Alignment Healthcare (ALHC) Risk Analysis

As described above, because of regulations preventing the corporate practice of medicine, certain of our associated physician practice groups that operate our clinics are wholly owned or primarily owned by physicians employed by us. Although we retain certain rights regarding the succession of ownership of the associated practices through succession agreements and other arrangements with their physician equity holders, if current owners died, were incapacitated or otherwise were no longer affiliated with us, there could be a material adverse effect on the relationship between us and the associated physician practices and, therefore, our business operations could be adversely affected.

Our success requires that we maintain and grow our provider networks and contract with providers and medical facilities in new markets in order to meet CMS requirements relating to network adequacy. We contract with a variety of physicians, nurses, hospitals, clinics and other third-party providers to deliver healthcare and related services to our members. Our plans encourage or require our customers to use these contracted providers. A key component of our integrated care delivery strategy is to increase the number of providers who share medical cost risk with us or have financial incentives to deliver high quality medical services in a cost-effective manner. In order to retain our members and attract additional membership, our provider networks, including those physicians participating in Medicare and willing to see our patients but with whom we have not contracted, must be not only adequate, but attractive, providing Medicare-eligible beneficiaries access to the providers and facilities that they want. In any particular market, providers could refuse to contract with us, demand higher payments, or take other actions that could result in higher healthcare costs for us, less desirable outcomes for members or difficulty meeting regulatory or accreditation requirements, including network adequacy requirements. In some markets, certain providers, particularly hospitals, physician specialty groups, physician/hospital organizations, or multi-specialty physician groups, may have significant market positions and negotiating power. In addition, physician or practice management companies, which aggregate physician practices for administrative efficiency and marketing leverage, may compete with us in certain circumstances. If these providers refuse to contract with us, use their market position to negotiate unfavorable contracts with us or place us at a competitive disadvantage, or do not enter into contracts with us that encourage the delivery of quality medical services in a cost-effective manner, our ability to market products or to be profitable in those areas may be adversely affected. In some situations, we have capitation contracts with individual or groups of primary care providers and specialists for an actuarially determined, fixed fee per month to provide a basket of required medical services to our members. The inability of providers to properly manage costs under these capitation arrangements could result in the financial instability of these providers and the termination of their relationship with us. In addition, payment or other disputes between a primary care provider and specialists with whom the primary care provider contracts could result in a disruption in the provision of services to our members or a reduction in the services available to our members. The financial instability or failure of a primary care provider to pay other providers for whom they have taken professional risk for services rendered could lead those other providers to demand payment from us even though we have made our regular fixed payments to the primary care provider. Providers with whom we contract may not properly manage the costs of services, maintain financial solvency or avoid disputes with other providers. Even if we contract with sufficient numbers of providers in our markets, we may be required, from time to time, to work with providers with whom we do not contract and who are not included in our networks. This can increase our medical costs, as there is no pre-negotiated rate that we pay the provider and no incentive for the provider to control costs. Our ability to develop and maintain satisfactory relationships with providers and facilities may also be negatively impacted by factors not associated with us, such as changes in Medicare programs and other pressures on healthcare providers, including consolidation activity among hospitals, physician groups, and other healthcare providers. We may be unable to contract with new providers, facilities and other entities in our current markets or new markets in which we enter or renew any contracts we maintain with existing providers or facilities on favorable terms, if at all. If we are unable to enter into new contracts or maintain contracts with providers or facilities in certain markets, we may be unable to meet network adequacy requirements, which would prevent us from serving such markets and could have a material adverse effect on our business, financial condition and results of operations.

Our MA plans are operated through regulated insurance subsidiaries in various states. These subsidiaries are subject to state regulations that, among other things, require the maintenance of minimum levels of statutory capital or tangible net equity, as defined by each state. The states in which our subsidiaries operate regulate the payment of dividends, loans, administrative expense reimbursements or other cash transfers to us, and limit investments to approved securities. The amount of dividends that may be paid to us by these insurance subsidiaries, without prior approval by state regulatory authorities, or ordinary dividends, is limited based on the entity's level of statutory income and statutory capital and surplus. In some states, prior notification is provided before paying a dividend even if approval is not required. Actual dividends paid may vary due to consideration of excess statutory capital and surplus and expected future surplus requirements. We continue to maintain our levels of aggregate excess statutory capital and surplus in our state-regulated operating subsidiaries. Dividends from our non-insurance companies are generally not restricted by governmental departments of insurance. In the event that our subsidiaries are unable to provide sufficient capital to fund our obligations and allow us to pursue our objectives, our results of operations, financial position, and cash flows may be materially adversely affected.

