Lifestance Health Group (LFST) Risk Analysis

The privacy and security of PII stored, maintained, received or transmitted electronically is a significant issue in the United States. While we strive to comply with all applicable privacy and security laws and regulations, as well as our own posted privacy policies, legal standards for privacy, including but not limited to "unfairness" and "deception," as enforced by the Federal Trade Commission and state attorneys general and comprehensive privacy laws in more than 20 states, continue to evolve. Our failure or perceived failure to comply may result in proceedings or actions against us by government entities or others, or could cause us to lose customers, which could have a material adverse effect on our business. Recently, there has been an increase in public awareness of privacy issues and in the number of private privacy-related lawsuits filed against companies. Any allegations about us, our supported practices or our supported clinicians with regard to the collection, processing, use, disclosure, or security of PII or other privacy-related matters, even if unfounded, could damage our reputation and harm our business. We also publish statements to our patients and stakeholders that describe how we handle and protect personal information. If federal or state regulatory authorities or private litigants consider any portion of these statements to be deceptive or misleading, either by what was said or what is omitted, we may be subject to claims of deceptive practices, which could lead to significant liabilities and consequences, including, without limitation, costs of responding to investigations, defending against litigation, settling claims and complying with regulatory or court orders. Numerous federal and state laws and regulations govern collection, dissemination, use and confidentiality of personally identifiable health information, including state privacy and confidentiality laws (including state laws requiring notification of data breaches) and HIPAA. HIPAA establishes a set of baseline national privacy and security standards for the protection of PHI, by health plans, healthcare clearinghouses and certain healthcare providers, referred to as covered entities, and the business associates with whom such covered entities contract for services, which includes us. Certain of our entities and supported practices are covered entities, while our management service entities are business associates. HIPAA requires covered entities and business associates to develop and maintain policies and procedures with respect to PHI that is used or disclosed, including the adoption of administrative, physical and technical safeguards to protect such information. HIPAA also implemented the use of standard transaction code sets and standard identifiers that covered entities must use when submitting or receiving certain electronic healthcare transactions, including activities associated with the billing and collection of healthcare claims. HIPAA imposes mandatory penalties for certain violations. Penalties for violations of HIPAA and its implementing regulations include civil monetary penalties of up to $71,162 per violation, not to exceed $2,134,831 for violations of the same standard in a single calendar year (as of 2024, and subject to periodic adjustments for inflation). However, a single breach incident can result in violations of multiple standards, which could result in significant fines. A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA may face a criminal penalty of up to $50,000 and up to one-year of imprisonment. The criminal penalties increase if the wrongful conduct involves false pretenses or the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain, or malicious harm, with a maximum fine of $250,000 and maximum imprisonment of ten years. HIPAA also authorizes state attorneys general to file suit on behalf of their residents. While HIPAA does not create a private right of action allowing individuals to bring lawsuits in civil court for violations of HIPAA, its standards have been used as the basis for duty of care in state civil suits such as those for negligence or recklessness in the misuse or breach of PHI. Any such penalties or lawsuits could harm our business, financial condition, results of operations and prospects. In addition, HIPAA mandates that the Secretary of HHS conduct periodic compliance audits of HIPAA covered entities or business associates for compliance with the HIPAA Privacy and Security Standards. It also tasks HHS with establishing a methodology whereby harmed individuals who were the victims of breaches of unsecured PHI may receive a percentage of the Civil Monetary Penalty fine paid by the violator. HIPAA further requires that patients be notified of any unauthorized acquisition, access, use or disclosure of their unsecured PHI that compromises the privacy or security of such information, with certain exceptions related to unintentional or inadvertent use or disclosure by employees or authorized individuals. HIPAA specifies that such