Nano-X Imaging (NNOX) Risk Factors

We are, and may in the future become, subject to litigation or claims arising in or outside the ordinary course of business that could negatively affect our business operations and financial condition, including securities class actions and shareholder derivative actions, both of which are typically expensive to defend. Such claims and litigation proceedings may be brought by third parties, including our customers, competitors, advisors, service providers, partners or collaborators, employees, and governmental or regulatory bodies. For example, we currently have two securities class-action complaints pending against us and certain current officers and a director, asserting violations of federal securities laws and seeking unspecified damages. We believe these lawsuits are without merit and intend to defend this case vigorously. In addition, the Division of Enforcement of the SEC is conducting an investigation to determine whether there had been any violations of the federal securities laws, and the duration and outcome of this matter cannot be predicted at this time. See “Item 4. Information on the Company—B. Business Overview—Legal Proceedings.” The outcome of any litigation and SEC inquiry, regardless of its merits, is inherently uncertain and may differ substantially from our expectations. Any claims and lawsuits, and the disposition of such claims and lawsuits, or SEC inquiry could be time-consuming and expensive to resolve, divert management attention and resources, and lead to attempts on the part of other parties to pursue similar claims. We may not be able to determine the amount of any potential losses and other costs we may incur due to the inherent uncertainties of litigation and settlement negotiations. In the event we are required or decide to pay amounts in connection with any claims, lawsuits or SEC inquiry, such amounts could be significant and could have a material adverse impact on our liquidity, business, financial condition and results of operations. In addition, depending on the nature and timing of any such dispute, a resolution of a legal matter could materially affect our future operating results, our cash flows or both.

We expect to receive health information and other highly sensitive or confidential information and data of patients and other third parties (e.g., healthcare providers who refer patients for scans), which we expect to compile and analyze. Collection and use of this data might raise privacy and data protection concerns, which could negatively impact our business. There are numerous federal, state and international laws and regulations regarding privacy, data protection, information security, and the collection, storing, sharing, use, processing, transfer, disclosure, and protection of personal information and other data, and the scope of such laws and regulations may change, be subject to differing interpretations, and may be inconsistent among countries and regions we intend to operate in (e.g., the United States, the European Union and Israel), or conflict with other laws and regulations. The regulatory framework for privacy and data protection worldwide is, and is likely to remain for the foreseeable future, uncertain and complex, and this or other actual or alleged obligations may be interpreted and applied in a manner that we may not anticipate or that is inconsistent from one jurisdiction to another and may conflict with other rules or practices including ours. Further, any significant change to applicable laws, regulations, or industry practices regarding the collection, use, retention, security, or disclosure of data, or their interpretation, or any changes regarding the manner in which the consent of relevant users for the collection, use, retention, or disclosure of such data must be obtained, could increase our costs and require us to modify our services and candidate products, possibly in a material manner, which we may be unable to complete, and may limit our ability to store and process patients’ data or develop new services and features. In particular, we will be subject to U.S. data protection laws and regulations (i.e., laws and regulations that address privacy and data security) at both the federal and state levels. The legislative and regulatory landscape for data protection continues to evolve, and in recent years there has been an increasing focus on privacy and data security issues. Numerous federal and state laws, including state data breach notification laws, state health information privacy laws, and federal and state consumer protection laws, govern the collection, use, and disclosure of health-related and other personal information. Failure to comply with such laws and regulations could result in government enforcement actions and create liability for us (including the imposition of significant civil or criminal penalties), private litigation and/or adverse publicity that could negatively affect our business. For instance, California enacted the California Consumer Privacy Act (“CCPA”) on June 28, 2018, which took effect on January 1, 2020. The CCPA creates individual privacy rights for California consumers and increases the privacy and security obligations of entities handling certain personal data. