Myriad Genetics (MYGN) Risk Analysis

We rely on a CLIA-certified facility in Salt Lake City, Utah to perform most of our tests; a CLIA-certified laboratory in South San Francisco, California to perform our Foresight, Prequel and FirstGene tests; a CLIA-certified laboratory in Mason, Ohio to perform our GeneSight test; and a laboratory in San Diego, California to perform our SneakPeek Early Gender DNA test. Our laboratories and the equipment we use to perform our tests would be difficult to replace and may require significant lead time to replace and qualify for use if they become inoperable. Some of our laboratories are located near active earthquake fault lines and in a region affected by wildfires, tornadoes, and flooding. We currently have no backup or redundant facility to perform each of our tests. In the event any of our testing facilities were to lose its CLIA certification or other required certifications or licenses or were affected by a pandemic or man-made or natural disaster, such as an earthquake, fire, severe weather, flooding, rising sea levels, other physical effects of climate change, power outages or contamination, we would be unable to continue our business, with respect to the tests performed at the particular facility or overall, at current levels to meet customer demands for a significant period of time. According to the U.S. Environmental Protection Agency, heat waves and large storms are likely to become more frequent or more intense with climate change, which could impact our operations. Although we maintain insurance on these facilities, including business interruption insurance, it may not be adequate to protect us from all potential losses if these facilities were damaged or destroyed. In addition, any interruption in our business would result in a loss of goodwill, including damage to our reputation. If our laboratory processes were interrupted, it would seriously harm our business.

We may from time to time be subject to government investigations, which may divert management resources and attention, cause us to incur substantial costs, and/or result in negative publicity, and any unfavorable outcome arising from such investigation may have a material adverse effect on our financial condition, results of operations and cash flows. For example, in June 2016, our wholly-owned subsidiary, Crescendo Bioscience, LLC (formerly known as Crescendo Bioscience, Inc.) (CBI), received a subpoena from the OIG requesting that CBI produce documents relating to entities that received payment from CBI for the collection and processing of blood specimens for testing, including a named unrelated company, healthcare providers and other third-party entities. On January 30, 2020, the U.S. District Court for the Northern District of California unsealed a qui tam complaint, filed on April 16, 2016 against CBI, alleging violations of the federal and California False Claims Acts and the California Insurance Fraud Prevention Act (CIFPA). On January 22, 2020, after a multi-year investigation into CBI's and our alleged conduct, the government declined to intervene in the case. On January 27, 2020, the State of California likewise filed its notice of declination. On April 1, 2022, we settled the qui tam lawsuit pursuant to which we paid a total of $45.25 million to the United States and the State of California and $2.75 million to relator's counsel. The qui tam lawsuit was formally dismissed by the U.S. District Court for the Northern District of California on May 4, 2022. We may be subject to future claims or investigations under the Federal False Claims Act or a similar state law, and any unfavorable outcome arising from such claims or investigation could have a material adverse effect on our financial condition, results of operations and cash flows.

