Hims & Hers Health (HIMS) Risk Analysis

Our Ohio facility, our Arizona facilities, MedisourceRx, and from time to time certain third party logistics providers collectively hold a significant portion of our inventory. From time to time, we order inventory with sufficient lead time in order to ensure our ability to fulfill anticipated customer demand for supply chain, seasonality, or other reasons. We store this inventory at some or all of the previously mentioned facilities, and we may have a significant level of inventory in storage during certain quarters. A natural disaster, fire, power interruption, work stoppage, or other calamity at any of these facilities would significantly disrupt our ability to deliver our products and operate our business, particularly if we had a significant level of inventory stored in a damaged or unusable facility. If a material amount of any facility, machinery, or inventory were damaged or unusable for any reason, we would be unable to meet our obligations to customers and wholesale partners, which could materially adversely affect our business, financial condition, and results of operations.

We provide customers with access to non-prescription products, telehealth-based consultations with Providers, and certain prescription medications that may be prescribed by Providers in connection with telehealth consultations. In order for our business to continue growing, we need to maintain and continue expanding the scope of products and services we offer our customers, including telehealth consultations, prescription medication for additional conditions, and non-prescription health and wellness products and services. The introduction of new products, services, or technologies, including disruptive technologies by market participants, including us, can quickly make our products and services obsolete and unmarketable. Additionally, changes in laws and regulations (or enforcement thereof) could impact the usefulness of our platform or offerings and could necessitate changes or modifications to our platform or offerings to accommodate such changes. Alternatively, the introduction of new products, services or technologies could expose us to new or increased regulatory risks, including with respect to healthcare, privacy, or consumer protection laws, either through the provision of such products, services, or technologies, or by virtue of the new or expanded personal and health information we acquire from customers to support such offerings. We invest substantial resources in researching and developing new offerings and enhancing our solutions by incorporating additional features, improving functionality, and adding other improvements to meet our customers' evolving demands. The success of any enhancements or improvements to our services or any new offerings depends on a number of factors, including timely completion, competitive pricing, adequate quality testing, integration with new and existing technologies, regulatory compliance, and overall market acceptance. We may not succeed in developing, marketing, and delivering on a timely and cost-effective basis enhancements or improvements to our products or services or any new offerings that respond to continued changes in market demands or new customer requirements, and any enhancements or improvements to our products or services or any new offerings may not achieve market acceptance. Since developing enhancements to our products and services and the launch of new offerings can be complex, the timetable for the release of new offerings and enhancements to our existing products and services is difficult to predict, and we may not launch new offerings and updates as rapidly as our current or prospective customers require or expect. For example, in May 2024, we began providing access to compounded injectable semaglutide, a glucagon-like peptide-1 receptor agonist (GLP-1), on our platform as part of our weight loss specialty. GLP-1s are subject to elevated consumer demand, related global drug shortages, federal and state-specific regulatory limitations, limited manufacturing capacity and potential supply chain disruptions, all of which could affect our ability to provide continuing access to such GLP-1s. Increasing consumer demand could further increase prices and/or constrain supply, and an evolving regulatory landscape could impact our ability to continue offering access to such products. For example, while we do not provide access to compounded tirzepatide, the U.S. Food and Drug Administration (the "FDA") removed tirzepatide from its shortage list in October 2024, and then reconsidered that decision less than two weeks later. Additionally, all doses of semaglutide branded under Ozempic and Wegovy became listed as available on the FDA's shortage list as of October 30, 2024. As of November 4, 2024, the FDA considers semaglutide injection to continue to be in shortage, but it may determine to resolve the shortage in the future, which could constrain our ability to continue providing access to compounded semaglutide on our platform once our current inventory has been sold. While we do not provide access to compounded tirzepatide, the regulatory landscape applicable to GLP-1s continues to rapidly evolve. If regulatory or market conditions change, or we are unable to meet our customers' demand for our offerings, or if they do not otherwise meet customer expectations, our brand, reputation and results of operations could be adversely affected. Any new offerings or product or service enhancements that we develop may not be introduced in a timely or cost-effective manner, may contain errors or defects, or may not achieve the market acceptance necessary to generate sufficient revenue. In addition, any failure, or perceived failure, by us to comply with any federal, state, or local laws or regulations with respect to any new offering or product or service enhancement could adversely affect our reputation, brand, and business, and may result in claims, proceedings, or actions against us by governmental entities, consumers, suppliers, or others or other liabilities that may require us to change our operations and/or cease offering certain products or services. Moreover, even if we introduce new offerings, we may experience a decline in revenue of our existing offerings that is not offset by revenue from the new offerings. In addition, we may lose existing customers who choose a competitor's products and services. This could result in a temporary or permanent revenue shortfall and adversely affect our business.