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches that is expected to increase data breach litigation. Further, the California Privacy Rights Act (“CPRA”), recently passed in California. The CPRA will impose additional data protection obligations on covered businesses, including additional consumer rights processes, limitations on data uses, new audit requirements for higher risk data, and opt outs for certain uses of sensitive data. It will also create a new California data protection agency authorized to issue substantive regulations and could result in increased privacy and information security enforcement. The majority of the provisions will go into effect on January 1, 2023, and additional compliance investment and potential business process changes may be required. The CCPA and the CPRA may increase our compliance costs and potential liability, and many similar laws have been proposed at the federal level and in other states. In addition, we expect to obtain health information that is subject to privacy and security requirements under HITECH and its implementing regulations. The Privacy Standards and Security Standards under HIPAA establish a set of standards for the protection of individually identifiable health information by health plans, health care clearinghouses and certain health care providers, referred to as Covered Entities, and the business associates with whom Covered Entities enter into service relationships pursuant to which individually identifiable health information may be exchanged. Notably, whereas HIPAA previously directly regulated only Covered Entities, HITECH makes certain of HIPAA’s privacy and security standards also directly applicable to Covered Entities’ business associates. As a result, both Covered Entities and business associates are now subject to significant civil and criminal penalties for failure to comply with Privacy Standards and Security Standards. As part of our normal operations, we expect to collect, process and retain personal identifying information regarding patients, including as a business associate of Covered Entities, so we expect to be subject to HIPAA, including changes implemented through HITECH, and we could be subject to criminal penalties if we knowingly obtain or disclose individually identifiable health information in a manner that is not authorized or permitted by HIPAA. A data breach affecting sensitive personal information, including health information, also could result in significant legal and financial exposure and reputational damages that could potentially have an adverse effect on our business. HIPAA requires Covered Entities (like many of our potential customers) and business associates, like us, to develop and maintain policies and procedures with respect to protected health information that is used or disclosed, including the adoption of administrative, physical and technical safeguards to protect such information. HITECH expands the notification requirement for breaches of patient-identifiable health information, restricts certain disclosures and sales of patient-identifiable health information and provides for civil monetary penalties for HIPAA violations. HITECH also increased the civil and criminal penalties that may be imposed against Covered Entities and business associates and gave state attorneys general new authority to file civil actions for damages or injunctions in federal courts to enforce HIPAA and its implementing regulations and seek attorney’s fees and costs associated with pursuing federal civil actions. Additionally, certain states have adopted comparable privacy and security laws and regulations, some of which may be more stringent or broader in scope than HIPAA. Internationally, many jurisdictions have or are considering enacting privacy or data protection laws or regulations relating to the collection, use, storage, transfer, disclosure and/or other processing of personal data, as well as certification requirements for the hosting of health data specifically. Such laws and regulations may include data hosting, data residency or data localization requirements (which generally require that certain types of data collected within a certain country be stored and processed within that country), data export restrictions, international transfer laws (which prohibit or impose conditions upon the transfer of such data from one country to another), or may require companies to implement privacy or data protection and security policies, enable users to access, correct and delete personal data stored or maintained by such companies, inform individuals of security breaches that affect their personal data or obtain individuals’ consent to use their personal data. For example, European legislators adopted the European Union’s General Data Protection Regulation (2016/679) (“GDPR”), which became effective on May 25, 2018, and are now in the process of finalizing the ePrivacy Regulation to replace the European ePrivacy Directive (Directive 2002/58/EC as amended by Directive 2009/136/EC). The GDPR, supplemented by national laws and further implemented through binding guidance from the European Data Protection Board, imposes more stringent European Union data protection requirements and provides for significant penalties for noncompliance. Further, following the United Kingdom’s withdrawal from the European Economic Area (“EEA”) and the European Union (“EU”), and the expiry of the transition period, companies have to comply with both the GDPR and the GDPR as incorporated into United Kingdom (“UK”) national law (the “UK GDPR”), the latter regime having the ability to separately fine up to the greater of £17.5 million or 4% of global turnover. Our processing of large amounts of health data and other highly sensitive data (referred to as “special category data” in the GDPR/UK GDPR) exposes us to further compliance risk. We carry out data protection impact assessments (“DPIAs”) in connection with our high-risk processing activities and implement appropriate safeguards and mechanisms to ensure adequate protection of the personal data, in order to comply with GDPR/UK GDPR. Transfers of personal data between countries and regions we intend to operate in (e.g., the EU, the UK, the U.S. and Israel) are subject to stringent regulation under the GDPR/UK GDPR, and transfers of personal data out of the EEA/UK to third countries (that is, countries without an adequacy decision) must be made pursuant to a valid data transfer mechanism. Common mechanisms for transfers to third countries (including the U.S.) are the latest version of the EU’s Standard Contractual Clauses pursuant to Regulation (EU) 2016/679, introduced in 2021 (“SCCs”) and, for transfers out of the UK, the International Data Transfer Agreement (“IDTA”) or the UK Addendum to the SCCs. In addition to the use of a valid data transfer mechanism, transfer impact assessments must now be carried out in respect of planned transfers of personal data from the EEA/UK to third countries including the U.S., and failure to do so may expose