We use a substantial portion of our revenues to pay the costs of healthcare services delivered to our members by third-party providers. These costs include claims payments, capitation payments to providers (predetermined amounts paid to cover services), administrative costs and various other costs incurred to provide health insurance coverage to our members. These costs also include estimates of future payments to hospitals and other providers for medical care provided to our members. Generally, premiums in the healthcare business are fixed for one-year periods and we are required by federal law to spend a fixed amount of these premiums on healthcare services, covered benefits and quality improvement efforts. Accordingly, costs we incur in excess of our benefit cost projections generally are not recovered in the contract year through higher premiums and our ability to enhance the profitability of our plans depends in significant part on our ability to estimate the costs of our future benefit claims and other expenses. We make these estimates using actuarial methods and assumptions based upon claim payment patterns, medical inflation, historical developments, including claim inventory levels and claim receipt patterns, and other relevant factors. We also record benefits payable for future payments. We continually review estimates of future payments relating to benefit claims costs for services incurred in the current and prior periods and make necessary adjustments to our reserves, including premium deficiency reserves where appropriate. However, these estimates involve extensive judgment and have considerable inherent variability that is sensitive to claim payment patterns and medical cost trends. Many factors may and often do cause actual healthcare costs to exceed what was estimated and used to set our premiums. These factors may include: - increased use of medical facilities and services;- increased cost of such services;- increased use or cost of prescription drugs, including specialty prescription drugs;- the introduction of new or costly treatments, including new technologies;- the extent to which providers in our network follow appropriate care recommendations and carry out effective care coordination and care management;- our membership mix;- the extent to which members decline to seek out appropriate preventative care or follow their physicians' care and healthful living recommendations;- variances in actual versus estimated levels of cost associated with new products, benefits or lines of business, product changes or benefit level changes;- changes in the demographic characteristics of an account or market;- changes or reductions of our utilization management functions such as preauthorization of services, concurrent review or requirements for physician referrals;- catastrophes, including acts of terrorism, public health epidemics, or severe weather (e.g., hurricanes and earthquakes), which may increase both use and cost of medical services and cause members to delay obtaining services, affecting their long-term health;- medical cost inflation; and - government mandated benefits, member eligibility criteria, or other legislative, judicial, or regulatory changes. Key to our operational strategy is the implementation of clinical initiatives that we believe provide a better healthcare experience for our members, lower the cost of healthcare services delivered to our members, and appropriately document the risk profile of our members. Our profitability and competitiveness depend in large part on our ability to leverage our technology platform, AVA, to optimize and appropriately manage healthcare costs by, among other things, proactively managing member care. Increases or decreases in staff and provider-related expenses, any costs associated with exiting products, additional investment in new products and in the expansion of clinical and technological capabilities as part of our integrated care delivery model, investments in health and well-being product offerings, acquisitions, new taxes and assessments, and implementation of regulatory requirements may increase our operating expenses. Any failure to adequately price our products or estimate sufficient benefits payable or effectively manage our operating expenses may result in a material adverse effect on our results of operations, financial position, and cash flows. Premium increases, introduction of new product designs, and our relationships with our providers in various markets, among other issues, could also affect our membership levels. Other actions that could affect membership levels include our possible exit from or entrance into markets, or the termination of a large contract. If we do not compete effectively in our markets, if we set rates too high or too low in highly competitive markets to keep or increase our market share, if membership does not increase as we expect, if membership declines, or if we lose membership with favorable medical cost experience while retaining or increasing membership with unfavorable medical cost experience, our results of operations, financial position, and cash flows may be materially adversely affected.

Our commercial success depends on our ability to develop and commercialize our products and services and use our internally developed technology without infringing the intellectual property or proprietary rights of third parties. Intellectual property disputes can be costly to defend and may cause our business, operating results and financial condition to suffer. As the market for healthcare in the United States expands and more patents are issued, the risk increases that there may be patents issued to third parties that relate to our technology of which we are not aware or that we must challenge in order to continue our operations as currently or in the future contemplated. Whether merited or not, we may face allegations that we, our partners or parties indemnified by us have infringed, misappropriated or otherwise violated the patents, trademarks, copyrights, trade secrets or other intellectual property rights of third parties. Such claims may be made by competitors seeking to obtain a competitive advantage or by other parties. Additionally, in recent years, individuals and groups have begun purchasing intellectual property assets for the purpose of making such claims and attempting to extract settlements from companies like ours. We may also face allegations that our employees have misappropriated the trade secrets or other intellectual property or proprietary rights of their former employers or other third parties. It may be necessary for us to initiate litigation to defend ourselves in order to determine the scope, enforceability, validity or ownership of third-party intellectual property or proprietary rights, or to establish our respective rights. We may not be able to successfully settle or otherwise resolve such adversarial proceedings or litigation. If we are unable to successfully settle future claims on terms acceptable to us we may be required to engage in or to continue claims, regardless of whether such claims have merit, that can be time-consuming, divert management's attention and financial resources and be costly to evaluate and defend. Results of any such litigation are difficult to predict and may require us to stop commercializing or using our technology, obtain licenses, modify our services and technology while we develop non-infringing substitutes or incur substantial damages, settlement costs or face a temporary or permanent injunction prohibiting us from marketing or providing the affected products and services. If we require a third-party license, it may not be available on reasonable terms or at all, and we may have to pay substantial royalties and upfront or ongoing fees, or grant cross-licenses to our own intellectual property rights. Such licenses may also be non-exclusive, which could allow competitors and other parties to use the subject technology in competition with us. We may also have to redesign our services so they do not infringe, misappropriate or otherwise violate third-party intellectual property rights, which may not be possible or may require substantial monetary expenditures and time, during which our technology may not be available for commercialization or use. Even if we have an agreement to indemnify us against such costs, the indemnifying party may be unable to uphold its contractual obligations. If we cannot or do not obtain a third-party license to the infringed technology at all, license the technology on reasonable terms or obtain similar technology from another source, our revenue and earnings could be adversely impacted. From time to time, we may be subject to legal proceedings and claims in the ordinary course of business with respect to intellectual property. Some third parties may be able to sustain the costs of complex litigation more effectively than we can because they have substantially greater resources. Even if resolved in our favor, litigation or other legal proceedings relating to intellectual property claims may cause us to incur significant expenses, and could distract our technical and management personnel from their normal responsibilities. In addition, there could be public announcements of the results of hearings, motions or other interim proceedings or developments, and if securities analysts or investors perceive these results to be negative, it could have a material adverse effect on the price of our common stock. Moreover, any uncertainties resulting from the initiation and continuation of any legal proceedings could have a material adverse effect on our ability to raise the funds necessary to continue our operations. Any of the foregoing could have a material adverse effect on our business, financial condition and results of operations.