In the ordinary course of our business, we collect, store, use and disclose sensitive data, including health information and other types of PII. We also process and store, and use additional third parties to process and store, confidential and proprietary information such as intellectual property and other proprietary business information, including that of our customers, the Providers on our platform, and partners. Our customer information is encrypted but not always de-identified. We manage and maintain our platform and data utilizing a combination of managed data center systems and cloud-based computing center systems. We are highly dependent on information technology networks and systems, including the internet, to securely process, transmit, and store this critical information. Security breaches of this infrastructure, including physical or electronic break-ins, computer viruses, attacks by hackers and similar breaches, and employee or contractor error, negligence or malfeasance, can create system disruptions, shutdowns, or unauthorized disclosure or modifications of information, causing sensitive, confidential or proprietary information to be accessed or acquired without authorization, or to become publicly available. We utilize vendors and other third-party service providers for important aspects of the collection, storage, transmission, and verification of customer information and other confidential, and sensitive information, and therefore rely on third parties to manage functions that have material cybersecurity risks. Because of the nature of the sensitive, confidential, and proprietary information that we and our service providers collect, store, transmit, and otherwise process, the security of our and our vendors' technology platforms and other aspects of our services, including those provided or facilitated by third-party service providers, are important to our operations and business strategy. We take certain administrative, legal, physical, and technological safeguards to address these risks, such as requiring outsourcing subcontractors who handle customer, user, and patient information for us to enter into agreements that contractually obligate those subcontractors to use reasonable efforts to safeguard sensitive, confidential, and proprietary information. Measures taken to protect our systems, those of our vendors or other third-party service providers, or sensitive, confidential, and proprietary information that we or such third-party service providers process or maintain, may not adequately protect us from the risks associated with the collection, storage, and transmission of such information. Certain of our vendors have experienced security breaches or other disruptions in the past, and we expect that other vendors or third-party service providers will experience such breaches or other disruptions in the future. Although we take steps to help protect sensitive, confidential, and proprietary information from unauthorized access or disclosure, our information technology and infrastructure may be vulnerable to attacks by hackers or viruses, failures or breaches due to third-party action, employee negligence or error, malfeasance, or other disruptions. Increased global IT security threats and more sophisticated and targeted computer crime pose a risk to the security of our systems and networks and the confidentiality, availability, and integrity of our data. There have been several recent, highly publicized cases in which organizations of various types and sizes have reported the unauthorized disclosure of customer or other confidential information, as well as cyberattacks involving the dissemination, theft and destruction of corporate information, intellectual property, cash, or other valuable assets. There have also been several highly publicized cases in which hackers have requested "ransom" payments in exchange for not disclosing customer or other confidential information or for not disabling the target company's computer or other systems. A security breach or privacy violation that leads to disclosure or unauthorized use or modification of, or that prevents access to or otherwise impacts the confidentiality, security, or integrity of, sensitive, confidential, or proprietary information we or our vendors or other third-party service providers maintain or otherwise process, could harm our reputation, compel us to comply with breach notification laws, and cause us to incur significant costs for remediation, fines, penalties, notification to individuals and governmental authorities, implementation of measures intended to repair or replace systems or technology, and to prevent future occurrences, potential increases in insurance premiums, and forensic security audits or investigations. As a result, a security breach or privacy violation could result in material increased costs or loss of revenue. If we are unable to prevent such security breaches or privacy violations or implement satisfactory remedial measures, or if it is perceived that we have been unable to do so, our operations could be disrupted, we may be unable to provide access to our platform, and could suffer a loss of customers or Providers or a decrease in the use of our platform, and we may suffer loss of reputation, adverse impacts on customer, Provider, and partner confidence, financial loss, governmental investigations or other actions, regulatory or contractual penalties, and other claims and liability. In addition, security breaches and other inappropriate access to, or acquisition or processing of, information can be difficult to detect, and any delay in identifying such incidents or in providing any notification of such incidents may lead to increased harm. Any such breach or interruption of our systems or any of our third-party information technology partners, could compromise our networks or data security processes and sensitive, confidential, or proprietary information could be inaccessible or could be accessed by unauthorized parties, publicly disclosed, lost, or stolen. Any such interruption in access, improper access, disclosure or other loss of such information could result in legal claims or proceedings, liability under laws and regulations that protect the privacy of customer information or other personal information, and regulatory penalties. Unauthorized access, loss or dissemination could also disrupt our operations, including our ability to operate our platform and perform our services, provide customer assistance services, conduct research and development activities, collect, process, and prepare company financial information, provide information about our current and future offerings, and engage in other user and clinician education and outreach efforts. Any such breach or disruption could also result in the compromise of our trade secrets and other proprietary information, which could adversely affect our business and competitive position. We may also not be fully indemnified for the costs we may incur as a result of any such breach at one of our vendors or other third-party service providers. While we maintain insurance covering certain security and privacy damages and claim expenses, we may not carry insurance or maintain coverage sufficient to compensate for all liability and in any event, insurance coverage would not address the reputational damage that could result from a security incident. In addition, cyber liability insurance is expensive and insurance premiums may increase significantly and/or we may have trouble obtaining adequate cyber insurance in the future based upon increasing global IT security threats. Any data privacy or security claims made against us or relating to our business that are not fully covered by insurance could be costly to defend against, result in substantial damage awards against us, and divert the attention of our management, which could have a material adverse effect on our business, financial condition, and results of operations.