notifications must be made "without unreasonable delay and in no case later than 60 calendar days after discovery of the breach." If a breach affects 500 patients or more, it must be reported to HHS without unreasonable delay, and HHS will post the name of the breaching entity on its public website. Breaches affecting 500 patients or more in the same state or jurisdiction must also be reported to the local media. If a breach involves fewer than 500 people, the covered entity must record it in a log and notify HHS at least annually. Further, the HHS OCR published a proposed rule in January of 2021, which, among other things calls for greater care coordination and an individual's rights to access patient records. The proposed rule specifically encourages the disclosure of PHI when needed to help individuals experiencing substance use disorder, serious mental illness and in emergency circumstances. The proposed rule is subject to a regulatory suspension announced by the Biden administration and we do not know when (or if) the final rule will be published or whether there may be additional changes to the regulations, but when it is, we will need to evaluate and potentially update our HIPAA regulatory programs and documentation to ensure compliance with such requirements. Additionally, online tracking technologies generally used to collect and analyze information about user behavior and enhance the user experience may qualify as HIPAA violations and result in sanction. In December 2022, OCR issued a bulletin titled, "Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates," which sets forth broad-reaching guidance for HIPAA covered entities and their business associates that utilize online tracking technologies on their webpages and applications. In the guidance, OCR takes the position that when individuals use regulated entities' websites, the individual information gleaned from that use (including, in certain circumstances, IP address, geographic location, or other unique identifying code) may include PHI, and such information cannot be disclosed to a tracking vendor in a manner that would constitute an impermissible disclosure under HIPAA (e.g., disclosure without a valid HIPAA authorization or business associate agreement ("BAA")). In March 2024, the OCR updated its 2023 guidance on the use of online tracking technologies on webpages and applications by HIPAA covered entities and business associates to address the disclosure of individually identifiable health information through unauthenticated, public-facing webpages. The guidance was subject to court challenge, and its interpretation and enforcement remain subject to ongoing developments. There have been several class action lawsuits, including against LifeStance, asserting that HIPAA covered entities and business associates improperly used or disclosed PHI through online tracking technologies. See "-Risks Related to Our Business and Our Industry-Litigation, including in connection with commercial disputes or employment claims, against us could be costly and time-consuming to defend." HHS OCR additionally published a final rule in April 2024 modifying existing standards permitting uses and disclosures of PHI when the PHI pertains to reproductive healthcare, which is defined broadly and may capture mental health treatment provided to women surrounding subjects such as pregnancy, miscarriage, abortion, and fertility. The final rule became effective June 25, 2024, with compliance required by December 23, 2024, and generally prohibits the use or disclosure of PHI by a covered entity when said use or disclosure is to be used to conduct a criminal, civil, or administrative investigation into or impose a related liability on any person for the act of seeking, obtaining, providing, or facilitating reproductive healthcare, when such healthcare is lawful under the circumstances in which it is provided. Covered entities are similarly prohibited from disclosing PHI to identify any person for the purpose of conducting such investigation or imposing such liability. To implement this prohibition, covered entities that receive a request for PHI potentially related to reproductive healthcare are required to obtain a signed attestation that the use or disclosure of said PHI is not for a prohibited purpose, when said request is for health oversight activities, judicial and administrative proceedings, law enforcement purposes, or disclosures to coroners and medical examiners. Compliance with this new rule will require careful monitoring of the evolving landscape of state laws surrounding reproductive healthcare so that we may remain compliant with both state and federal laws. We may also be required to comply with the Federal Substance Abuse Confidentiality Regulations, known as 42 C.F.R. Part 2. In July 2020, new regulations overhauled these laws to better align with HIPAA and to facilitate better coordination of care in response to the opioid epidemic. On December 2, 2022, HHS OCR published a proposed rule containing proposals to implement the CARES Act provisions, which