We may use open-source software in connection with our services. Companies that incorporate open-source software into their technologies have, from time to time, faced claims challenging the use of open-source software and/or compliance with open-source license terms. As a result, we could be subject to suits by parties claiming ownership of what we believe to be open-source software or claiming noncompliance with open-source licensing terms. Some open-source software licenses require users who distribute software containing open-source software to publicly disclose all or part of the source code to such software and/or make available any derivative works of the open-source code, which could include valuable proprietary code of the user, on unfavorable terms or at no cost. While we monitor the use of open-source software and try to ensure that none is used in a manner that would require us to disclose our internally developed source code, including that of our AVA platform, or that would otherwise breach the terms of an open-source agreement, such use could inadvertently occur, in part because open-source license terms are often ambiguous. In addition to risks related to license requirements, use of certain open-source software can lead to greater risks than use of third-party commercial software, as open-source licensors generally do not provide warranties or controls on the origin of software which, thus, may contain security vulnerabilities, such as the Log4j vulnerability in November 2021, or infringing or broken code. Any requirement to publicly disclose our internally developed source code or pay damages for breach of contract could have a material adverse effect on our business, financial condition and results of operations and could help our competitors develop services that are similar to or better than ours.

A substantial portion of our revenue is driven by CMS payments in connection with our health plans in California, North Carolina, Nevada, Arizona and Texas, with over 94% of our members concentrated in California as of December 31, 2024. As a result, our exposure to many of the risks described herein is not mitigated by a diversification of geographic focus. Unfavorable changes in healthcare or other benefit costs or reimbursement rates or increased competition in these areas or any other geographic area where our membership becomes concentrated in the future could therefore have a disproportionately adverse effect on our operating results. Furthermore, due to the concentration of our operations in these states and in California in particular, our business may be adversely affected by economic, health or other conditions that disproportionately affect these states as compared to other states (e.g., outbreaks of infectious disease) or by natural disasters such as major earthquake, wildfire or hurricane. Any of these factors could have a significant impact on the health of a large number of our covered members, access to care may be more difficult and proposed responses, including telehealth, may not be available. Moreover, regulatory changes undertaken in response to such events could require us to cover health care costs for members for which we would not typically be responsible. To continue to diversify our operations we will have to expand to other regions of the United States, which will require us to devote resources to identifying and exploring such perceived opportunities. We may not be able to continue to successfully expand our operations in any new geographic markets and so we may remain subject to the risks presented by our geographic concentration.

Our provider network includes key contracts with certain large independent physician associations ("IPAs"), hospitals and other provider networks, which are critical to serving our membership base. Although we typically seek to enter into contracts spanning three or more years, after a specified period, certain of these contracts, including existing contracts with some of our largest IPA partners, hospitals or other providers, may terminate by their own terms or through notice of non-renewal. In the ordinary course of business, including in connection with renewals or extensions of these agreements, we engage in active discussions and renegotiations with these counterparties in respect of the solutions we provide and the terms of our agreements. The loss of any of our largest IPA partnerships, hospitals or other provider networks or the renegotiation of any of these contracts could adversely affect our results of operations, as this may alter the attractiveness of our provider network, result in more out-of-network claims costs and/or increase the payments we make to these counterparties.