us to further compliance risk. The EU has, however, adopted an adequacy decision in respect of Israel and transfers of personal data can therefore be made from the EEA/UK without the use of additional safeguards. Whilst the European Commission and the U.S. Department of Commerce had previously negotiated the EU-U.S. Privacy Shield (“Privacy Shield”), a self-certification mechanism for data transfers from the EEA to the U.S., the status of transfers of data from the EEA/UK to the U.S. is currently uncertain following the 2020 decision of the Court of Justice of the European Union (“CJEU”) in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (commonly known as “Schrems II”). Prior to the Schrems II ruling, a company that was self-certified could import personal data from the EEA, provided it abided by the terms of the Privacy Shield. In Schrems II, however, the CJEU struck down the Privacy Shield, effective immediately. A replacement for the Privacy Shield has not yet been finalized (although the EU and the U.S. have reached an agreement in principle for a Trans-Atlantic Data Privacy Framework) and transfers must now be carried out pursuant to a valid data transfer mechanism and accompanied by transfer impact assessments. Virtually every jurisdiction in which we expect to operate has established its own data security and privacy legal framework with which we must, and our target customers will need to, comply, including the rules and regulation mentioned above. We may also need to comply with varying and possibly conflicting privacy laws and regulations in other jurisdictions. As a result, we could face regulatory actions, including significant fines or penalties, adverse publicity and possible loss of business. While we are preparing to implement various measures intended to enable us to comply with applicable privacy or data protection laws, regulations and contractual obligations, these measures may not always be effective and do not guarantee compliance. Any failure or perceived failure by us to comply with our contractual or legal obligations or regulatory requirements relating to privacy, data protection, or information security may result in governmental investigations or enforcement actions, litigation, claims, or public statements against us by consumer advocacy groups or others and could result in significant liability, cause our customers, partners or patients to lose trust in us, and otherwise materially and adversely affect our reputation and business. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, and policies that are applicable to the businesses of our customers or partners may limit the adoption and use of, and reduce the overall demand for, our products and services. Additionally, if third parties we work with violate applicable laws, regulations, or agreements, such violations may put the data we have received at risk, could result in governmental investigations or enforcement actions, fines, litigation, claims, or public statements against us by consumer advocacy groups or others and could result in significant liability, cause our customers, partners or patients to lose trust in us, and otherwise materially and adversely affect our reputation and business. Further, public scrutiny of, or complaints about, technology companies or their data handling or data protection practices, even if unrelated to our business, industry or operations, may lead to increased scrutiny of technology companies, including us, and may cause government agencies to enact additional regulatory requirements, or to modify their enforcement or investigation activities, which may increase our costs and risks.

We expect that our business operations will enable us to accumulate a significant amount of highly sensitive and/or confidential information, including medical images and other medical and personal information. While employee contracts generally contain standard confidentiality provisions, our employees, customers or collaborators may not properly handle or process sensitive or confidential data. The improper handling of sensitive or confidential data, or even the perception of such mishandling (whether or not valid), or other security lapses by us, our customers or collaborators, could reduce demand for our offerings or otherwise expose us to financial or reputational harm or legal liability. In addition, any security breach, including personal data breaches, or incident, including cybersecurity incidents, that we experience could result in unauthorized access to, misuse of, or unauthorized acquisition of the sensitive or confidential information and data (including medical information), the loss, corruption, or alteration of this data, interruptions in our operations, or damage to our systems. Any such incidents could expose us to claims, litigation, regulatory or other governmental investigations, administrative fines and potential liability. An increasing number of digital platforms have disclosed breaches of their security, some of which have involved sophisticated and highly targeted attacks on portions of their services. Because the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently and often are not foreseeable or recognized until launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures. If an actual or perceived breach of our security occurs, public perception of the effectiveness of our security measures and brand could be harmed and our results of operations could be negatively affected. Data security breaches and other incidents may also result from non-technical means (e.g., actions by employees or contractors). Any compromise of our security could result in a violation of applicable security, privacy or data protection, consumer and other laws, regulatory or other governmental investigations, enforcement actions, and legal and financial exposure, including potential contractual liability. Any such compromise could also result in damage to our reputation and a loss of confidence in our security and privacy or data protection measures. Any of these effects could materially and adversely affect our business, financial condition and results of operations.