We are, and may become, subject to numerous domestic and international data protection laws and regulations that address privacy and data security and may affect our collection, use, storage, and transfer of personal information. The legislative and regulatory landscape for data protection continues to rapidly evolve, and in recent years there has been an increasing focus on privacy and data security issues with the potential to affect our business. In the United States, numerous federal and state laws and regulations, including HIPAA, state data breach notification laws, state genetic testing laws, state health information privacy laws and federal and state consumer protection laws govern the collection, use, disclosure and protection of health-related and other personal and protected health information. Implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future, which may create uncertainty in our business, affect our or our service providers' ability to operate in certain jurisdictions or to collect, store, transfer, use and share personal data, result in liability, or impose additional compliance or other costs on us. Failure, or perceived failure, to comply with these laws and regulations, where applicable, could result in government enforcement actions, which could include civil or criminal penalties, private litigation and/or adverse publicity, diversion of management time and effort, and could negatively affect our operating results and business. Our business relies on the collection, storage, analysis, and use of genetic and other sensitive health-related data, which may be subject to heightened privacy, consent, and data-use requirements. Laws and regulations governing genetic privacy and the permissible use of such data are evolving and may limit our ability to use genetic or health-related data for research, product development, quality improvement, or other secondary purposes, even where such data is anonymized or de-identified. Any failure, perceived failure, or alleged failure to comply with applicable genetic privacy or data-use requirements could result in regulatory enforcement actions, litigation, fines, reputational harm, or loss of customer and patient trust, which could adversely affect our business. HIPAA requires organizations like ours to develop and implement policies and procedures with respect to information that is protected under HIPAA, called protected health information, or PHI, that is created, used or disclosed in connection with our services, including the adoption of administrative, physical and technical safeguards to protect such information. HIPAA further requires organizations subject to HIPAA, called "covered entities" to notify affected individuals without unreasonable delay and in no case later than 60 calendar days following discovery, of certain unauthorized access, uses, or disclosures of PHI. If a breach affects 500 individuals or more in a particular state or jurisdiction, covered entities must report it to the HHS and local media contemporaneously with notice to affected individuals, and HHS will post information regarding the breach, including the name of the entity reporting the breach, on its public website. If a breach affects fewer than 500 individuals, the covered entity must notify HHS within the first 60 days of the following calendar year in which the breach occurred. Penalties for failure to comply with HIPAA are substantial and could include corrective action plans, and/or the imposition of civil monetary or criminal penalties. HIPAA also authorizes state attorneys general to enforce HIPAA on behalf of state residents. Courts can award damages, costs and attorneys' fees related to violations of HIPAA in such cases. While HIPAA does not create a private right of action allowing individuals to sue us in civil court for HIPAA violations, its standards have been used as the basis for a duty of care claim in state civil suits such as those for negligence or recklessness in the misuse or breach of PHI. Various U.S. states now regulate the processing of personal information. For example, California was the first of an increasing number of states to enact comprehensive state privacy legislation with the California Consumer Privacy Act (CCPA), which went into effect in January of 2020. The CCPA established a privacy framework for covered businesses by creating an expanded definition of personal information, establishing data privacy rights for California residents, requiring covered businesses to provide disclosures to California residents, and creating a statutory damages framework with the potential for severe damages for violations of the CCPA and for businesses that fail to implement reasonable security procedures and practices to prevent data breaches, as well as a private right of action for certain data breaches. Additionally in 2020, California voters passed the California Privacy Rights Act (CPRA), which went into effect on January 1, 2023. The CPRA significantly amended the CCPA, potentially resulting in further uncertainty, additional costs and expenses in an effort to comply and additional potential for harm and liability for failure to comply. Among other things, the CPRA established a new regulatory authority, the California Privacy Protection Agency, which enacts new regulations under the CPRA and has expanded enforcement authority. More U.S. states are enacting similar legislation, increasing compliance complexity and increasing risks of failures to comply. In 2023, comprehensive privacy laws in Virginia, Colorado, Connecticut, and Utah all took effect, and laws in Montana, Oregon, and Texas took effect in 2024. Laws in a number of other U.S. states took effect, or are set to take effect, in 2025, 2026, and beyond. Additional U.S. states have proposals under consideration, all of which are likely to increase our regulatory compliance costs and risks, exposure to regulatory enforcement action, and other liabilities. Likewise, the Federal Trade Commission and state attorneys general have been actively enforcing laws that protect consumers from unfair and deceptive acts or practices, including with respect to privacy and security. If our public statements regarding collection, use, storage or disclosure of personal information are or are perceived to be inconsistent with our actual practices, we may face claims under Section 5 of the Federal Trade Commission Act or state law equivalents. Numerous other countries have, or are developing, laws governing the collection, use and transmission of personal data as well. For example, the EU's GDPR became effective in 2018 and imposed a broad data protection framework that expanded the scope of EU data protection law, including to non-EU entities meeting the jurisdictional requirements that process, or control the processing of, personal data relating to individuals located in the EU, including clinical trial data. GDPR sets out a number of requirements for controllers and/or processors, as applicable, that must be complied with when handling the personal data of EU based data subjects, including: providing expanded disclosures about how their personal data will be used; higher standards for organizations to demonstrate that they have a legal basis to justify their data processing activities; the obligation to appoint data protection officers in certain circumstances; new rights for individuals to be "forgotten" and rights to data portability, as well as enhanced current rights (e.g., access requests); the principal of accountability and demonstrating compliance through policies, procedures, training and audit; and a new mandatory data breach regime. In particular, medical or health data, genetic data and biometric data are all classified as "special category" data under GDPR and afford greater protection and require additional compliance obligations. Further, EU member states have a broad right to impose additional conditions-including restrictions-on these data categories. This is because GDPR allows EU member states to derogate from the requirements of GDPR mainly in regard to specific processing situations (including special category data and processing for scientific or statistical purposes). GDPR is applicable to part of our business and has increased our responsibility and liability in relation to personal data that we process, and we may be required to put in place additional procedures to comply. GDPR is complex and regulatory guidance relating to GDPR compliance continues to evolve. Furthermore, national GDPR variations, including the fields of clinical study and other health-related information may raise our costs of compliance and result in greater legal risks. Relatedly, following Brexit and the expiration of the Brexit transition period, which ended on December 31, 2020, the EU GDPR has been implemented in the United Kingdom (as the UK GDPR). The UK GDPR sits alongside the United Kingdom Data Protection Act 2018 which implements certain derogations in the GDPR into UK law. Under the UK GDPR, companies not established in the United Kingdom but who process personal data in relation to the offering of goods or services to individuals in the United Kingdom, or to the monitoring of their behavior will be subject to the UK GDPR. At this time, the requirements of the UK GDPR are largely aligned with those under the GDPR and as such, may lead to similar compliance and operational costs with potential fines of up to £17.5 million or 4% of global turnover. We are also subject to evolving GDPR requirements on data export, because we transfer data to third countries outside of the EU that are not deemed "adequate." GDPR only permits exports of personal data outside of the EU to "non-adequate" countries where there is a suitable data transfer mechanism in place to safeguard personal data (e.g., the EU Commission approved Standard Contractual Clauses or certification under the newly-adopted Data Privacy Framework). On July 16, 2020, the Court of Justice of the EU (CJEU) issued a landmark opinion in the case Maximilian Schrems vs. Facebook (Case C-311/18) (Schrems II). This decision calls into question certain data transfer mechanisms as between the EU member states and the United States. The CJEU is the highest court in Europe and the Schrems II decision heightened the burden to assess United States national security laws on their business, and future actions of EU data protection authorities are difficult to predict at this time. While the newly-adopted Data Privacy Framework was meant to address the concerns raised by the CJEU in Schrems II, it will likely be subject to future legal challenges. Consequently, there is some risk of any data transfers from the EU being halted. If we have to rely on third parties to carry out services for us, including processing personal data on our behalf, we are required under GDPR to enter into contractual arrangements to flow down or help ensure that these third parties only process such data according to our instructions and have sufficient security measures in place. Any security breach or non-compliance with our contractual terms or breach of applicable law by such third parties could result in enforcement actions, litigation, fines and penalties or adverse publicity and could cause customers to lose trust in us, which would have an adverse impact on our reputation and business. Any contractual arrangements requiring the processing of personal data from the EU to us in the U.S. will require greater scrutiny and assessments as required under Schrems II and may have an adverse impact on cross-border transfers of personal data or increase costs of compliance. GDPR provides an enforcement authority to impose large penalties for noncompliance, including the potential for fines of up to €20 million or 4% of the annual global revenues of the noncompliant company, whichever is greater. Applicable data privacy and data protection laws may conflict with each other, and by complying with the laws or regulations of one jurisdiction, we may find that we are violating the laws or regulations of another jurisdiction. Despite our efforts, we may not have fully complied with all applicable data privacy and data protection laws in the past and we may not do so in the future. Compliance with such laws and regulations could require us to incur significant expenses or modify our practices, each of which could adversely affect our business. Failure to comply with data protection laws may expose us to risk of enforcement actions taken by data protection authorities or other regulatory agencies, private rights of action in some jurisdictions, and potential significant penalties if we are found to be non-compliant. Furthermore, the number of government investigations related to data security incidents and privacy violations continue to increase and government investigations typically require significant resources and generate negative publicity, which could harm our business and reputation.