We believe that maintaining and enhancing our reputation and brand recognition is critical to our relationships with both members and providers and to our ability to attract new members. The promotion of our brand may require us to make substantial investments and we anticipate that, as our market becomes increasingly competitive, these marketing initiatives may become increasingly difficult and expensive. Moreover, our current marketing efforts to date have been limited to certain geographic regions and markets where our business operates to facilitate the efficient use of resources. If we grow nationally, we will need to spend additional resources to build strong national brand recognition and our efforts may not be effective. Our marketing activities may not be successful or yield increased revenue, and to the extent that these activities yield increased revenue, the increased revenue may not offset the expenses we incur and our results of operations could be harmed. Any factor that diminishes our reputation or that of our management, including failing to meet the expectations of or provide quality service to our members, or any adverse publicity or litigation involving or surrounding us or our management, could make it substantially more difficult for us to attract new members and retain existing members. Similarly, because our existing members often act as references for us with prospective new members, any existing member that questions the quality of our care could impair our ability to secure additional new members. In addition, negative publicity resulting from any adverse government audit could injure our reputation. If we do not successfully maintain and enhance our reputation and brand recognition, our business may not grow and we could lose our relationships with members or providers, which would harm our business, results of operations and financial condition. The registered or unregistered trademarks or trade names that we own may be challenged, infringed, circumvented, diluted, declared generic, lapsed or determined to be infringing on or dilutive of other marks. We may not be able to protect our rights in these trademarks and trade names, which we need in order to build name recognition with members, providers and other partners. In addition, third parties may in the future file for registration of trademarks similar or identical to our trademarks. If they succeed in registering or developing common law rights in such trademarks, and if we are not successful in challenging such third-party rights, we may not be able to use these trademarks to commercialize our technologies in certain relevant jurisdictions. If we are unable to establish name recognition based on our trademarks and trade names, we may not be able to compete effectively and our brand recognition, reputation and results of operations may be adversely affected.

The Health Care Reform Law and Other Current or Future Legislative, Judicial or Regulatory Changes The Patient Protection and Affordable Care Act and The Health Care and Education Reconciliation Act of 2010 (which we collectively refer to as the "Health Care Reform Law") enacted significant reforms to various aspects of the U.S. health insurance industry. Certain significant provisions of the Health Care Reform Law include, among others, mandated coverage requirements, mandated benefits and guarantee issuance associated with commercial medical insurance, rebates to policyholders based on minimum benefit ratios, adjustments to Medicare Advantage premiums, the establishment of federally facilitated or state-based exchanges coupled with programs designed to spread risk among insurers, and the introduction of plan designs based on set actuarial values. Some of these changes impact us and other entities that offer Medicate Advantage plans. It is reasonably possible that the Health Care Reform Law and related regulations, as well as other current or future legislative, judicial or regulatory changes, including restrictions on our ability to manage our provider network or otherwise operate our business, or restrictions on profitability, including reviews by regulatory bodies that may compare the profitability of various products within our Medicare Advantage business and require that they remain within certain ranges of each other, increases in member benefits or changes to member eligibility criteria without corresponding increases in premium payments to us, may have a material adverse effect on our results of operations (including restricting revenue, enrollment and premium growth in certain products and market segments, restricting our ability to expand into new markets, increasing our medical and operating costs, further lowering our payment rates and increasing our expenses associated with assessments), our financial position and our cash flows. Additionally, potential legislative changes or judicial determinations, including activities to repeal or replace the Health Care Reform Law or declare all or certain portions of the Health Care Reform Law unconstitutional, creates uncertainty for our business, and we cannot predict when, or in what form, such legislative changes or judicial determinations may occur. Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act and Other Laws, Rules and Regulations Related to Data Privacy We are subject to data privacy and protection laws and regulations that apply to the collection, transmission, storage and use of PHI and other PII, which among other things, impose certain requirements relating to the privacy, security and transmission of PII. The legislative and regulatory landscape for privacy and data protection continues to evolve, and there has been an increasing focus on privacy and data protection issues with the potential to affect our business. Failure to comply with any of these laws and regulations could result in enforcement action against us, including fines, public censure, claims for damages by affected individuals, damage to our reputation and loss of goodwill, any of which could have a material adverse effect on our business, financial condition, results of operations or prospects. Ongoing efforts to comply with evolving laws and regulations may be costly and require ongoing modifications to our policies, procedures and systems. The use of individually identifiable health data by our business is regulated at federal and state levels. These laws and rules are changed frequently by legislation or administrative interpretation. Various state laws address the use and maintenance of PII. Among these state laws, which we describe in more detail below, we are most substantially affected by the California Consumer Privacy Act, which uniquely among general consumer privacy laws did not exempt employee information, business contact information, and only maintains narrow exemptions for data subject to HIPAA or the Gramm-Leach-Bliley Act. We may need to change the way we create, receive, maintain or transmit PII to comply with these state laws. HIPAA includes administrative provisions directed at simplifying electronic data interchange through standardizing transactions, establishing uniform healthcare provider, payer, and employer identifiers, and establishing regulations aimed at protecting confidentiality and security of patient and member data. The rules preempt all inconsistent state