Our products and services are in the medical imaging field and so may be subject to claims. We are not immune from product liability or other product claim risks, and we may not be able to maintain insurance on acceptable terms against such risks or that such insurance will be sufficient to protect us against potential claims or that insurance will be available in the future in amounts sufficient to protect us. A product liability claim, malpractice or other claim, as well as any claims for uninsured liabilities or in excess of insured liabilities, could have a material adverse effect on our business, financial condition, results of operations and prospects.

We expect to do business globally, including in North America and certain countries in Asia, Europe, Africa, Latin America and Australia. Commercialization of our X-ray source technology, the Nanox.ARC or the Nanox System in foreign markets, either directly or through third parties, is subject to additional risks and uncertainties, including: ? reimbursement and insurance coverage; ? our inability to find agencies, dealers or distributors in specific countries or regions; ? our inability to directly control commercial activities of third parties; ? limited resources to be deployed to a specific jurisdiction; ? the burden of complying with complex and changing regulatory, tax, accounting and legal requirements; ? different medical imaging practice and customs in foreign countries affecting acceptance in the marketplace; ? import or export licensing and other requirements; ? longer accounts receivable collection times; ? longer lead times for shipping; ? language barriers for technical training; ? reduced protection of intellectual property rights in some foreign countries; ? foreign currency exchange rate fluctuations; and ? interpretations of contractual provisions governed by foreign laws in the event of a contract dispute. Specifically, we are subject to the U.S. Foreign Corrupt Practices Act of 1977, as amended, the U.S. domestic bribery statute contained in 18 U.S.C. § 201, the U.S. Travel Act, the USA PATRIOT Act, the United Kingdom Bribery Act 2010, the Proceeds of Crime Act 2002, Chapter 9 (sub-chapter 5) of the Israeli Penal Law, 1977, the Israeli Prohibition on Money Laundering Law–2000 and possibly other anti-bribery and anti-money laundering laws in countries outside of the United States in which we conduct our activities. As we engage finders to obtain MSaaS agreements in certain countries, we and our finders may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities. We may be held liable for the corrupt or other illegal activities of these third-party business partners and intermediaries, our employees, representatives, contractors, partners and agents, even if we do not explicitly authorize such activities. As we expand our international business, our risks under these laws may increase. We also may sell the Nanox.ARC, the Nanox.CLOUD or the Nanox System to government entities, which are subject to a number of challenges and risks. Any actual or perceived privacy, data protection, or data security incident, or even any perceived defect with regard to our practices or measures in these areas, may negatively impact public sector demand for our products. Government entities may also have statutory, contractual or other legal rights to terminate contracts with us for convenience or due to a default, and any such termination may adversely affect our future results of operations. Governments routinely investigate and audit government contractors’ administrative processes, and any unfavorable audit could result in the government refusing to continue buying our subscriptions, a reduction of revenue, or fines or civil or criminal liability if the audit uncovers improper or illegal activities. In addition, sales of the Nanox.ARC, the Nanox.CLOUD or the Nanox System in foreign markets could also be adversely affected by the imposition of governmental controls, political and economic instability, war, conflicts, civil unrest and other hostilities, trade restrictions and changes in tariffs, any of which may adversely affect our business, financial condition, results of operations and prospects.

