Oscar Health (OSCR) Risk Analysis

As part of our normal operations, we collect, receive, use, maintain, handle, transmit, process, and retain, which collectively in this risk factor we refer to as "Process" or "Processing," personal, medical, sensitive and other confidential information about individuals. We also depend on a number of third party vendors in relation to the operation of our business, a number of which process data on our behalf. We and our vendors are subject to various federal and state laws, regulations, rules, and industry standards and other requirements including those that apply generally to the handling of information about individuals, and those that are specific to certain industries, sectors, contexts, or locations. These laws and regulations include, among others, the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (together "HIPAA"), the California Consumer Privacy Act of 2018 ("CCPA") and the California Privacy Rights Act of 2023 ("CPRA"). These requirements, and their application, interpretation and amendment are constantly evolving and developing. HIPAA imposes privacy, security and breach notification obligations on "covered entities," including certain healthcare providers, health plans and healthcare clearinghouses, and their respective "business associates" that Process individually identifiable health information for or on behalf of a covered entity, as well as their covered subcontractors with respect to safeguarding the privacy, security and transmission of individually identifiable health information. HIPAA requires covered entities and business associates to develop and maintain policies and procedures with respect to the protection of, use and disclosure of protected health information ("PHI"), and to implement administrative, physical, and technical safeguards to protect PHI, including PHI Processed in electronic form, and to adhere to certain notification requirements in the event of a breach of unsecured PHI. In order to comply with HIPAA's requirements, we must maintain adequate privacy and security measures, which require significant investments in resources and ongoing attention. Additionally, under HIPAA, health insurers and other covered entities are also required to report breaches of PHI to affected individuals without unreasonable delay, not to exceed 60 days following discovery of the breach by a covered entity or its agents. Notification also must be made to the HHS-Office for Civil Rights and prominent media outlets in any states where 500 or more people are impacted by the breach. A non-permitted use or disclosure of PHI is presumed to be a breach under HIPAA unless the covered entity establishes that there is a low probability the information has been compromised consistent with requirements enumerated in HIPAA. Ongoing review and oversight of these measures involves significant time, effort, and expense. Entities that are found to be in violation of HIPAA as the result of a breach of unsecured PHI or following a complaint about privacy practices or an audit by the HHS, may be subject to significant civil, criminal and administrative fines and penalties and/or additional reporting and oversight obligations if required to enter into a resolution agreement and corrective action plan with HHS to settle allegations of HIPAA non-compliance. HIPAA also authorizes state Attorneys General to file suit on behalf of their residents. Courts may award damages, costs and attorneys' fees related to violations of HIPAA in such cases. While HIPAA does not create a private right of action allowing individuals to sue us in civil court for violations of HIPAA, its standards have been used as the basis for duty of care in state civil suits such as those for negligence or recklessness in the misuse or breach of PHI. In addition, we are subject to the CCPA, which became effective as of January 1, 2020. The CCPA gives California residents expanded rights to access and require deletion of their personal information, opt out of certain personal information sharing, and receive detailed information about how their personal information is used. The CCPA also provides for civil penalties for violations, as well as a private right of action for data breaches that may increase data breach litigation. Additionally, the CPRA became effective on January 1, 2023, and it imposed additional obligations on companies covered by the legislation and significantly modified the CCPA, including by expanding consumers' rights with respect to certain sensitive personal information. The CPRA also created a new state agency that is vested with the authority to implement and enforce the CCPA and the CPRA. Compliance with the CCPA and the CPRA may require us to modify our data collection or processing practices and policies and to incur substantial costs and expenses and may increase our potential exposure to regulatory enforcement and/or litigation. The CCPA and CPRA contain exemptions to which our business is subject, such as for medical information governed by the California Confidentiality of Medical Information Act, and for PHI collected by a covered entity or business associate governed by the privacy, security, and breach notification rule established pursuant to HIPAA; however, information we hold about individual residents of California that is not subject to such exceptions (or another applicable exception) would be subject to the CCPA and CPRA. Certain other state laws also regulate issues related to consumer