laws unless the state law is more privacy-protective. These regulations, in addition to other state laws, set standards for the security of electronic health information, including requirements that insurers provide customers with notice regarding how their PHI is used. Compliance with HIPAA regulations requires us to regularly monitor security risk, implement and regularly review administrative, technical and physical safeguards to protect electronic health information, and provide workforce training, among other administrative efforts. HIPAA can also expose us to additional liability for violations by our business associates (e.g., entities that provide services to health plans and providers). The US Department of Health and Human Services, Office for Civil Rights announced on December 27, 2024, and published in the Federal Register on January 6, 2025, a Notice of Proposed Rulemaking proposing extensive modifications to the HIPAA security standards. If finalized, these modifications could entail significant additional compliance obligations and costs for HIPAA-regulated covered entities and business associates. HIPAA imposes mandatory penalties for certain violations. In 2024, penalties for violations of HIPAA and its implementing regulations started at $141 per violation and could not exceed approximately $71,162 per violation, subject to a cap of approximately $2.1 million for violations of the same standard in a single calendar year. However, a single breach incident can result in violations of multiple standards. Additionally, the penalty amounts listed above are also due for inflation adjustments in 2025. HIPAA also authorizes state attorneys general to file suit on behalf of their residents for statutory damages of up to $25,000. While HIPAA does not create a private right of action allowing individuals to sue in civil court for violations of HIPAA, its standards have been used as the basis for duty of care in state civil suits such as those for negligence or recklessness in the misuse or breach of PHI. HIPAA further requires that members be notified of any unauthorized acquisition, access, use or disclosure of their unsecured PHI that compromises the privacy or security of such information, with certain exceptions related to unintentional or inadvertent use or disclosure by employees or authorized individuals. HIPAA specifies that such notifications must be made without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. If a breach affects 500 patients or more, it must be reported to HHS without unreasonable delay, and HHS will post the name of the breaching entity on its public website. Breaches affecting more than 500 patients in the same state or jurisdiction must also be reported to the local media. If a breach involves fewer than 500 people, the covered entity must record it in a log and notify HHS at least annually. We also publish statements to our members and partners that describe how we handle and protect PHI. If federal or state regulatory authorities or private litigants consider any portion of these statements to be untrue, we may be subject to claims of deceptive practices, which could lead to significant liabilities and consequences, including, without limitation, costs of responding to investigations, defending against litigation, settling claims, and complying with regulatory or court orders. Any of the foregoing consequences could have a material adverse impact on our business and our financial results. Data privacy and security at the state level remains an evolving landscape. For example, CCPA, which came into effect on January 1, 2020, requires companies that process information on California residents to make disclosures to consumers about their data collection, use and sharing practices, allow consumers to opt out of certain data sharing with third parties and provides a cause of action for data breaches. In addition, on November 3, 2020, California voters approved amendments to the CCPA, known as the CPRA, which significantly modifies the CCPA, including by expanding consumers' rights with respect to certain personal information and creating a state agency, the California Privacy Protection Agency ("CPPA"), to oversee implementation and enforcement efforts. The CPPA is able to finance operations through penalties issued and with the CPRA's removal of the mandatory cure period from CCPA, we will have less warning before compliance risk results in legal action. The CPRA's amendments became effective on January 1, 2023. The CCPA contains exemptions for medical information governed by the California Confidentiality of Medical Information Act, and for PHI collected by a covered entity or business associate governed by the privacy, security, and breach notification rule established pursuant to HIPAA. The CPPA has released for public comment draft regulations on risk assessments, cybersecurity assessments, and automated decision-making technologies, which close on February 19, 2025. These regulations are the final components of the CPRA's amendments to the CCPA, which granted the CPPA the authority to pass additional regulations. These regulations in their draft form contain substantial new compliance obligations with respect to PII we process. The CCPA has prompted a number of proposals for new federal and state-level privacy legislation. Such proposed legislation, if enacted, may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies. For example, the Virginia Consumer Data Protection Act, which became effective January 1, 2023, gives Virginia residents expanded rights to access and creates additional obligations on companies covered by the legislation, and the Nevada Privacy Law, which became effective on October 1, 2019, requires businesses to give website users the option to opt-out of the sale of their data, but is otherwise significantly more narrow than the other laws mentioned. As of February 1, 2025, general State privacy laws are in effect in California, Colorado, Connecticut, Utah, Texas, Oregon, Virginia, Montana, New Jersey, Delaware, Iowa, Nebraska, and New Hampshire. Additional general state privacy laws have been passed and will go into effect in 2025 in Tennessee, Minnesota, and Maryland, and in 2026, in Indiana, Kentucky, and Rhode Island. While the CPRA/CCPA is an example of consumer privacy law, the NAIC's Model Insurance Data Security Law (the "Model law") is a different type of law focused on securing insurance licensees' information systems. Versions of this Model Law have been passed in many states and are expected to be passed in more states in the coming years. Similar to HIPAA, the Model Law requires the implementation of technical, administrative, and procedural information security practices and procedures and includes reporting requirements for data breaches. These Model Laws exist in a majority of states and are typically enforced by state insurance regulators. It is possible that applicable laws may be interpreted and applied in a manner that is inconsistent with our practices and our efforts to comply with the evolving data protection rules may be unsuccessful. We must devote significant resources to understanding and complying with this changing landscape. Failure to comply with laws regarding privacy and security of PHI and other PII could expose us to penalties under such laws. Any such failure to comply