Public health crises such as pandemics or similar outbreaks could adversely impact our business. Beginning in 2019, a novel strain of a virus named SARS-CoV-2 (severe acute respiratory syndrome coronavirus 2), or coronavirus, which causes COVID-19, has spread to most countries across the world, including Israel and all 50 states within the U.S. The COVID-19 pandemic is evolving, and to date has led to the implementation of various responses, including government-imposed quarantines, travel restrictions and other public health safety measures. The COVID-19 pandemic has adversely impacted our operations in various ways. For example, due to travel restrictions as a result of the COVID-19 pandemic, our engineers had limited ability to make work-related trips to Korea or Israel to test and optimize the Nanox.ARC and to begin MEMs X-ray chip manufacturing in Korea. Our potential business partners also had limited ability to make on-site visits to our facilities or attend industry conferences and meetings in person to experience the Nanox.ARC, which has negatively impacted our business development and deployment activities. Due, in part, to travel restrictions as a result of the COVID-19 pandemic, we decided to manufacture the first Nanox.ARC units in Israel on a purchase order basis from Dagesh that we expect will be used for the acceptance tests under our MSaaS agreements, demonstrations, regulatory approvals and for the initial global deployment, among other purposes. The external labs we work with have been affected by COVID-19, resulting in delays in our timeline for obtaining regulatory clearance and approval. Our FDA and other regulatory approvals and clearances have been delayed due to prioritization of vaccines for COVID-19. COVID-19 has also caused shutdowns or disruptions of business for our manufacturers and suppliers. The extent to which the COVID-19 pandemic impacts our operations or those of our third-party partners will depend on future developments, which are highly uncertain and cannot be predicted with confidence, including the duration of the pandemic, new information that will emerge concerning the severity of the coronavirus and the actions to contain the coronavirus or treat its impact, further mutations or related variants of the virus (or even the threat or perception that this could occur), among others. In addition, if any treatment or vaccine for COVID-19 is ineffective or underutilized, any impact on our business may be prolonged. The continued spread of COVID-19 globally could adversely impact our development, manufacture or deployment of the Nanox System, which could adversely affect our ability to obtain regulatory clearance and approval for and to commercialize the Nanox System, increase our operating expenses and have a material adverse effect on our financial results. These and other factors arising from the COVID-19 pandemic could worsen in countries that are afflicted with the coronavirus. Any of these factors, and other factors related to any such disruptions that are unforeseen, could have a material adverse effect on our business and our results of operations and financial condition. Further, uncertainty around these and related issues could lead to adverse effects on the economy of the United States and other economies, which could impact our ability to raise the necessary capital needed to develop and commercialize the Nanox System.

The medical imaging industry is rapidly evolving and subject to intense and increasing competition. To compete successfully and to be able to establish and maintain a competitive position in current and future technologies, we will need to demonstrate the advantages of our technology over well-established alternative solutions, products and technologies, such as computed tomography (“CT”), as well as newer methods of medical imaging and early detection. We believe that effectively stimulating market interest for the Nanox System will require deploying 5,000 to 10,000 Nanox.ARC units. To achieve this, we will need to raise or develop financial resources, technical expertise, marketing, distribution or support capabilities and we may not be successful in doing so. Also, companies offering traditional medical imaging systems, such as General Electric, Siemens, Philips, Hologic, Varian, Fuji, Toshiba and Hitachi, may be better established in the market than we are, have greater corporate, financial, operational, sales and marketing resources than we do, or have more experience in research and development than we have. In particular, the field emission technology has been used by a wide range of leading market players in an attempt to create an alternative digital source of X-ray, the most well-known attempt being the use of carbon nano tubes as the base materials for a potential field emission-based solution. In addition, early-detection technologies developed by other companies, such as blood testing and DNA screening, may also reduce the attractiveness of our technology for early detection or render it obsolete. Successful developments of these or other technologies by competitors resulting in new approaches for medical imaging, including technologies, products or services that are more effective or commercially attractive, could make our technology less useful or obsolete. We may also face opposition from certain industry leaders, who may have political influence and the ability to delay deployment of the Nanox System in certain geographical areas. Furthermore, as the market expands, we expect the entry of additional competitors, such as cloud computing companies or leading IT companies, who may have longer operating histories, more extensive international operations, greater name recognition, and/or substantially greater technical, marketing and financial resources. Our competitive position also depends on our