bring Part 2 in alignment with HIPAA including, among other things, expanding the scope of permitted disclosures of substance use disorder treatment records and applying HIPAA's breach notification standards to breaches of records protected by Part 2. Notice of Privacy Practices and arrangements with business associates and qualified service organizations will also need to be adjusted accordingly. The Final Rule, which was published in February 2024, aligned Part 2 penalties with civil and criminal enforcement authorities that apply to HIPAA violations. Under the Final Rule, the penalties for Part 2 violations have increased, rising from up to $5,000 for individuals and $10,000 for organizations on a per-violation basis to a $50,000 maximum penalty for failure to comply with the Part 2 requirements and a $250,000 maximum penalty for wrongful disclosure of individually identifiable health information. Additional changes in the Final Rule further harmonize Part 2 with HIPAA and include aligning data breach notification protocols with the HIPAA Breach Notification Rule; allowing single consents for disclosures related to treatment, payment and healthcare operations; and aligning Part 2 Patient Notice requirements with requirements of the HIPAA Notice of Privacy Practices. We will have until February 2026 to comply. Further, the U.S. federal government and various states and governmental agencies have adopted or are considering adopting various laws, regulations and standards regarding the collection, use, retention, security, disclosure, transfer and other processing of sensitive and personal information. For example, California implemented the California Confidentiality of Medical Information Act, which imposes restrictive requirements regulating the use and disclosure of health information and other personally identifiable information. These laws and regulations are not necessarily preempted by HIPAA, particularly if a state affords greater protection to individuals than HIPAA. Where state laws are more protective, we have to comply with the stricter provisions. In addition to fines and penalties imposed upon violators, some of these state laws also afford private rights of action to individuals who believe their personal information has been misused. For example, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the "CCPA") gives California residents certain privacy rights in the collection and use of their personal information, and take certain other acts in furtherance of those rights. Failure to comply with the CCPA may result in, among other things, civil penalties of up to $7,500 per violation, as well as a private right of action for certain data breaches. Additionally, California created a data protection agency authorized to implement and enforce the CCPA, which could result in increased enforcement. While the CCPA contains an exemption for PHI subject to HIPAA, we may process other personal information that is subject to the CCPA. In addition, almost 20 other states have now passed comprehensive privacy laws that have taken effect or will come into effect at various times over the next few years. These comprehensive state privacy laws also provide exemptions for PHI subject to HIPAA or exempt covered entities and business associates entirely. All of these evolving compliance and operational requirements impose significant costs that are likely to increase over time, may require us to modify our data processing practices and policies, divert resources from other initiatives and projects and could restrict the way services involving data are offered, all of which may adversely affect our results of operations. Certain state laws may be more stringent or broader in scope, or offer greater individual rights, with respect to sensitive and personal information than federal, international or other state laws, and such laws may differ from each other, which may complicate compliance efforts. State laws are changing rapidly and there is discussion in Congress of a new federal data protection and privacy law to which we may be subject. We will need to continue to evaluate our privacy program as the implementation of the law evolves and may need to make further modifications to our programs, which, if we fail to do so as required, may expose us to liability. There are many other federal and state-based data privacy and security laws and regulations that may impact our business. For example, federal, state and local privacy and consumer protection laws also govern specific technologies that we employ or how we market to, and otherwise communicate with, individuals. For example, the Controlling the Assault of Non-Solicited Pornography and Marketing Act and the Telephone Consumer Protection Act ("TCPA") impose specific requirements on communications with consumers. The TCPA and analogous state laws, for instance, impose various consumer consent requirements and other restrictions on communications with consumers by phone, fax or text message. TCPA violations can result in significant financial penalties, including