privacy, security and use of personal and medical information; additional states have enacted legislation similar to the CCPA and CPRA that provides consumers with new privacy rights and increases the privacy and security obligations of entities handling certain personal information of such consumers. For example, laws similar to the CCPA and CPRA have passed in Virginia, Connecticut, Texas, Utah, and Colorado, and have been proposed in other states and at the federal level, reflecting a trend toward more stringent privacy legislation in the United States. Such legislation may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies. Further, in order to comply with the varying state laws around data breaches, we must maintain adequate security measures, which require significant investments in resources and ongoing attention. We are also subject to other laws, regulations and industry standards that govern our business practices, including the Telephone Consumer Protection Act ("TCPA"), which restricts the use of automated tools and technologies to communicate with wireless telephone subscribers or communications services consumers generally, the CAN-SPAM Act, which regulates the transmission of marketing emails, and the Payment Card Industry ("PCI") Data Security Standard, which is a multifaceted security standard that is designed to protect credit card account data as mandated by PCI entities. We may become subject to claims that we have violated these laws and standards, based on our or our vendors' past, present, or future Processing business practices, and these claims, whether or not they have merit, could expose us to substantial statutory damages or costly settlements, which could have a material and adverse impact on our business and reputation, subject us to fines and/or require us to change our business practices. The regulatory framework governing the Processing of certain information, particularly financial and other personal information, is rapidly evolving and is likely to continue to be subject to uncertainty and varying interpretations, including in the context of artificial intelligence where regulators are applying existing frameworks to new technology and innovation. It is possible that these laws, regulations and standards may be interpreted and applied in a manner that is inconsistent with our existing data management practices or the features of our services and platform capabilities. We may face challenges in addressing current and evolving requirements and making necessary changes to our policies and practices, and may incur significant costs and expenses in our effort to do so. Any failure or perceived failure by us, or any third parties with which we do business, to comply with our posted privacy policies, changing consumer expectations, evolving laws, rules and regulations, industry standards, or contractual obligations to which we or such third parties are or may become subject, may result in actions or other claims against us by governmental entities or private actors, the expenditure of substantial costs, time and other resources or the incurrence of significant fines, penalties or other liabilities. If any of these events were to occur, our reputation, business, financial condition and results of operations could be materially adversely affected. As we expand our customer base and enter into +Oscar platform arrangements, we may become subject to an increasingly complex array of data privacy and security laws and regulations, further increasing our cost of compliance and doing business. Differing laws in each jurisdiction in which we do business and changes to existing laws and regulations may also impair our ability to offer our existing or planned features, products and services and increase our cost of doing business.

From time to time, we may be a defendant in lawsuits and the subject of regulatory actions, and are subject to audits, reviews, assessments and investigations relating to our business, including, without limitation, claims by members alleging failure to provide coverage or pay for or authorize payment for healthcare, claims related to non-payment or insufficient payments for services by providers, including for alleged failure to properly pay in-network and out-out-network claims, claims under U.S. securities laws, claims related to breach of contract, employment related claims, claims of trademark and other intellectual property infringement or misappropriation, claims alleging bad faith or unfair business practices, challenges to the manner in which the Company processes claims, claims relating to sales, marketing and other business practices, inquiries regarding our submission of risk adjustment data, enforcement actions by state regulatory bodies alleging non-compliance with state law, financial and market conduct examinations by state regulatory bodies, and claims related to the imposition of new taxes, including, but not limited to, claims that may have retroactive application. For example, on May 12, 2022, a securities class action lawsuit against the Company, certain of its directors and officers, and the underwriters that participated in the Company's initial public offering ("IPO") was commenced in the United States District Court for the Southern District of New York, captioned Carpenter v. Oscar Health, Inc., et al., Case No. 1:22-CV-03885 (S.D.N.Y.) (the "Securities Action"). The amended complaint, filed on December 6, 2022, primarily alleges that the Company failed to disclose in its