In the conduct of our business, we process health-related and other personal information. The U.S. federal government, various states, and foreign governments have adopted or proposed laws, regulations, guidelines and rules for the collection, distribution, use and storage of personal information of individuals. For example, HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, and regulations implemented thereunder (collectively "HIPAA"), imposes privacy, security and breach notification obligations on certain healthcare providers, health plans, and healthcare clearinghouses, known as covered entities, as well as their business associates that perform certain services that involve creating, receiving, maintaining or transmitting individually identifiable health information for or on behalf of such covered entities, and their covered subcontractors. HIPAA requires covered entities and business associates to develop and maintain policies with respect to the protection of, use and disclosure of protected health information ("PHI"), including the adoption of administrative, physical and technical safeguards to protect such information, and certain notification requirements in the event of a breach of unsecured PHI.
Entities that are found to be in violation of HIPAA as the result of a breach of unsecured PHI, a complaint about privacy practices or an audit by the U.S. Department of Health and Human Services ("HHS"), may be subject to significant civil, criminal and administrative fines and penalties and/or additional reporting and oversight obligations. HIPAA also authorizes state Attorneys General to file suit on behalf of their residents. Courts may award damages, costs and attorneys' fees related to violations of HIPAA in such cases. While HIPAA does not create a private right of action allowing individuals to sue us in civil court for violations of HIPAA, its standards have been used as the basis for duty of care in state civil suits such as those for negligence or recklessness in the misuse or breach of PHI.
Further, the Federal Trade Commission (the "FTC") and many state Attorneys General continue to enforce federal and state consumer protection laws against companies for online collection, use, dissemination and security practices that appear to be unfair or deceptive. For example, according to the FTC, failing to take appropriate steps to keep consumers' personal information secure can constitute unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act. The FTC expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities.
We may also be subject to U.S. federal rules, regulations, and guidance concerning data security for medical devices, including guidance from the FDA. State privacy and security laws which govern the privacy, processing and protection of health-related and other personal information vary from state to state and, in some cases, can impose more restrictive requirements than U.S. federal law. Where state laws are more protective, we must comply with the stricter provisions. In addition to fines and penalties that may be imposed for failure to comply with state law, some states also provide for private rights of action to individuals for certain misuses of personal information. For example, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (collectively, the "CCPA"), requires covered businesses that process the personal information of California residents to, among other things: (i) provide certain disclosures to California residents regarding the business's collection, use, and disclosure of their personal information; (ii) receive and respond to requests from California residents to access, delete, and correct their personal information, or to opt out of certain disclosures of their personal information; and (iii) enter into specific contractual provisions with service providers that process California resident personal information on the business's behalf. Similar laws have passed in other states, and are continuing to be proposed at the state and federal level, reflecting a trend toward more stringent privacy legislation in the U.S. The enactment of such laws could create potentially conflicting requirements that would make compliance challenging, and additional compliance investment and potential business process changes may be required.
We also expect that there will continue to be new laws, regulations and industry standards concerning privacy, data protection and information security proposed and enacted in various jurisdictions. For example, Washington State enacted a broadly applicable law to protect the privacy of personal health information known as the "My Health My Data Act," which generally requires affirmative consent for the collection, use, or sharing of any "consumer health data." Consumer health data is defined to include personal information that is linked or reasonably linkable to a consumer and that identifies a consumer's past, present, or future physical or mental health status; consumer health data also includes information that is derived or extrapolated from non-health information, such as algorithms and machine learning. Other states, including Connecticut and Nevada, have also passed consumer health data laws, and given the increased focus on the use of health data by entities that are not subject to HIPAA, additional states are expected to pass consumer health privacy laws. In the event that we are subject to or affected by new and/or existing privacy and data protection laws, any liability from failure to comply with the requirements of these laws could adversely affect our financial condition.