penalties or criminal fines imposed by the Federal Communications Commission or fines of up to $1,500 per violation imposed through private litigation or by state authorities. The TCPA provides for substantial penalties and statutory damages and has generated significant class action activity. The costs of litigating and/or settling a TCPA or similar legal claim could be significant. The interplay of federal and state laws may be subject to varying interpretations by courts and government agencies, creating complex compliance issues for us and our clients and potentially exposing us to additional expense, adverse publicity and liability. Further, as regulatory focus on privacy issues continues to increase and laws and regulations concerning the protection of personal information expand and become more complex, these potential risks to our business could intensify. Changes in laws or regulations associated with the enhanced protection of certain types of sensitive data, such as PHI or PII, along with increased customer demands for enhanced data security, could greatly increase our cost of providing our services, decrease demand for our services, reduce our revenue and/or subject us to additional liabilities. In addition to the applicable federal and state laws, we are also subject to PCI DSS, a self-regulatory standard that requires companies that process payment card data to implement certain data security measures. If we or our payment processor fail to comply with the PCI DSS, we may incur significant fines or liability and lose access to major payment card systems. Our systems are subject to annual review under the PCI DSS requirements, and we have historically had, may now have, and may have in the future have items that require improvement. Industry groups may in the future adopt additional self-regulatory standards by which we are legally or contractually bound. The evolving patchwork of differing state and federal privacy and data security laws increases the cost and complexity of operating our business and increases our exposure to liability, including from third-party litigation and regulatory investigations, enforcement, fines and penalties. The scope and enforcement of each of these laws is uncertain and subject to rapid change, particularly, in the current environment of healthcare reform. Federal and state enforcement bodies have recently increased their scrutiny of interactions between healthcare companies and healthcare providers, which has led to a number of investigations, prosecutions, convictions and settlements in the healthcare industry. Any such investigations, prosecutions, convictions or settlements could result in significant financial penalties, damage to our brand and reputation, and a loss of customers, any of which could have an adverse effect on our business.

We believe that developing and maintaining widespread awareness of our brand and maintaining our reputation for delivering high-quality care to patients is important to attract new patients and clinicians and maintain existing patients and clinicians. In addition, we have a growing number of strategic relationships with primary care and other specialist physician partners to develop our integrated care model and referral networks. Market acceptance of our services and patient acquisition depends on educating people, as well as payors and partners, as to the distinct features, ease-of-use, positive lifestyle impact, efficacy, quality and other perceived benefits of our platform as compared to alternatives. In particular, market acceptance is dependent on our ability to sufficiently saturate a particular geographic area to deliver care to local patients. The level of saturation required depends on the needs of the local market and the preferences of the patients in that market. Further, we rely on referrals and placed advertisements to spread brand awareness. Referrals are dependent on patients relaying positive experiences with our services and clinicians. If we are not successful in demonstrating to existing and potential patients, clinicians and payors the benefits of our platform, if we are not able to sufficiently saturate a market in convenient locations for patients, or if we are not able to achieve the support of payors and physician partners for our model and services, we could experience lower than expected patient retention. Further, the loss or dissatisfaction of patients or clinicians may substantially harm our brand and reputation, inhibit widespread adoption of our services, reduce our revenue, and impair our ability to attract or retain patients and clinicians. Our brand promotion activities may not generate awareness or increase revenue and, even if they do, any increase in revenue may not offset the expenses we incur in building our brand. If we fail to successfully promote and maintain our brand, we may fail to attract or retain patients, clinicians, payors and physician partners necessary to realize a sufficient return on our brand-building efforts or to achieve the widespread brand awareness we seek.