with data protection and privacy laws could result in government-imposed fines or orders requiring that we change our practices, claims for damages or other liabilities, regulatory investigations and enforcement action, litigation and significant costs for remediation, any of which could adversely affect our business. Even if we are not determined to have violated these laws, government investigations into these issues typically require the expenditure of significant resources and generate negative publicity, which could have an adverse effect on our business, financial condition and results of operations. As indicated above, there are numerous federal and state laws and regulations addressing patient and consumer privacy concerns, including notification requirements in the event of unauthorized access or theft of personal information. State statutes and regulations vary from state to state. Violations of HIPAA or applicable federal or state laws or regulations could subject us to significant criminal or civil penalties, including significant monetary penalties. We cannot yet fully determine the impact these or future laws, rules, regulations and industry standards may have on our business or operations. Any such laws, rules, regulations and industry standards may be inconsistent among different jurisdictions, subject to differing interpretations or may conflict with our current or future practices. Additionally, our customers may be subject to differing privacy laws, rules and legislation, which may mean that they require us to be bound by varying contractual requirements applicable to certain other jurisdictions. Adherence to such contractual requirements may impact our collection, use, processing, storage, sharing and disclosure of various types of information and may mean we become bound by, or voluntarily comply with, self-regulatory or other industry standards relating to these matters that may further change as laws, rules and regulations evolve. Complying with these requirements and changing our policies and practices may be onerous and costly, and we may not be able to respond quickly or effectively to regulatory, legislative and other developments. These changes may in turn impair our ability to offer our existing or planned features, products and services and/or increase our cost of doing business. As we expand our customer base, these requirements may vary from customer to customer, further increasing the cost of compliance and doing business. Our business and operations may also be subject to federal, state, and local consumer protection laws governing marketing communications, including the Telephone Consumer Protection Act, "TCPA", which places restrictions on the use of automated tools and technologies to communicate with wireless telephone subscribers or communications services consumers generally and the CAN-SPAM Act, which regulates the transmission of marketing emails. Under the TCPA, entities using an automatic telephone dialing system to send communications must obtain prior express consent for non-marketing communications and prior express written consent for marketing communications. The TCPA has a private right of action, allowing individuals who have received unsolicited communications (phone calls, text messages or faxes) made using an "automatic telephone dialing system" to seek statutory damages of $500 per violation, or $1,500 if the violation was made willfully or knowingly. Despite our compliance efforts, we could nevertheless be forced to defend private class actions or government enforcement based on the communications we send to members. In addition, certain of our businesses are also subject to the PCI DSS, which is a multifaceted industry security standard that is designed to protect credit card account data as mandated by payment brands and acquiring banks. We rely on vendors to assist us with PCI matters and to ensure PCI compliance. Despite our compliance efforts, we may become subject to claims that we have violated the PCI DSS or other requirements of the payment card brands, based on past, present, or future business practices, which could have an adverse impact on our business and reputation, subject us to fines and/or have a negative impact on our ability to accept credit card payments. As described above, substantially all of our relevant member data is maintained on our technology platform, AVA, which aggregates and provides us with access to extensive member datasets, including individually identifiable PHI. As a result, any breach of our technology platform could expose us to substantial liability under HIPAA, the HITECH Act and other applicable laws, regulations or rules. See "Risk Factors-Security breaches, loss of data and other disruptions could compromise sensitive information related to our business or our members, or prevent us from accessing critical information and expose us to liability, which could adversely affect our business and our reputation." Corporate Practice of Medicine and Other Laws As a corporate entity, we are not licensed to practice medicine. Many states in which we operate through our subsidiaries limit the practice of medicine to licensed individuals or professional organizations comprised of licensed individuals, and business corporations generally may not exercise control over the medical decisions of physicians. Statutes, regulations and court decisions relating to the practice of medicine, fee-splitting between physicians and referral sources, and similar issues vary widely from state to state. While we endeavor to comply with state corporate practice of medicine laws and regulations as we interpret them, the laws and regulations in these areas are complex, changing, and often subject to varying interpretations. The interpretation and enforcement of these laws vary significantly from state to state. Under business support services agreements between certain of our subsidiaries and affiliated physician-owned professional groups, these groups retain sole responsibility for all medical decisions, as well as for hiring and managing physicians and other licensed healthcare providers, developing operating policies and procedures, implementing professional standards and controls, and maintaining malpractice insurance. Regulatory authorities and other parties may assert that, despite the business support services agreements and other arrangements through which we operate, we are engaged in the prohibited corporate practice of medicine or that our arrangements constitute unlawful fee-splitting. Penalties for violations of the corporate practice of medicine or fee-splitting laws vary by state and may result in physicians being subject to disciplinary action, as well as to forfeiture of revenue from payors for services rendered. For business entities such as us, violations may also bring both civil and, in more extreme cases, criminal liability for engaging in medical practice without a license, our agreements could be found legally invalid and unenforceable (in whole or in part) or we could be required to restructure our contractual arrangements. We, our in-house and externally engaged physicians and the facilities in which they operate are subject to various federal, state and local licensing and certification laws and regulations and accreditation standards and other laws, relating to, among other