We may not succeed in achieving significant commercial market acceptance of our test offerings that we have launched or acquired in recent years or are currently developing. Our ability to successfully develop and commercialize our current tests, as well as any future tests that we may develop or acquire, depend on several factors, including: - our ability to convince the medical community and consumers of the utility of our tests and their potential advantages over existing tests or other competing products or services;- our ability to market current and future products in new and existing channels;- our ability to collaborate with biotechnology and pharmaceutical companies to develop and commercialize companion diagnostic tests for their therapeutic drugs and drug candidates;- the agreement by third-party payors to reimburse our tests, the scope and extent of which will affect patients' willingness or ability to pay for our tests and will likely heavily influence physicians' decisions to recommend our tests; and/or - the willingness of physicians to utilize our diagnostic tests, which can be difficult to interpret as our tests only predict as to a probability, not certainty, that a tested individual will develop the disease, will benefit from a particular therapy or has an aggressive form of the disease that the test is intended to predict. These factors present obstacles to commercial acceptance of our tests, which we would have to spend substantial time and money to overcome, if we can do so at all. Our inability to successfully do so would harm our business. The tests we enhance or develop may not be clinically effective in clinical trials or commercially, or may not ultimately meet our desired target product profile, be offered at acceptable cost and with the test performance metrics necessary to address the relevant clinical need or commercial opportunity. We also may experience difficulties completing the clinical development of any new or enhanced product, or establishing or maintaining the collaborative relations that may be essential to our clinical development and commercialization efforts. Clinical development requires large numbers of patient specimens and, for certain products, require large, prospective, and controlled clinical trials. We may not be able to enroll patients or collect a sufficient number of appropriate specimens in a timely manner, or we may experience delays during clinical development due to slower than anticipated enrollment, or due to changes in study or trial design or other unforeseen circumstances, or we may be unable to afford or manage the large-sized clinical trials that some of our planned future products may require. In addition, the publication of clinical data in peer-reviewed journals is an important step in commercializing and obtaining reimbursement for tests such as ours, and our inability to control when, if ever, results are published may delay or limit our ability to derive sufficient revenues from any test that is the subject of a study or trial. Peer-reviewed publications regarding our tests may be limited by many factors, including delays in the completion of, poor design of, or lack of compelling data from, studies and clinical trials, as well as delays in the review, acceptance and publication process. If our tests or the technology underlying our current or future tests do not receive sufficient favorable exposure in peer-reviewed publications, the rate of clinician adoption of our tests and positive reimbursement coverage determinations for our tests could be negatively affected. In addition, for any of the foregoing reasons or otherwise, our anticipated timeline to launch new test offerings, such as First Gene and Precise MRD, may not occur at the time we expect, which could negatively impact our ability to gain commercial market acceptance or successfully commercialize any new test offerings.