Our business involves the storage and transmission of proprietary information and sensitive or confidential data, including personal information of employees and others, as well as the PHI of our patients. Several laws and regulations require us to keep this information secure. Because of the extreme sensitivity of the information we store and transmit, the security features of our and our third-party vendors' computer, network and communications systems infrastructure are critical to the success of our business. Our security features and processes or our vetting and oversight of third parties and related hardware and software may not be sufficient for all circumstances. We also exercise limited control over third-party vendors and their computer systems and choice of software, which increases our vulnerability to problems with the technology and information services they provide. Third parties may use our data in ways that violate their contractual commitment or that we did not appreciate or anticipate when contracting. While we have implemented processes, procedures and controls designed to help mitigate risk and protect the integrity, confidentiality and security of the confidential and personal information under our control, we cannot assure you that any security measures that we or our third-party service providers implement will be effective in preventing security incidents, disruptions, cyberattacks, or other similar events. Determined threat actors would likely be able to penetrate our security or the security of our vendors with enough skills, resources, and time, and they may evade detection for extended periods of time. A breach or failure of our or our third-party vendors' network, hosted service providers or vendor systems could result from a variety of circumstances and events, including third-party action, employee negligence or error, malfeasance, computer viruses, cyber-attacks by computer hackers such as denial-of-service, ransomware, business email compromise, and phishing attacks, nation-state attacks, political protests, failures during the process of upgrading or replacing software and databases, power outages, hardware failures, telecommunication failures, software errors or incompatibility, user errors or catastrophic events. Information security risks have generally increased in recent years because of the proliferation of new technologies and the increased sophistication and activities of perpetrators of cyber-attacks. Hackers and data thieves are increasingly sophisticated and operating large-scale and complex automated attacks, including on companies within the healthcare industry. We are also dependent on a technology supply chain that involves many third parties, some of whom may not be known to us, and each of these companies may also be a source of potential risk to our patients, operations and reputation. In addition, the competition for talent in the data privacy and cybersecurity space is intense, and we may be unable to hire, develop or retain suitable talent capable of adequately detecting, mitigating or remediating these risks. Our failure to adhere to, or successfully implement processes in response to, evolving cybersecurity threats and changing legal or regulatory requirements in this area could result in legal liability or damage to our reputation in the marketplace. As cyber threats continue to evolve, we and our third-party vendors may be unable to anticipate all potential threats. We may be required to expend additional resources to further enhance our information security measures and/or to investigate and remediate any information security vulnerabilities. If our or our third-party vendors' security measures fail or are breached, it could result in unauthorized persons accessing sensitive patient data (including PHI), a loss of or damage to our data, or an inability to access data sources, process data or provide our services to our patients. A security incident may even remain undetected for an extended period, and we or our third-party vendors may be unable to anticipate such threats and attacks or implement adequate preventive measures. For example, in February 2024, UnitedHealth Group announced that its Change Healthcare information technology systems were being taken offline for an undefined period, which impacted our operations, including our ability to process insurance claims, collect payments and confirm insurance eligibility of patients, and the ability of third-party pharmacies to fill electronic prescriptions our clinicians write for patients. Such failures or breaches of our or our third-party vendors' security measures, or our or our third-party vendors' inability to effectively resolve such failures or breaches in a timely manner, could severely damage our reputation, adversely affect patient, provider or investor confidence in us, and reduce the demand for our services from existing and potential patients. In addition, we could face litigation (including class action claims), damages for breach of contract, monetary penalties or regulatory actions for violation of applicable laws or regulations, and incur significant costs to comply with applicable data breach notification laws and to implement remedial measures to prevent future occurrences and mitigate past incidents. Although we maintain insurance coverage that may cover certain liabilities and expenses in connection with security breaches and other security incidents, we cannot be certain that our insurance coverage will be sufficient to compensate for all liability, that insurance will continue to be available to us on commercially reasonable terms (if at all), or that any insurer will not deny coverage as to any future claim, and in any event, insurance coverage would not address the reputational damage that could result from a security incident. As cybersecurity threats continue to evolve, we may be required to expend significant additional resources to continue to modify or enhance our protective measures or to investigate and remediate any information security vulnerabilities. The inability to implement, maintain and upgrade adequate safeguards could have a material adverse effect on our business.

