was filed with the SEC on February 28, 2020:
The Company faces risks related to unauthorized disclosure of sensitive or confidential member and other protected personal or health information.
As part of its normal operations, the Company collects, processes and retains confidential member and protected personal or health information making the Company subject to various federal and state laws and rules regarding the use and disclosure of confidential member and protected personal or health information, including HIPAA. The Company also maintains other confidential information related to its business and operations. Despite our security measures, the Company is subject to security breaches, acts of vandalism, computer viruses, misplaced or lost data, programming and/or human errors or other similar events. For example, we have experienced data security breaches resulting in disclosure of confidential or protected personal or health information. Noncompliance with any privacy or security laws and regulations (including, but not limited to, state and federal laws and international regulations, such as GDPR) or any security incident or breach, whether by the Company or by its vendors, could result in enforcement actions, material fines and penalties, reputational and financial harm to the Company, and could also subject the Company to litigation.
IT Systems – The Company’s ability to effectively maintain and upgrade its information systems is critical to its business.
The Company’s operations are dependent on effective information systems. Our information systems require routine maintenance, enhancements and upgrades in order to meet operational needs and regulatory requirements. The maintenance, upgrade and enhancement of our information systems requires significant economic resources. If the Company encounters difficulties in its information systems, or with the transition to or from its information systems, or does not appropriately maintain, enhance and upgrade its information systems, such events could adversely impact the Company’s operations materially. In addition, our ability to manage effectively our information systems could be impacted by events outside of our control, including acts of nature, such as floods, earthquakes, fires, pandemics, or acts of terrorism or war.
Cyber-Security—The Company faces risks related to a breach or failure in our operational security systems or infrastructure, or those of third parties with which we do business.
Our business requires us to securely store, process and transmit confidential, proprietary and other information in our operations, including protected personal or health information. Security incidents or breaches may arise from, among other things, computer hackers penetrating our systems or approaching our employees to obtain personal information for financial gain, attempting to cause harm to our operations, or intending to obtain competitive, confidential or protected personal or health information. It is widely reported that the healthcare industry, including providers, plans and pharmacies, are increasingly prime targets for cyber-attacks. Our data assets and systems continue to be subject to attack by viruses, worms, phishing attempts and other malicious software programs on a regular basis, and we routinely identify attempts to gain unauthorized access to our systems.
We maintain a comprehensive system of preventive and detective controls through our security programs; however given the rapidly evolving nature and proliferation of cyber threats, our controls may not prevent or identify all such attacks in a timely manner or otherwise prevent unauthorized access to, damage to, or interruption of our systems and operations, and we cannot eliminate the risk of human error or employee or vendor malfeasance. For example, we were the target of a criminal ransomware attack on our computer network recently, which resulted in a temporary systems outage and the exfiltration of certain confidential company and personal information as well as protected health information of certain members. We are investigating the incident with forensic experts, notifying our customers, employees, impacted individuals, and appropriate government agencies, as applicable, and working with law enforcement authorities.
Any costs that we incur as a result of a data security incident or breach, including costs to update our security protocols to mitigate such an incident or breach could be significant. Any breach or failure in our operational security systems can result in loss of data or an unauthorized disclosure of or access to sensitive or confidential member or protected personal or health information and could result in significant penalties or fines, litigation, loss of customers, significant damage to our reputation and business, and other losses, which could adversely impact the Company’s financial condition and results of operations materially.