ability to: ? generate widespread awareness, acceptance and adoption of our technology and future products or services; ? develop new or enhanced technologies or features that improve the convenience, efficiency, safety or perceived safety, and productivity of our technology and future products or services; ? properly identify customer needs and deliver new products or services or product enhancements to address those needs; ? limit the time required from prototype development to commercial production; ? limit the timing and cost of regulatory approvals; ? attract and retain qualified personnel and collaborators; ? protect our inventions with patents or otherwise develop proprietary products and processes; and ? secure sufficient capital resources to expand both our continued research and development, and sales and marketing efforts. With respect to our AI imaging solutions, there are a number of companies that currently offer AI radiology solutions, such as Aidoc and VIZ.AI, which, to our knowledge, focus on life threatening and urgent cases. In addition, legacy healthcare technology companies are expected in the future to increase development efforts in the field of AI imaging solutions. For example, Siemens Healthineers has developed AI-Rad Companion, which provides automatic post-processing of imaging datasets through AI-powered algorithms for Siemens CTs. The AI medical imaging market is new and competition from new market players may develop in the next few years. With respect to our teleradiology services, the teleradiology market is highly competitive, rapidly evolving and fragmented, and is subject to changing technology and market dynamics. The market has recently experienced and is expected to continue to experience competitive pricing pressure and radiologist compensation pressure. We compete directly with both large and small-scale service providers who offer local, regional and national coverage operations. We believe that our principal competitors are Envision Physician Services and Radiology Partners. We compete to attract and retain relationships with customers and radiologists in different ways. If our technology is not, or our future products or services are not, competitive based on these or other factors, our business would be harmed.

There is a shortage of qualified radiologists in some of the regional markets that we serve. In addition, competition in recruiting radiologists may make it difficult for us to maintain adequate levels of radiologists. If a significant number of radiologists terminate their relationships with us and we cannot recruit sufficient qualified radiologists, our ability to generate revenue from teleradiology services and our financial results could be adversely affected.

Advertising and promotion of our future products that obtains approval in the United States may be heavily scrutinized by the FDA, the DOJ, HHS, state attorneys general, members of Congress, and the public. In addition, advertising and promotion of any future product that obtains approval outside of the United States will be heavily scrutinized by comparable foreign regulatory authorities. We expect that, if cleared or approved, our products, including the multi-source Nanox.ARC, will be cleared by the requisite regulatory authorities for specific indications. We expect to train our marketing personnel and direct sales force to not promote our devices for uses outside of the FDA-approved indications for use, known as “off-label uses.” We cannot, however, prevent a physician from using our devices off-label, when in the physician’s independent professional medical judgment he or she deems it appropriate. There may be increased risk of injury to patients if physicians attempt to use our devices off-label. Furthermore, the use of our devices for indications other than those approved by the FDA or approved by any foreign regulatory body may not effectively treat such conditions, which could harm our reputation in the marketplace among healthcare providers and patients. If the FDA or any state or foreign regulatory body determines that our promotional materials or training constitute promotion of an off-label use, it could request that we modify our training or promotional materials or subject us to regulatory or enforcement actions, including the issuance or imposition of an untitled letter, which is used for violators that do not necessitate a warning letter, injunction, seizure, civil fine or criminal penalties. It is also possible that other federal, state or foreign enforcement authorities might take action under other regulatory authority, such as false claims laws, if they consider our business activities to constitute promotion of an off-label use, which could result in significant penalties, including, but not limited to, criminal, civil and administrative penalties, damages, fines, disgorgement, exclusion from participation in government healthcare programs and the curtailment of our operations. We may become subject to such actions and, if we are not successful in defending against such actions, those actions may have a material adverse effect on our business, financial condition and results of operations. Equivalent laws and potential consequences exist in foreign jurisdictions. In addition, if our products are cleared or approved, healthcare providers may misuse our products or use improper techniques if they are not adequately trained, potentially leading to injury and an increased risk of product liability. If our devices are misused or used with improper technique, we may become subject to costly litigation by our customers or their patients. As described above, product liability claims could divert management’s attention from our core business, be expensive to defend and result in sizeable damage awards against us that may not be covered by insurance.