Our business is dependent on maintaining effective information systems as well as the integrity and timeliness of the data we use to serve our patients, support our clinicians and payor partners and operate our business. Because of the large amount of data that we collect and manage, it is possible that hardware failures or errors in our systems could result in data loss or corruption or cause the information that we collect to be incomplete or contain inaccuracies that our partners regard as significant. If our data were found to be inaccurate or unreliable due to fraud or other error, or if we, or any of the third-party vendors we engage, were to fail to maintain information systems and data integrity effectively, we could experience operational disruptions that may impact our patients and clinicians and hinder our ability to provide care to patients, retain and attract patients, establish reserves, report financial results timely and accurately and maintain regulatory compliance, among other things. Furthermore, as we implement new systems and/or upgrade existing systems, we increase our risk of temporary or prolonged disruptions that could adversely affect our business and we are exposed to increased risk of cybersecurity breaches and failures. Our information technology strategy and execution are critical to our continued success. We must continue to invest in long-term solutions that will enable us to anticipate patient needs and expectations, enhance the patient experience, act as a differentiator in the market, protect against rapidly changing cybersecurity risks and threats, and keep pace with evolving privacy and security laws, requirements and regulations, including changes in payment regimes such as the PCI DSS. Our success is dependent, in large part, on maintaining the effectiveness of existing technology systems and continuing to deliver and enhance technology systems that support our business processes in a cost-efficient and resource-efficient manner. We have identified certain weaknesses with respect to our IT function. See "-Risks Related to Our Common Stock-We have identified material weaknesses in our internal control over financial reporting and may identify additional material weaknesses in the future or fail to maintain an effective system of internal control over financial reporting. If our remediation of the material weaknesses is not effective, or we fail to develop and maintain effective internal control over financial reporting, our ability to produce timely and accurate financial statements or comply with applicable laws and regulations could be impaired, which could harm our business and negatively impact the value of our common stock." Increasing regulatory and legislative changes place additional demands on our information technology infrastructure that could have a direct impact on resources available for other projects tied to our strategic initiatives for our technology platform. In addition, recent trends toward greater patient engagement in healthcare require new and enhanced technologies, including more sophisticated applications for mobile devices. Connectivity among technologies is becoming increasingly important. We and our third-party vendors must also develop new systems to meet current market standards and keep pace with continuing changes in information processing technology, evolving industry and regulatory standards and patient needs. Failure to do so may present compliance challenges and impede our ability to deliver care to patients in a competitive manner. Further, because system development projects are long-term in nature, they may be more costly than expected to complete and may not deliver the expected benefits upon completion. Additional development projects may be needed or arise in the future and we may not have the necessary resources to complete such development projects. Further, the technological advances of our competitors or future competitors may result in our technologies or future technologies becoming uncompetitive or obsolete. Our failure to effectively invest in, implement improvements to and properly maintain the uninterrupted operation and data integrity of our information technology and other business systems could adversely affect our results of operations, financial condition and cash flow. Similarly, if our third party vendors fail to effectively invest in, implement improvements to and properly maintain the uninterrupted operation and data integrity of their own information technology systems, interruptions in their systems or network may result in disruptions of our own systems and business operations.

We may be adversely affected by patients' unwillingness to pay for treatment by our clinicians. Higher numbers of unemployed individuals generally translate into more individuals without healthcare insurance to help pay for services, thereby increasing the potential for persons to elect not to seek treatment if they cannot afford to self-pay. Growth of patient receivables or deterioration in the ability to collect on these accounts, due to changes in economic conditions or otherwise, could have an adverse effect on our business, results of operations and financial condition. In addition, patients with high deductible insurance plans may be less likely to seek treatment as a result of higher expected out-of-pocket costs.

Our centers may be harmed or rendered inoperable by natural or man-made disasters, including earthquakes, hurricanes, power outages, fires, floods, nuclear disasters and acts of terrorism or other criminal activities, which make it difficult or impossible for us to operate our business for some period of time. Although we deliver care in both in-person and digital settings, such disruptions in our operations could negatively impact our business and results of operations and harm our reputation. Although we maintain an insurance policy covering damage to property we lease, such insurance may not be sufficient to compensate for losses that may occur. Any such losses or damages could harm our business, financial condition and results of operations. In addition, our physician partners' facilities may be harmed or rendered inoperable by such natural or man-made disasters, which may cause disruptions, difficulties or other negative effects on our business and operations, with respect to our integrated care model.