In recent years, the United States and other significant markets have experienced cyclical downturns and worldwide economic conditions remain uncertain, particularly as a result of inflation and related market and macroeconomic responses the ongoing conflict arising out of the Russian invasion of Ukraine, and the hostilities and conflict in the Middle East. Economic uncertainty and associated macroeconomic conditions, including geopolitical tensions, inflation, trade and supply chain issues and the availability and cost of credit in the United States and other countries have contributed to increased market volatility or market declines, make it extremely difficult for our partners, suppliers, and us to accurately forecast and plan future business activities, could cause our customers to slow spending on our offerings, and could limit the ability of our Partner Pharmacies, MedisourceRx and our Affiliated Pharmacies to purchase sufficient quantities of pharmaceutical products from suppliers, which could adversely affect our ability to fulfill customer orders and attract new Providers. A significant downturn in the domestic or global economy may cause our customers to pause, delay, or cancel spending on our platform or seek to lower their costs by exploring alternative providers or our competitors. To the extent purchases of our offerings are perceived by customers and potential customers as discretionary, our revenue may be disproportionately affected by delays or reductions in general health and wellness spending. Also, competitors may respond to challenging market conditions by lowering prices and attempting to lure away our customers. We cannot predict the timing, strength, or duration of any economic slowdown or recession, or any subsequent recovery generally, or any industry in particular. If the conditions in the general economy and the markets in which we operate worsen from present levels, our business, financial condition, and results of operations could be materially adversely affected.

Expanding our business to attract customers, Providers, and suppliers in countries other than the United States is an element of our long-term business strategy. An important part of targeting international markets is increasing our brand awareness and establishing relationships with partners internationally. Conducting business internationally involves a number of risks, including: - uncertain legal and regulatory requirements applicable to telehealth and prescription medication;- our inability to replicate our domestic business structure consistently outside of the United States, especially as it relates to our contractual arrangement with affiliated professional entities;- multiple, conflicting and changing laws and regulations such as tax laws, privacy and data protection laws and regulations including the use of big data analytics and artificial intelligence, export and import restrictions, employment laws, regulatory requirements and other governmental approvals, permits and licenses;- obtaining regulatory approvals or clearances where required for the sale of our offerings, products, and services in various countries;- requirements to maintain data and the processing of that data on servers located within the United States or in other countries;- protecting and enforcing our intellectual property rights;- logistics and regulations associated with prescribing medicine online and engaging with Partner Pharmacies to ship the prescribed medication;- natural disasters, political and economic instability, including wars, terrorism, social or political unrest, including civil unrest, protests, and other public demonstrations, outbreaks of disease, pandemics or epidemics, boycotts, curtailment of trade, and other market restrictions; and - regulatory and compliance risks that relate to maintaining accurate information and control over activities subject to regulation under the U.S. Foreign Corrupt Practices Act (the "FCPA"), and comparable laws and regulations in other countries. Our ability to continue to expand our business and to attract talented employees, customers, Providers, partners, and suppliers in various international markets will require considerable management attention and resources and is subject to the particular challenges of supporting a rapidly growing business in an environment of multiple languages, cultures, customs, legal systems, alternative dispute resolution systems, regulatory systems, and commercial infrastructures. Entering new international markets will be expensive, our ability to successfully gain market acceptance in any particular market is uncertain, and the distraction of our senior management team to focus on international expansion could harm our business, financial condition, and results of operations.