vendors cease to do business as a result of broader economic conditions or if they become unable to provide us with the level of service we expect, we may not be able to find an alternative service provider in a timely manner, or on acceptable financial terms, which could impact our ability to meet the expectations and needs of our consumers. We cannot predict the timing, severity or duration of any economic slowdown or the strength or speed of any subsequent recovery generally. If the conditions in the general economy and the markets in which we operate worsen from present levels, our business, financial condition and results of operations could be materially adversely affected.