Community Health (CYH) Risk Analysis

We are a party to various legal, regulatory and governmental proceedings and other related matters, including government investigations. In addition, we are and may become subject to other loss contingencies, both known and unknown, which may relate to past, present and future facts, events, circumstances and occurrences. Should an unfavorable outcome occur in connection with our current or potential future legal, regulatory or governmental proceedings or other loss contingencies, or if we become subject to any such loss contingencies in the future, there could be an adverse impact on our financial position, results of operations and liquidity. In particular, government investigations, as well as qui tam lawsuits, may lead to significant fines, penalties, damages payments or other sanctions, including exclusion from government healthcare programs. Settlements of lawsuits involving Medicare and Medicaid issues routinely require both monetary payments and corporate integrity agreements, each of which could have an adverse effect on our business, financial condition, results of operations and/or cash flows.

We are subject to tax in the United States as well as those states in which we do business. Changes in tax laws, including increased rates, or interpretations of tax laws by taxing authorities or other standard setting bodies, could increase our tax obligations and materially and adversely impact our results of operations.

The data protection landscape is rapidly evolving. We are subject to numerous state and federal laws, requirements and regulations governing the collection, use, storage, processing, disclosure, retention, privacy and security of health-related and other regulated, sensitive or confidential information and may become subject to additional legal requirements of this nature in the future. For example, the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act of 2009, each as amended, and the privacy and security regulations that implement these laws (collectively, "HIPAA") establish national privacy and security standards for the protection of protected health information, or PHI, by health plans, healthcare clearinghouses and certain healthcare providers, referred to as covered entities, and the business associates with whom such covered entities contract for services. HIPAA regulates permissible uses and disclosures of PHI and requires covered entities and business associates to adopt administrative, physical and technical safeguards to protect such information. Covered entities must notify affected individuals without unreasonable delay of breaches of unsecured PHI, the HHS Office for Civil Rights, or OCR, which enforces HIPAA, and, in the case of larger breaches, the media. Failure to comply with the HIPAA privacy and security standards can result in civil monetary penalties, resolution agreements, monitoring agreements, and criminal penalties including fines and/or imprisonment. A covered entity may be subject to penalties as a result of a business associate violating HIPAA. In addition, state attorneys general may enforce the HIPAA privacy and security regulations in response to violations that threaten the privacy of state residents. Although HIPAA does not create a private right of action allowing individuals to sue in civil court for violations, the laws and regulations have been used as the basis for duty of care in state civil suits such as those for negligence or recklessness in the misuse or breach of PHI. There are numerous other laws and legislative and regulatory initiatives at the federal and state levels governing the confidentiality, privacy, availability, integrity and security of PHI and other types of personal information. Certain state laws may be more stringent, broader in scope or offer greater individual rights with respect to PHI than HIPAA, state laws may differ from each other, and the interplay of federal and state laws may be subject to varying interpretations by courts and government agencies, all of which may complicate compliance efforts. Where state laws are more protective than HIPAA or apply more broadly, we have to comply with their stricter provisions. Not only do some of these state laws impose fines and other penalties upon violators, but some may afford private rights of action to individuals who believe their personal information has been misused. We may not remain in compliance with diverse privacy and security requirements in all of the jurisdictions in which we do business, particularly to the extent they are inconsistent, rapidly changing and/or ambiguous and uncertain as to their applicability to our business practices. In addition, we are subject to consumer protection laws and regulations in connection with our business activities. For example, the FTC uses its consumer protection authority to initiate enforcement actions in response to data breaches. Failing to take appropriate steps to keep consumers' personal information secure may violate the Federal Trade Commission Act, or the FTCA. For information that is not subject to HIPAA and deemed to be "personal health records," the FTC may also impose penalties for violations of the Health Breach Notification Rule, or HBNR, to the extent we are considered a "personal health record-related entity" or "third party service provider." The FTC has taken several enforcement actions under HBNR and indicated that the FTC will continue to protect consumer privacy through greater use of the agency's enforcement authorities. As a result, we expect scrutiny by federal and state regulators and others of our collection, use and disclosure of health information. Additionally, federal and state consumer protection laws are increasingly being applied by FTC and states' attorneys general to regulate the collection, use, storage, and disclosure of personal or personally identifiable information, through websites or otherwise, and to regulate the presentation of website content. Our marketing and patient engagement activities are subject to communications laws such as the Telephone Consumer Protection Act, or the TCPA, and the Controlling the Assault of Non-Solicited Pornography and Marketing Act, or CAN-SPAM. Determination by a court or regulatory agency that our calling, texting or email practices violate the TCPA or CAN-SPAM could subject us to civil penalties and could require us to change some portions of our business. Even an unsuccessful challenge by patients or regulatory authorities of our activities could result in adverse publicity and could require a costly response from and defense by us. Other federal and state laws that restrict the use and protect the privacy and security of personally identifiable information may not be preempted by HIPAA, may apply to new categories of health information, such as "consumer health data," and may be subject to varying interpretations by the courts and government agencies. These varying interpretations can create complex compliance issues for us and our partners and potentially expose us to additional expense, adverse publicity, and liability, any of which could adversely affect our business. Although we strive to comply with applicable laws and regulations, the requirements related to the collection, use, storage, processing, disclosure, retention, privacy and security of health and other regulated, sensitive or confidential information are evolving rapidly and may be interpreted or applied in an inconsistent manner across jurisdictions. The cost of compliance with these laws and regulations is high and is likely to increase in the future. Any failure or perceived failure by us to comply with applicable data privacy and security laws or regulations, our internal policies and procedures or our contracts governing our processing of health and other regulated, sensitive or confidential information, or to otherwise adequately address privacy and security concerns, could result in negative publicity, government investigations and enforcement actions, claims by third parties and damage to our reputation, any of which could have a material adverse effect on our business, operations, or financial results.