IPO registration statement purportedly inadequate controls and systems in connection with the risk adjustment data validation audit for 2019, in violation of Sections 11 and 15 of the Securities Act, and that this alleged omission caused losses and damages for members of the putative class. The amended complaint seeks unspecified compensatory damages as well as interest, fees and costs. In addition, certain of the Company's health insurance subsidiaries have been or are currently undergoing review by state regulators, including for, among other matters, compliance with applicable laws and regulations and reviews of financial condition. We also may receive subpoenas and other requests for information from various federal and state agencies, regulatory authorities, state Attorneys General, committees, subcommittees, and members of the U.S. Congress and other state, federal, and international governmental authorities. Due to the inherent uncertainties of litigation and regulatory proceedings, we cannot accurately predict the ultimate outcome of any such proceedings. An unfavorable outcome could have a material adverse impact on our business and financial position, results of operations, and/or cash flows, and may affect our reputation and brand. In addition, regardless of the outcome of any litigation or regulatory proceedings, investigations, audits, or reviews, responding to such matters is costly and time consuming, and requires significant attention from our management, and could, therefore, harm our business and financial position, results of operations or cash flows. Insurance may not cover such claims, may not provide sufficient payments to cover all of the costs to resolve one or more such claims, and may result in our having to pay significant fines, judgments, or settlements, which, if uninsured, or if the fines, judgments, and settlements exceed insured levels, could adversely affect our results of operations and cash flows, thereby harming our business. The regulations and contractual requirements applicable to us and other market participants are complex and subject to change, making it necessary for us to invest significant resources in complying with our regulatory and contractual requirements. Ongoing vigorous legal enforcement and the highly technical regulatory scheme mean that our compliance efforts in this area will continue to require significant resources, and we may not always be successful in ensuring appropriate compliance by our employees, consultants, or vendors, for whose compliance or lack thereof we may be held responsible and liable. Regulatory audits, investigations, and reviews could result in significant or material changes to our business practices, including increased capital requirements, and also could result in significant or material premium refunds, fines, penalties, civil liabilities, criminal liabilities, or other sanctions, including marketing and enrollment sanctions, suspension or exclusion from participation in government programs, imposition of heightened monitoring by our federal or state regulators, and suspension or loss of licensure if we are determined to be in violation of applicable laws or regulations. Any of these audits, reviews, or investigations could have a material adverse effect on our financial position, results of operations, or business, or could result in significant liabilities and negative publicity for the Company.

Our profitability depends, in large part, upon our ability to contract at competitive prices with hospitals, physicians, and other healthcare providers, such that we can provide our members with access to competitive provider networks at affordable prices. Our arrangements with healthcare providers generally may be terminated or not renewed by either party without cause upon prior written notice. If a provider agreement were terminated, such termination could adversely impact the breadth of our network to service our members, and may put us at risk of non-compliance with applicable federal and state network adequacy laws. We cannot provide any assurance that we will be able to renew our existing contracts or enter into new contracts on a timely basis or under favorable reimbursement rates and terms enabling us to service our members profitably in the future. Healthcare providers within our provider networks may not properly manage the costs of services, maintain financial solvency or avoid disputes with other providers or their federal and state regulators. Any of these events could have a material adverse effect on the provision of services to our members and our operations. In any particular market or geography, physicians and other healthcare providers could refuse to contract, demand higher payments, demand favorable contract terms, or take other actions that could result in higher medical costs or difficulty in meeting regulatory or accreditation requirements, among other things. In some markets and geographies, certain healthcare providers, particularly hospitals, physician/hospital organizations, or multi-specialty physician groups, may have significant positions or near monopolies that could result in diminished bargaining power on our part during contract negotiations. In addition, physicians, hospitals and other healthcare providers may, consolidate or merge, or form or enter into accountable care organizations, clinically integrated networks, independent practice associations, practice management companies (which aggregate physician practices for