The Company is subject to European data protection regulations where it collects and uses personal data related to Europe. This includes the EU General Data Protection Regulation ("EU GDPR") as well as other national data protection legislation in force in relevant European Economic Area ("EEA") member states, and the EU GDPR in such form as incorporated into the laws of the UK ("UK GDPR", together with EU GDPR, "GDPR"), which govern the collection, use, storage, disclosure, transfer, or other processing of personal data: (i) regarding individuals in the EEA; and/or (ii) carried out in the context of the activities of the Company's establishment in any EEA member state. Failure to comply with the GDPR, and any supplemental EEA country's national data protection laws which may apply by virtue of the location of the individuals whose personal data the Company collects, may result in fines and other administrative penalties, including fines of up to the greater of 4% of worldwide turnover and €20 million (or £17.5 million in the UK). The GDPR also confers a private right of action on data subjects and consumer associations to lodge complaints with supervisory authorities, seek judicial remedies, and obtain compensation for damages resulting from violations of the GDPR.
The GDPR imposes several mandatory requirements on companies that process personal data, including requirements relating to the processing of special category personal data (such as sensitive health data), ensuring a legal basis or condition applies to the processing of personal data, which may include obtaining the consent of the individuals to whom the personal data relates, providing notice to individuals about personal data processing activities, having data processing agreements with third parties who process personal data, notifying data protection authorities and individuals of personal data breaches, and implementing safeguards to protect the security and confidentiality of the personal data. The GDPR also imposes strict rules on the transfer of personal data out of the EEA to third countries, including the United States in certain circumstances, unless a derogation exists or a valid GDPR transfer mechanism (for example, the European Commission approved Standard Contractual Clauses, or SCCs, or the EU-US Data Privacy Framework) applies. Any inability to transfer personal data from the EEA to the United States in compliance with data protection laws may impede the Company's ability to conduct trials and may adversely affect its business and financial position. Complying with the enhanced obligations imposed by the GDPR places additional burdens and risk upon the Company's business, and may result in significant costs to its business and require it to amend certain of its business practices. Further, the Company has no assurances that violations will not occur, particularly given the complexity of the GDPR.
In the U.S., there are numerous federal and state privacy and data security laws and regulations governing the collection, use, disclosure and protection of personal information, including health information privacy laws, security breach notification laws and consumer protection laws. Each of these laws is subject to varying interpretations and is constantly evolving. By way of example, HIPAA imposes privacy and security requirements and breach reporting obligations with respect to individually identifiable health information upon "covered entities" (health plans, health care clearinghouses and certain health care providers), and their respective business associates (individuals or entities that create, receive, maintain or transmit protected health information in connection with providing a service for or on behalf of a covered entity). Entities that are found to be in violation of HIPAA may be subject to significant civil, criminal and administrative fines and penalties and/or additional reporting and oversight obligations. Even when HIPAA does not apply, failing to take appropriate steps to keep consumers' personal information secure may constitute unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act (the FTCA), 15 U.S.C. § 45(a). The FTC expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business and the cost of available tools to improve security and reduce vulnerabilities. Individually identifiable health information is considered sensitive data that merits stronger safeguards.
Regulators and legislators in the U.S. are increasingly scrutinizing and restricting certain personal data transfers and transactions involving foreign countries. For example, the Biden Administration's executive order Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern as implemented by Department of Justice regulations issued in December 2024, prohibits data brokerage transactions involving certain sensitive personal data categories, including health data, genetic data, and biospecimens, to countries of concern, including China. The regulations also restrict certain investment agreements, employment agreements and vendor agreements involving such data and countries of concern, absent specified cybersecurity controls. Actual or alleged violations of these regulations may be punishable by criminal and/or civil sanctions, and may result in exclusion from participation in federal and state programs.
The Company is also subject to the California Consumer Privacy Act ("CCPA"), which creates individual privacy rights and places stringent privacy and security obligations on businesses covered by the law, including obligations to provide detailed disclosures to California consumers about their data collection, use and sharing practices and provide such consumers with ways to opt out of certain uses of sensitive personal information, including health information. It also provides for civil penalties for violations and allows for a private right of action for data breaches that is expected to increase data breach litigation. The law also created a new state regulatory agency that was vested with authority to implement and enforce the CCPA. Failure to comply with the CCPA or other data processing or security laws, or any changes in these laws, could adversely impact the Company's business and its business plans. Similar laws have been passed and proposed in other states and at the federal level, and if passed, such laws may have potentially conflicting requirements that would make compliance challenging. In addition to these comprehensive consumer privacy laws and proposals, a number of other states have passed or proposed more limited privacy laws that focus on specific privacy issues such as biometric data and the privacy of health and medical information, such as Washington state's My Health My Data Act, which went into effect in March 2024.
In addition to privacy and data security laws, we may be contractually subject to industry standards adopted by industry groups and may become subject to such obligations in the future. We are also bound by other contractual obligations related to privacy and data security, and our efforts to comply with such obligations may not be successful.
We publish privacy policies, and we may publish marketing materials, and other statements, such as compliance with certain certifications or self-regulatory principles, regarding privacy and data security. If these policies, materials or statements are found to be deficient, lacking in transparency, deceptive, unfair, or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators, or other adverse consequences.
We are subject to laws and regulations that govern sending marketing and advertising by electronic means, such as email and telephone. For example, in the United States, the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (the "CAN-SPAM Act"), among other things, obligates the sender of commercial emails to provide recipients with the ability to opt out of receiving future commercial emails from the sender. In addition, the Telephone Consumer Protection Act (the "TCPA") imposes certain notice, consent, and opt-out obligations on companies that send telephone or text communications to consumers using automatic telephone dialing systems or an artificial or prerecorded voice, and provides consumers with private rights of action for violations. The FCC and the FTC have responsibility for regulating various aspects of these laws. Among other requirements, the TCPA requires us to obtain prior express written consent for certain telemarketing calls. Many states have similar consumer protection laws regulating telemarketing. These laws limit our ability to communicate with potential customers and reduce the effectiveness of our marketing programs. For violations of the TCPA, the law provides for a private right of action under which a plaintiff may recover monetary damages of $500 for each call or text made in violation of the prohibitions on calls made using an "artificial or pre-recorded voice" or an automatic telephone dialing system. Various state law equivalents of the TCPA may also provide for monetary damages in amounts greater than those provided for under the TCPA. An action may be brought by the FCC, a state attorney general, an individual, or a class of individuals. If in the future we are found to have violated the TCPA, or a state law equivalent, the amount of damages and potential liability could be extensive and adversely impact our business.
Accordingly, were such a class certified or if we are unable to successfully defend such a suit, then TCPA or other state law damages could have a material adverse effect on our results of operations and financial condition.