The healthcare industry is highly competitive among hospitals, other healthcare providers and other industry participants, for patients, affiliations with physicians and other personnel and acquisitions. Generally, other hospitals and healthcare facilities, including specialized care providers such as outpatient surgery, orthopedic, oncology and diagnostic centers, in our service areas provide services similar to those we offer. Many individuals are seeking a broader range of services at outpatient facilities as a result of the growing availability of outpatient facilities, the increase in payor reimbursement policies that restrict inpatient coverage and the increase in services that can be provided on an outpatient basis, among other factors. Changes in licensure or other regulations, recognition of new provider types or payment models and industry consolidation could negatively impact our competitive position. For example, in states with certificate of need or similar prior approval requirements, removal of these requirements could remove barriers to entry and increase competition in our service areas. Our hospitals, our competitors, and other healthcare industry participants are increasingly implementing physician alignment strategies, such as acquiring physician practice groups, employing physicians and participating in ACOs or other clinical integration models. Increasing consolidation within the payor industry, vertical integration efforts involving payors and healthcare providers and cost-reduction strategies by payors, large employer groups and their affiliates may impact our ability to contract with payors on favorable terms and participate in favorable payment tiers or provider networks and otherwise may affect our competitive position. Legislative and regulatory initiatives, such as changes in Texas law that eliminated restrictions on tiered networks and steering patients to particular providers, may accelerate or otherwise impact these trends. The majority of our hospitals are located in generally larger non-urban service areas in which we believe we are the primary, if not the sole, provider of general acute care health services. As a result, the most significant competition for providers of general acute care services are hospitals outside of our primary service areas, typically hospitals in larger urban areas that provide more complex services. Patients in our primary service areas may travel to other hospitals because of physician referrals, payor networks that exclude our providers or the need for services we do not offer, among other reasons. Patients who receive services from these other hospitals may subsequently shift their preferences to those hospitals for the services we provide. Our hospitals that are located in urban service areas may face competition from hospitals that are more established than our hospitals. Some of our competitors offer services, including extensive medical research and medical education programs, which are not offered by our facilities. In addition, in certain markets where we operate, there are large teaching hospitals that provide highly specialized facilities, equipment and services that may not be available at our hospitals. At December 31, 2024, 47 of our hospitals competed with one or more non-affiliated hospitals in their respective primary service areas. In most markets in which we are not the sole provider of general acute care health services, our primary competitor is a municipal or not-for-profit hospital. These hospitals are owned by tax-supported governmental agencies or not-for-profit entities supported by endowments and charitable contributions. These hospitals are exempt from sales, property and income taxes. Such exemptions and support are not available to our hospitals and may provide the tax-supported or not-for-profit entities an advantage in funding general and capital expenditures and offering services more specialized than those available at our hospitals. If our competitors are better able to attract patients with these offerings, we may experience an overall decline in patient volume. Trends toward transparency and value-based purchasing may have an impact on our competitive position, ability to obtain and maintain favorable contract terms, and patient volumes in ways that are difficult to predict. CMS websites make available to the public certain data that hospitals and various other types of Medicare-certified providers submit in connection with Medicare reimbursement claims, including performance data related to quality measures and patient satisfaction surveys. If any of our hospitals or other provider types achieve poor results (or results that are lower than our competitors) on the quality measures or on patient satisfaction surveys, we may attract fewer patients. Further, every hospital must establish and update annually a public, online listing of the hospital's standard charges for all items and services, including discounted cash prices and payor-specific charges, and must also publish a consumer-friendly list of standard charges for certain "shoppable" services or maintain an online price estimator tool for the shoppable services. HHS also requires health insurers to publish online charges negotiated with providers for healthcare services, and health insurers must provide online price comparison tools to help individuals get personalized cost estimates for all covered items and services. The No Surprises Act creates additional price transparency requirements that may impact our competitive position, including requiring providers to send uninsured or self-pay patients and health plans of insured patients a good faith estimate of the expected charges and diagnostic codes prior to the scheduled date of the service or item or upon request. Until HHS issues additional regulations, HHS is deferring enforcement of portions of the good faith estimate requirements. It is unclear how price transparency requirements and similar initiatives will affect consumer behavior, our relationships with payors, or our ability to set and negotiate prices, but our competitive position could be negatively affected if our standard charges are higher or are perceived to be higher than the charges of our competitors. We expect these competitive trends to continue. We pursue various strategies intended to ensure our hospitals and other facilities are competitive, including by enhancing outpatient service offerings, offering competitive pricing to group purchasers of healthcare services, upgrading facilities and equipment, exploring new and expanded services and programs and engaging quality physicians and other skilled clinical personnel. However, if we are unable to compete effectively with other hospitals and other healthcare providers and patients seek healthcare services at providers other than our hospitals and affiliated businesses, we could experience declines in patient volumes, which could adversely affect our business.