We are also or may become subject to rapidly evolving data protection laws, rules and regulations in foreign jurisdictions. For example, in Europe, we are subject to the requirements of the General Data Protection Regulation ("GDPR") (and national laws implementing the GDPR) because we are "established" in certain EU countries and we are processing personal data of individuals located in the EU and EEA in the context of these establishments, as well as offering goods to, and/or monitoring the behavior of, individuals in the EU and EEA in connection with our clinical investigations. The GDPR, which went into effect in May 2018, imposes strict requirements for processing the personal data subject to the GDPR. If we do not comply with our obligations under the GDPR, we could be exposed to significant fines of the greater of EUR 20 million or 4% of total global annual turnover for certain breaches. In addition to the foregoing, a breach of the GDPR could result in regulatory investigations, reputational damage, orders to cease/change our use of data, enforcement notices, as well as potential civil claims including class action type litigation where individuals suffer harm.
Among other requirements, the GDPR regulates transfers of personal data subject to the GDPR to third countries that have not been found to provide adequate protection to such personal data, including the United States. Recent legal developments in Europe have created complexity and uncertainty regarding such transfers, in particular in relation to transfers to the United States, and the efficacy and longevity of current transfer mechanisms between the EEA and the United States remains uncertain. Case law from the Court of Justice of the European Union ("CJEU") states that reliance on the standard contractual clauses (SCCs) (a standard form of contract approved by the European Commission as an adequate personal data transfer mechanism) alone may not necessarily be sufficient in all circumstances and that transfers must be assessed on a case-by-case basis. We expect the existing legal complexity and uncertainty regarding international personal data transfers to continue. As supervisory authorities issue further guidance on personal data export mechanisms, including circumstances where the standard contractual clauses cannot be used, and/or start taking enforcement action, we could suffer additional costs, complaints and/or regulatory investigations or fines, and/or if we are otherwise unable to transfer personal data between and among countries and regions in which we operate, it could affect the manner in which we provide our services, the geographical location or segregation of our relevant systems and operations, and could adversely affect our financial results.
Further, from January 1, 2021, we have to comply with both the GDPR and the GDPR as incorporated into United Kingdom national law, under the United Kingdom General Data Protection Regulation and Data Protection Act 2018 (collectively, the "UK GDPR"), which imposes separate but similar fines of up to the greater of £17.5 million or 4% of global turnover. On October 12, 2023, the UK Extension to the DPF came into effect (as approved by the UK Government) as a UK GDPR data transfer mechanism to U.S. entities self-certified under the UK Extension to the DPF.
We are also subject to evolving EU and EEA privacy laws on cookies and e-marketing. In the EU and the UK, informed consent is required for the placement of certain cookies or similar technologies on an individual's device and for direct electronic marketing. The GDPR also imposes conditions on obtaining valid consent for cookies, such as a prohibition on pre-checked consents and a requirement to ensure separate consents are sought for each type of cookie or similar technology. Recent European court and regulator decisions and guidance are driving increased attention to cookies and tracking technologies. If the trend of increasing enforcement by regulators of the strict approach to opt-in consent for all but essential use cases, as seen in recent guidance and decisions, continues, this could lead to substantial costs, require significant systems changes, limit the effectiveness of our marketing activities, divert the attention of our technology personnel, adversely affect our margins, and subject us to additional liabilities. In light of the complex and evolving nature of EU, EU Member State, and UK privacy laws on cookies and tracking technologies, there can be no assurances that we will be successful in our efforts to comply with such laws; violations of such laws could result in regulatory investigations, fines, orders to cease/change our use of such technologies, as well as civil claims including class actions, and reputational damage.
Any actual or perceived failure by us, our employees or contractors, our partners, our service providers, or the third parties with whom we work to comply with privacy or security laws, policies, legal obligations or industry standards, or any security incident that results in the unauthorized release or transfer of personal information, may result in governmental enforcement actions and investigations (including by EU regulators and U.S. federal and state regulatory authorities) as well as fines and penalties, litigation (including by consumer advocacy groups), and/or adverse publicity, and could cause our customers, their patients and other healthcare professionals to lose trust in us, which could harm our reputation and have a material adverse effect on our business, financial condition and results of operations.