administrative efficiency and marketing leverage), and other organizational structures, which may adversely impact our relationships with these providers or affect the way that we price our products and estimate our costs. Any such impacts might require us to incur costs to change our operations, place us at a competitive disadvantage, or materially and adversely affect our ability to market affordable products or to be profitable in those areas. The insolvency of one of our partners or providers, including providers with which we have a value-based care arrangement, could expose us to material liabilities. Providers may be unable or unwilling to pay liabilities owed to us under value-based care arrangements. Providers may also be unable or unwilling to pay claims they have incurred with third party providers in connection with referral services provided to our members. Depending on state law, we may be held liable for such unpaid referral claims even though the delegated provider has contractually assumed such risk, or we may opt to pay such claims even when we have no obligation to do so due to competitive pressures. Such liabilities incurred or losses suffered as a result of provider insolvency or other circumstances could have a material adverse effect on our business, financial condition, cash flows, or results of operations. In addition, from time to time, we are, and may in the future continue to be, subject to class action or other lawsuits by healthcare providers with respect to claims payment procedures, including the rate at which claims were reimbursed, reimbursement policies, network participation, or breach of contract allegations or similar matters. Regardless of whether any such lawsuits brought against us are successful or have merit, they will be time-consuming and costly, and could have an adverse impact on our reputation. As a result, under such circumstances, we may be unable to operate our business effectively. Some providers that render services to our members are not contracted with our health insurance subsidiaries. While our health insurance subsidiaries are required to meet various federal and state requirements regarding the size and composition of our participating provider networks, we generally contract with a select subset of, and not all, systems and providers in a given area. This allows us to work more closely with high quality healthcare systems that engage with us using our technology. That approach, however, makes it possible that our members will receive emergency services, or other services which we are required to cover by law or by the terms of our health plans, from providers who are not contracted with our health insurance subsidiaries. In those cases, there is no pre-established contractual understanding between the provider and our health insurance subsidiary about the amount of compensation that is due to the provider. In some states, and under federal law for our business subject to the No Surprises Act, the amount of compensation and/or process to dispute out-of-network reimbursement amounts is defined by law or regulation. In certain situations, our health insurance subsidiaries are required to hold our members harmless for out-of-network costs, and to work directly with healthcare providers within the confines of state law or the No Surprises Act's dispute resolution process to agree on reimbursement. Reimbursement for these out-of-network costs can be significant. It is difficult to predict the amount we may have to pay to out-of-network providers. The uncertainty of the amount to pay to such providers and the possibility of subsequent adjustment of the payment could materially and adversely affect our business, financial condition, cash flows, or results of operations. Additionally, substantially all of our revenue depends on the direct policy premiums we collect from members or from the federal government on behalf of our members who obtain healthcare services from a limited number of providers with whom we contract. We generally manage our provider contracts on a state-by-state basis, entering into separate contracts in each state with local affiliates of a particular provider, such that no one local provider contract receives a majority of our allowed medical costs for services rendered to our members. When aggregating the payments we make to each provider through its local affiliates, AdventHealth, HCA Healthcare and University of Miami Hospital & Medical Group accounted for a total of approximately 15%, 9% and 9%, respectively, of total allowable medical costs for the three months ended December 31, 2023, and approximately 14%, 9% and 8%, respectively, of total allowable medical costs for the year ended December 31, 2023. Advent Health, HCA Healthcare, and Atlantic Coast Health Network ("ACHN") accounted for approximately 15%, 10% and 6%, respectively, of total allowable medical costs for the year ended December 31, 2022. We believe that a majority of our revenue will continue to be derived from direct policy premiums obtained from members who receive services from a concentrated number of providers. These providers may terminate or seek to terminate their contracts with us in the future. The sudden loss of any of our providers or the renegotiation of related provider contracts could adversely impact our reputation or the breadth of access and perceived quality of our provider networks, which could result in a loss of a membership that adversely affects our revenue and operating results.