things, the adequacy of medical care, equipment, privacy of member information, physician relationships, personnel and operating policies and procedures. Failure to comply with these licensing, certification and accreditation laws, regulations and standards could result in prior payments being subject to recoupment, requirements to make significant changes to our operations and can give rise to civil or, in extreme cases, criminal penalties. We routinely take the steps we believe are necessary to retain or obtain all requisite licensure and operating authorities. While we have made reasonable efforts to substantially comply with federal, state and local licensing and certification laws and regulations and standards as we interpret them, the agencies that administer these programs may find that we have failed to comply in some material respects. If this were to occur, we could be subject to civil and/or criminal penalties, or we could be required to close or limit our operations at relevant sites. In jurisdictions where the corporate practice of medicine is prohibited, we have historically operated by maintaining long-term business support contracts with multiple associated professional medical entities that are wholly owned by physicians and, in turn, employ or contract with physicians to provide those professional medical services required by our members. Under these business support services agreements, our primary operating subsidiary performs only non-medical business support services, does not represent that it offers medical services and does not exercise influence or control over the practice of medicine by the physicians or the associated physician groups. In addition to the above business support services arrangements, we have certain contractual rights relating to the orderly transfer of equity interests in our associated physician practices through succession agreements and other arrangements with their physician equity holders. Such equity interests cannot, however, be transferred to or held by us or by any non-professional medical entity. Accordingly, neither we nor our direct subsidiaries directly own any equity interests in any of our physician practices. In the event that any of the physician owners of our associated physician practices fail to comply with the business support services arrangement, if any business support services arrangement is terminated and/or we are unable to enforce our contractual rights over the orderly transfer of equity interests in any of our associated physician practices, such events could have a material adverse effect on our business, results of operations, financial condition and cash flows. It is possible that a state regulatory agency or a court could determine that our agreements with physician equity holders of our associated physician practices and the way we carry out these arrangements as described above, either independently or coupled with the business support services agreements with such associated physician practices, are in violation of prohibitions on the corporate practice of medicine. As a result, these arrangements could be deemed invalid. Such a determination could force a restructuring of our business support services arrangements with the affected practices, which might include revisions of the business support services agreements, including a modification of the services fee and/or establishing an alternative structure that would permit us to contract with a physician network without violating prohibitions on the corporate practice of medicine. Such a restructuring may not be feasible, or it may not be possible to accomplish it within a reasonable time frame without a material adverse effect on our business, results of operations, financial condition and cash flows. Additionally, a number of states have recently introduced or are planning to introduce legislation that would significantly increase the level of scrutiny that similarly structured organizations would face and could introduce additional penalties on business support services organizations similar to ours. Anti-Kickback, Physician Self-Referral and Other Fraud and Abuse Laws A federal law commonly referred to as the "Anti-Kickback Statute" prohibits the offer, payment, solicitation, or receipt of any form of remuneration to induce, or in return for, the referral of Medicare or other governmental health program patients or patient care opportunities, or in return for the purchase, lease or order of items or services that are covered by Medicare or other federal governmental health programs. Because the prohibitions contained in the Anti-Kickback Statute apply to the furnishing of items or services for which payment is made in "whole or in part," the Anti-Kickback Statute could be implicated if any portion of an item or service we provide is covered by any of the state or federal health benefit programs described above. Violation of these provisions constitutes a felony criminal offense and applicable sanctions could include exclusion from the Medicare and Medicaid programs. Section 1877 of the Social Security Act, commonly known as the "Stark Law," prohibits physicians, subject to certain exceptions described below, from referring Medicare or Medicaid patients to an entity providing "designated health services" in which the physician, or an immediate family member, has an ownership or investment interest or with which the physician, or an immediate family member, has entered into a compensation arrangement. These prohibitions, contained in the Omnibus Budget Reconciliation Act of 1993, commonly known as "Stark II," amended prior federal physician self-referral legislation known as "Stark I" by expanding the list of designated health services to a total of 11 categories. The professional groups with which we are contracted or affiliated provide one or more of these designated health services. Persons or entities found to be in violation of the Stark Law are subject to denial of payment for services furnished pursuant to an improper referral, civil monetary penalties, and exclusion from the Medicare and Medicaid programs. A federal law commonly referred to as the "False Claims Act" prohibits the submission of a false or fraudulent claim to the government for payment or approval. Qui tam relators and/or the government may take the position that we submit certain data or information that could form the basis of a claim for payment, thus subjecting us to allegations under the False Claims Act. In such events, we could be subject to treble damages and per-claim penalties. Many states also have enacted laws similar in scope and purpose to the Anti-Kickback Statute and, in more limited instances, the Stark Law, that are not limited to services for which Medicare or Medicaid payment is made. In addition, most states have statutes, regulations, or professional codes that restrict a physician from accepting various kinds of remuneration in exchange for making referrals. These laws vary from state to state and have seldom been interpreted by the courts or regulatory agencies. In states that have enacted these statutes, we believe that regulatory authorities and state courts interpreting these statutes may regard federal law under the Anti-Kickback Statute and the Stark Law as persuasive. In addition, these laws are subject to modification and changes