We license certain intellectual property, including technologies and software from third parties, that is important to our business, and in the future, we may enter into additional agreements that provide us with licenses to valuable intellectual property or technology. If we fail to comply with any of the obligations under our license agreements, we may be required to pay damages and the licensor may have the right to terminate the license. Termination by the licensor would cause us to lose valuable rights, and could prevent us from selling our solutions and services, or adversely impact our ability to commercialize future solutions and services. Our business would suffer if any current or future licenses terminate, if the licensors fail to abide by the terms of the license agreement, if the licensors fail to enforce licensed intellectual property against infringing third parties, if the licensed intellectual property are found to be invalid or unenforceable, or if we are unable to enter into necessary license agreements on acceptable terms or at all. Any of the foregoing could have an adverse effect on our business, financial condition or results of operations.

We rely extensively on information technology systems to manage clinical and financial data, to communicate with our patients, payors, vendors and other third parties, to summarize and analyze operating results, and for a number of other critical operational functions. We have made significant investments in technology to protect our systems, equipment and medical devices and information from cybersecurity risks. These risks include incidents involving ransomware and other malicious software, phishing, advanced persistent threats, social engineering, credential stuffing or distributed denial-of-service attacks, or other attempts by third parties to access, acquire, use, disclose, misappropriate or manipulate our information or disrupt our operations. Although we monitor and routinely test our security systems and processes and have redundancies as well as other proactive measures designed to protect the integrity, security and availability of the systems and data we manage and control, there can be no assurance that we, or our third-party vendors and providers, will not be subject to security breaches and other cybersecurity incidents. In this regard, we are frequently the target of cybersecurity attacks and other threats that could have a security impact, and we have experienced cybersecurity incidents from time to time. In particular, on February 13, 2023, we disclosed a security incident in which a third-party vendor who provides a secure file transfer software platform utilized by our subsidiaries experienced a security breach whereby PHI and personal information of certain patients of our healthcare facilities were exposed to an unauthorized third party. The current cyber threat environment presents increased risk for all companies, particularly companies in the healthcare industry, as the volume and intensity of cyber-attacks on hospitals and health systems has continued to increase, and we expect to experience an increase in cybersecurity threats in the future. Moreover, advanced new attacks against our information systems and devices or those of our third-party vendors create risk of cybersecurity incidents, including ransomware, malware and phishing incidents. The preventive actions we take to reduce the risk of such incidents and protect our systems and data may not be sufficient in the future. In addition, cybersecurity threats continue to evolve. Additionally, the rapid evaluation and increased adoption of AI technologies may heighten our cybersecurity risks by making cyber-attacks more difficult to detect, contain and mitigate, particularly with detection devices that use voice recognition or authentication. Because the techniques used in cyber-attacks change frequently and may not be immediately recognized, we may experience security or data breaches that remain undetected for an extended time. We may be required to expend significant additional resources to continue to modify or enhance our protective measures or to investigate and remediate any information security vulnerabilities, and we still might not be able to anticipate or prevent certain attack methods. Further, cybersecurity threats, including those that result in a data or security breach, could impact the integrity, availability or security of PHI and other data subject to privacy laws and regulations, disrupt our information technology systems, equipment, medical devices or business and threaten the access and utilization of critical information technology and data. Our ability to provide various healthcare services could be affected, particularly with respect to telehealth services. In addition, medical devices that connect to hospital networks or the internet may be vulnerable to cybersecurity incidents, which may impact patient safety. We may be at increased risk because we outsource certain services or functions to, or have systems that interface with, third parties. Some of these third parties' information systems are also subject to the risks outlined above and may store or have access to our data and may not have effective controls, processes or practices to protect our information from attack, damage or unauthorized access, acquisition, use or disclosure. A breach or attack affecting any of these third parties could harm our business. In addition, the definitive agreements we enter into in connection with the