We currently derive substantially all of our revenue from direct policy premiums and recognize premium revenue over the period that coverage is effective. There can be no assurance that we will receive premiums in advance of or by the end of a given coverage period. Moreover, actions taken by state and federal governments could increase the likelihood of delay in our receipt of premiums. For example, in early responses to the COVID-19 pandemic, state insurance departments, including in states in which we operate, issued guidelines, recommendations, and moratoria around policy cancellations and non-renewals due to non-payment. While none of such state or federal required or recommended moratoria carried over into 2023, if such or similar measures were to be reintroduced and to remain in place for an extended period due to a resurgence of COVID-19 or for other reasons, including unanticipated public health or economic crises, our receipt of premiums, if any, could be significantly delayed, which could have a material adverse effect on our business, operations, cash flows, or earnings. Payments from government payors may be delayed in the future, which, if extended for any significant period of time, could have a material adverse effect on our results of operations, financial condition, cash flows or liquidity. In addition, delays in obtaining, or failure to obtain or maintain, governmental approvals, or moratoria imposed by regulatory authorities, could adversely affect our revenues or membership, increase costs or adversely affect our ability to bring new products to market as forecasted. Other changes to our government programs could affect our willingness or ability to participate in any of these programs or otherwise have a material adverse effect on our business, operations, cash flows, or earnings.

Our competitors, as well as a number of other entities and individuals, including so-called non-practicing entities, may own or claim to own intellectual property relating to or covering the operation of our business. From time to time, third parties may claim that we are infringing upon their intellectual property rights or that we have misappropriated their intellectual property. We may be unaware of the intellectual property rights that others may claim cover some or all of our technology or services. Because patent applications can take years to issue and are often afforded confidentiality for some period of time there may currently be pending applications, unknown to us, that later result in issued patents that could cover one or more aspects of our technology and business. Third parties may assert claims that we or our business partners or clients infringe or misappropriate their intellectual property rights and these claims, with or without merit, could be expensive to litigate, cause us to incur substantial costs and divert management resources and attention in defending the claim. In addition, we may be required to license additional technology from third parties to develop and market new offerings or platform features, which may not be available on commercially reasonable terms, or at all, and could adversely affect our ability to compete or require us to rebrand or otherwise modify our offerings, which could further exhaust our resources. Furthermore, certain contracts with our business partners contain provisions whereby we indemnify, subject to certain limitations, the counterparty for damages suffered as a result of claims related to intellectual property infringement. Claims made under these provisions could be expensive to litigate and could result in significant payments. Even if we were to prevail in such a dispute, any litigation regarding our intellectual property could be costly and time-consuming and divert the attention of our management and key personnel from our business operations.

Our business currently utilizes artificial intelligence and machine learning technologies offered by third parties to drive efficiencies in our business, including by deploying use cases that are designed to streamline administrative processes, enhance decision making capabilities and improve the experience for our members and providers. We expect to continue utilizing these technologies in the future. As with many technological innovations, artificial intelligence presents risks and challenges that could affect its adoption, and therefore our business and reputation. If these artificial intelligence or machine learning models are incorrectly designed, the performance of our products, services, and business, as well as our reputation, could suffer or we could incur liability through the violation of laws, or contracts to which we are a party. Additionally, we are making, and plan to make in the future, investments in adopting artificial intelligence and machine learning technologies across our business, including our plan to integrate large language models across our technology stack. Artificial intelligence and machine learning technologies are complex and rapidly evolving, and we face significant competition from other companies in our industry as well as an evolving regulatory landscape. These efforts, including the introduction of new products or changes to existing products, may result in new or enhanced governmental or regulatory scrutiny, litigation, ethical concerns, or other complications that could adversely affect our business, reputation, or financial results. Changes to existing regulations, their interpretation or implementation or new regulations could impede our use of artificial intelligence and machine learning technology and also may increase the burden and cost of research and development in this area. In addition, market acceptance of artificial intelligence and machine learning technologies is uncertain, and we may be unsuccessful in our product development efforts or suffer reputational harm. Any of these factors could adversely affect our business, financial condition, and results of operations.