in interpretation, and are enforced by authorities vested with broad discretion. We continually monitor developments in this area. If we or our third parties with which we contract fail to comply with these laws, or if these laws are interpreted in a manner contrary to our interpretation or are reinterpreted or amended, or if new legislation is enacted with respect to healthcare fraud and abuse, illegal remuneration, or similar issues, we may be required to restructure our affected operations to maintain compliance with applicable law and/or be subject to liability. Such restructuring may not be possible or, if possible, may have a material adverse effect on our results of operations, financial position, or cash flows. Environmental We are subject to various federal, state, and local laws and regulations relating to the protection of human health and the environment. If an environmental regulatory agency finds any of our facilities to be in violation of environmental laws, penalties and fines may be imposed for each day of violation and the affected facility could be forced to cease operations. We could also incur other significant costs, such as cleanup costs or claims by third parties, as a result of releases of hazardous substances or violations of, or other liabilities under, environmental laws. Although we believe that our environmental practices, including waste handling and disposal practices, are in material compliance with applicable laws, future claims or violations, or changes in environmental laws, could have a material adverse effect on our results of operations, financial position or cash flows. State Regulation of Insurance-Related Products Laws in each of the states in which we operate our business license and regulate entities that offer health plans to residents of that state. The products we offer are sold under licenses issued by the applicable insurance regulators. However, for entities offering Medicare Advantage plans, federal law preempts all state laws and regulations except those relating to licensing and financial solvency. With respect to state regulation of financial solvency, certain of our licensed insurance subsidiaries are subject to regulation under state insurance holding company regulations. These regulations generally require, among other things, prior approval and/or notice of certain material transactions, including dividend payments, purchases or sales of assets, intercompany agreements, and the filing of various financial and operational reports. The amount of dividends that may be paid to us by these insurance subsidiaries, without prior approval by state regulatory authorities, or ordinary dividends, is limited based on the entity's level of statutory income and statutory capital and surplus. Actual dividends paid may vary due to consideration of excess statutory capital and surplus and expected future surplus requirements. We continue to maintain our levels of aggregate excess statutory capital and surplus in our state-regulated operating subsidiaries. Dividends from our non-insurance companies are generally not restricted by departments of insurance. If any of our plans or operations are found to violate these or other applicable government laws or regulations, we could suffer severe consequences that would have a material adverse effect on our business, results of operations, financial condition, cash flows, reputation and stock price, including: - suspension or termination of one or more of our plans;- refunds of amounts received in violation of law or applicable payment program requirements dating back to the applicable statute of limitation periods;- loss of our required government certifications;- loss of our licenses required to operate our clinics and in-house care delivery programs;- criminal or civil liability, fines, damages or monetary penalties for violations of healthcare fraud and abuse laws, including the federal Anti-Kickback Statute, Stark Law and FCA, or other failures to meet regulatory requirements;- enforcement actions by governmental agencies and/or state law claims for monetary damages by members who believe their PHI has been used, disclosed or not properly safeguarded in violation of federal or state patient privacy laws, including HIPAA and the Privacy Act of 1974;- mandated changes to our practices or procedures that significantly increase operating expenses;- imposition of and compliance with corporate integrity agreements that could subject us to ongoing audits and reporting requirements as well as increased scrutiny of our billing and business practices which could lead to potential fines, among other things;- termination of various relationships and/or contracts related to our business, including joint venture arrangements, medical director agreements, real estate leases and consulting agreements with physicians; and - harm to our reputation which could negatively impact our business relationships, affect our ability to attract and retain members and physicians, affect our ability to obtain financing and decrease access to new business opportunities, our ability to develop relationships with providers, among other things.

There can be no assurance that future tax law changes will not increase the rate of the corporate income tax significantly, impose new limitations on deductions, credits or other tax benefits, or make other changes that may adversely affect our business, cash flows or financial performance. Executive or Congressional actions could materially increase our tax obligations and significantly impact our effective tax rate in the period such guidance is issued or such actions take effect, and in future periods. In addition, it may be the case that the Internal Revenue Service (the "Service") has yet to issue guidance on a number of important issues regarding the changes made by recent or future legislation. In the absence of such guidance, we may take positions with respect to a number of unsettled issues. There is no assurance that the Service or a court will agree with the positions taken by us, in which case tax penalties and interest may be imposed that could adversely affect our business, cash flows or financial performance.

The Inflation Reduction Act of 2022 ("IRA"), signed into law on August 16, 2022, reflects an ongoing effort to control prescription drug costs and reduce spending by the federal government. The IRA contains several provisions that impact the Part D program and that may influence our benefit design and profitability. For example, beginning in 2024, Part D plans were required to eliminate member cost-sharing in the catastrophic phase of the benefit, and beginning in 2025, the coverage gap phase was eliminated. Part D plans must now also implement a cap on member out-of-pocket spending of $2,000. These changes have the potential to increase the financial responsibility of Part D plan sponsors. Furthermore, beginning in 2025, Part D plans must offer enrollees the option to pay out-of-pocket prescription drug costs in the form of capped monthly payments instead of all at once at the pharmacy. This may increase administrative burdens for plans by requiring new payment tracking systems and risk management strategies. These changes may significantly alter the plans that we offer and may adversely affect our business, results of operations and financial condition.