Our registered and unregistered trademarks, service marks, or trade names could be infringed by third parties. Enforcing our rights against such third parties can be expensive and distracting. If we fail to effectively enforce such rights against third parties, our trademark, service mark or trade name rights, and the associated goodwill and brand equity, could be lost. We file applications for registration of various marks associated with our brands in the United States and foreign jurisdictions. We may fail to successfully register these marks. Additionally, once a mark is registered, we may fail to pay all fees and attend to all formalities required to maintain the registration. Failure to obtain or maintain registration of our marks could make those marks harder to enforce and reduce the liability of an infringer even if we are able to successfully enforce such rights.

Artificial intelligence (AI) is increasingly shaping industries worldwide, including life sciences and healthcare. We have implemented certain AI technologies into our operations to improve efficiency and drive innovation, and we may further expand our use of AI as the technology continues to evolve, including in connection with data analytics, laboratory processes, and the development of AI-enabled products or decision-support tools. However, AI innovation also introduces risks and challenges that could impact our business. Our employees and contractors may also use AI technologies in the course of their work, including tools provided by third parties that we do not fully control. AI algorithms may be flawed, datasets may be insufficient or biased, and ineffective AI development or deployment could lead to compliance violations, cybersecurity risks, and other adverse consequences. AI-based systems may also be subject to model drift over time or unanticipated use cases. Potential risks include breaches of confidentiality and privacy obligations, noncompliance with applicable laws and regulations, threats to intellectual property rights, including not only the leakage of our proprietary information but also the risk that AI-generated outputs may infringe third-party intellectual property rights, and the misuse of personally identifiable information, including protected health information. Additionally, overreliance on AI or dependence on a specific model or vendor may limit our flexibility, increase costs, or expose us to operational risks if the AI provider modifies or discontinues its services or increases its costs. Any of these issues could materially and adversely affect our business, financial condition, and results of operations. A growing number of legislators and regulators in the U.S. and globally are adopting laws and regulations and have focused enforcement efforts on the adoption of artificial intelligence, and use of such technologies in compliance with ethical standards and societal expectations. These developments may increase our compliance burden and costs in connection with use of artificial intelligence and lead to legal liability if we fail to meet evolving legal standards or if use of such technologies results in harms or other causes of action we did not predict. For example, the EU's Artificial Intelligence Act, or AI Act, entered into force on August 1, 2024, with most provisions becoming effective on August 2, 2026. This legislation imposes significant obligations on providers and deployers of artificial intelligence systems and encourages providers and deployers of artificial intelligence systems to account for EU ethical principles in their development and use of these systems. The scope of requirements depends on legal and risk determinations that rely on novel legal provisions that have not yet been interpreted by courts or regulators, and non-compliance can lead to significant fines. Likewise, in the U.S., several states, including Colorado and California, passed laws that will take effect in 2026, to regulate various uses of artificial intelligence, including to make consequential decisions. In addition, various federal regulators have issued guidance and focused enforcement efforts on the use of AI in regulated sectors. If we develop or use AI systems governed by these rapidly developing laws or regulations, we will need to meet higher standards of data quality, transparency, monitoring, and human oversight, and we may need to adhere to specific and potentially burdensome and costly ethical, accountability, and administrative requirements, with the potential for significant enforcement or litigation in the event of any perceived non-compliance.

