In the ordinary course of our business, we collect and store sensitive data, including personal information, credit card and other financial information, intellectual property and proprietary business information owned or controlled by us or other parties such as customers and payers. We also communicate sensitive data, including patient data, through phone, Internet, facsimile, multiple third-party vendors and their subcontractors. We depend on information technology ("IT") systems for significant elements of our operations, including our laboratory information management system and our ExactNexus™ technology platform. Our IT systems support a variety of functions, including laboratory operations, test validation, sample tracking, quality control, customer service support, billing and reimbursement, research and development activities, scientific and medical curation and general administrative activities. We face a number of risks related to protecting this critical information, including loss of access, inappropriate use or disclosure, unauthorized access, inappropriate modification and our being unable to adequately monitor, audit or modify our controls over such critical information. This risk extends to the third-party vendors and subcontractors we use to manage this sensitive data or otherwise process it on our behalf as well as other third parties we share information with like hospitals and health systems.
IT systems are vulnerable to damage from a variety of sources, including telecommunications or network failures, malicious human acts from criminal hackers, hacktivists, state-sponsored intrusions, industrial espionage and employee malfeasance, breaches due to employee error and natural disasters. Cyberattacks are becoming more sophisticated and frequent, and in some cases have caused significant harm at other companies. While we devote significant resources to protect the security of our IT systems, including the personal data and other information that we receive and store, there can be no assurance that any security measures will be effective against current or future security threats. We have experienced and expect to continue to experience attempted cyberattacks of our IT systems and networks. To date, none of these attempted cyberattacks has had a material effect on our operations or financial condition. However, any such breach or interruption could compromise our networks and the information stored therein could be accessed by unauthorized parties, publicly disclosed, lost or stolen. Despite the precautionary measures we have taken to prevent unanticipated problems that could affect our IT systems, unauthorized access, loss or disclosure could also disrupt our operations, including our ability to:
- process tests, provide test results, bill payers or patients;
- process claims and appeals;
- provide customer assistance services;
- conduct research and development activities;
- collect, process and prepare company financial information;
- provide information about our tests and other patient and healthcare provider education and outreach efforts through our website; and
- manage the administrative aspects of our business.
Any such access, disclosure or other loss of information could result in legal claims or proceedings, liability under laws that protect the privacy of personal information, such as the Health Insurance Portability and Accountability Act of 1996, similar U.S. state data protection regulations, the GDPR, and other regulations, the breach of which could result in significant penalties and damage to our reputation. In addition, disruptions to our business occurring as a result of system updates and enhancements, such as our efforts to move our precision oncology tests to our technology and services platform, could have a material adverse effect on our financial condition and operating results. There can be no assurance that our process of improving existing systems, developing new systems to support our expanding operations, protecting confidential patient information, and improving service levels will not be delayed or will not give rise to additional systems issues in the future. Although we carry insurance for this purpose, failure to adequately protect and maintain the integrity of our information systems and data, including as a result of a security breach, may result in significant losses that exceed our insurance coverage limits and have a material adverse effect on our financial position, results of operations, and cash flows.