divestiture of hospitals routinely obligate us to provide transition services to the buyer, including access to our legacy information systems, for a defined transition period. By providing access to our information systems to non-employees, we may be exposed to cyber-attacks, ransomware or security or data breaches that originate outside of our internal processes and practices designed to prevent such threats from occurring. Further, consumer confidence in the integrity, availability and confidentiality of information systems and information, including patient information and operations data, in the healthcare industry generally could be impacted to the extent there are successful cyber-attacks at other healthcare services companies, which could have a material adverse effect on our business, operations or financial results. As cyber threats continue to evolve and increase in volume and sophistication, we may be required to expend significant additional resources to continue to modify or enhance our protective measures. We may also be required to incur additional expenses to comply with evolving federal and state requirements related to cybersecurity, including those focused on healthcare providers. Despite our efforts to minimize our exposure to cyber-attacks, there can be no assurance that our controls and procedures in place will be sufficient or timely. If we or our information, systems are subject to cyber-attacks or security or data breaches in the future, or the information systems of third parties with whom we conduct business are subject to cyber-attacks or security or data breaches in the future in a manner which impacts us or our information systems, this could result in harm to patients; business and operational interruptions and delays; the loss, misappropriation, corruption or unauthorized access, acquisition, use or disclosure of data or inability to access data; litigation and potential liability under privacy, security, breach notification and consumer protection laws or other applicable laws, including HIPAA; reputational damage; federal and state governmental inquiries, civil monetary penalties, settlement agreements, corrective action plans and monitoring requirements, any of which could have an adverse effect on our business, financial condition or results of operations. Moreover, any significant cybersecurity event may require us to devote significant management time and resources to address and respond to any such event, interfere with the pursuit of other important business strategies and initiatives, and cause us to incur additional expenditures, which could be material, including to investigate such events, remedy cybersecurity problems, recover lost data, prevent future compromises and adapt systems and practices in response to such events. Further, there is no assurance that any remedial actions will meaningfully limit the success of future attempts to breach our information systems, particularly because malicious actors are increasingly sophisticated and utilize tools and techniques specifically designed to circumvent security measures, avoid detection and obfuscate forensic evidence, which means we may be unable to identify, investigate or remediate effectively or in a timely manner. Additionally, we are subject to an increasing number of cybersecurity reporting obligations in different jurisdictions that vary in their scope and application, which may create conflicting reporting obligations and inhibit our ability to quickly provide complete and reliable information to patients, business relations, and regulators, as well as to the public. Moreover, while we have insurance coverage in place designed to address certain aspects of cybersecurity risks, such insurance coverage may be insufficient to cover all losses or all types of claims that may arise.

As a provider of healthcare services, we are subject to the health, economic and other effects of public health conditions, and were significantly impacted by the public health and economic effects of the COVID-19 pandemic. If a future pandemic, epidemic, outbreak of an infectious disease or other public health crisis were to occur in a market in which we operate or otherwise affects our markets, our business and operations could be adversely affected. Any such crisis could diminish the public trust in healthcare facilities, especially hospitals that fail to accurately or timely diagnose, or that are treating (or have treated) patients affected by, contagious diseases. If any of our facilities are involved, or perceived as being involved, in treating patients for such a contagious disease, other patients might cancel elective procedures or fail to seek needed care at our facilities. Patient volumes may decline or volumes of uninsured and underinsured patients may increase, depending on the economic circumstances surrounding the pandemic, epidemic, or outbreak. Further, a pandemic, epidemic, or outbreak might adversely impact our business by causing a temporary shutdown or diversion of patients, by causing disruption or delays in supply chains for materials and products or by causing staffing shortages in our facilities. Although we have contingency plans in place, including infection control and disaster plans, the potential impact of, as well as the public's and government's response to, any such future pandemic, epidemic or outbreak of an infectious disease with respect to our markets or our facilities is difficult to predict and could adversely impact our business and operations.