We currently rely on a small number of suppliers, or, in some cases, single-source suppliers, to provide our gene sequencing equipment, content enrichment equipment, multiplex protein analysis equipment, robots, and specialty reagents and other laboratory supplies required in connection with our testing and research and development activities. We believe that currently there are limited alternative suppliers of the equipment, robots, reagents and certain other supplies that we use in our business. The equipment, robots, reagents or other supplies may not remain available in commercial quantities at acceptable costs, or at all. In addition, we rely upon a limited number of commercial delivery services to provide us with laboratory supplies, and the disruption of such delivery services could adversely impact our business. If we are unable to obtain when needed additional or alternative equipment or robots, or an adequate supply of reagents or other ingredients or supplies at commercially reasonable rates, our ability to continue to identify genes and perform testing would be adversely affected. In addition, any loss of, or failure to perform by, a single-source supplier could have a disruptive effect on our business, including our ability to perform testing, and could adversely affect our results of operations. Furthermore, we rely on third-party laboratories and phlebotomy clinics to perform specimen collection services for us for patients taking some of our tests such as our Prequel non-invasive prenatal screening test. In some locations, we rely on a limited number of third-party laboratories and phlebotomy clinics to perform these specimen collection services for us. The inability or refusal of a third-party laboratory or phlebotomy clinic to provide these services to us could significantly impede our ability to test patients and, consequently, could adversely affect our business. In addition, the consolidation of large laboratories and phlebotomy clinics may decrease the specimen collection facility options that are available to us, thus amplifying the risk if access to the remaining laboratories and phlebotomy clinics is denied or delayed. Further, disruption in the global supply chain related to hostilities in Ukraine and the Middle East or elsewhere could impact our supply chain. While we have not experienced material supply chain disruptions related to these global hostilities to date, we are unable to predict how these conflicts will develop or guarantee that we will not experience material supply chain disruptions in the future.

We may determine to sell, limit, or discontinue certain existing products or services, which could adversely affect our business, results of operations, and financial condition. For example, we currently expect to discontinue sales of our EndoPredict test in the United States during the first half of 2026. As part of our regular evaluation of product performance and strategic fit, and in response to changes in clinical practice, reimbursement, regulatory requirements, competitive dynamics, or other market conditions, we may decide that certain offerings no longer meet our objectives and should be modified, transitioned, or discontinued. We cannot assure that we have correctly forecasted, or will correctly forecast in the future, which products or services to modify or discontinue, or that any such decision will achieve its intended objectives. A discontinuation or transition may not reduce operating expenses and could result in additional costs and liabilities, including costs associated with operational changes (such as changes to ordering, billing, logistics, and customer support), inventory or supply chain adjustments, and potential disputes with customers, distributors, suppliers, or other partners. If we elect to sell a product line or related assets, we may be unable to find a suitable buyer on acceptable terms, or at all. In addition, discontinuing an offering could disrupt relationships with customers and providers and adversely impact future sales. If we are unable to effectively manage product discontinuations or transitions, our business and results of operations could be materially adversely affected.

Changes in United States trade policy, including recently announced or potential future tariffs, could have a material adverse impact on our business, financial condition, and results of operations. The imposition of new tariffs or increases in existing tariffs on goods imported from or expected to be imported from countries where we or our suppliers operate could result in higher costs for materials or components essential to our operations. These increased costs may reduce our margins, necessitate price adjustments, or impact the affordability and competitiveness of our offerings. Additionally, retaliatory tariffs imposed by other countries on U.S. exports could delay delivery of supplies to us and adversely affect our ability to operate or grow in certain international markets. If we are unable to effectively mitigate these risks through supply chain adjustments, pricing strategies, or other measures, our financial performance and growth trajectory could be materially affected.