In addition, a significant number of our customer agreements allow our customers to terminate such agreements for convenience at certain times, typically with one to three months advance notice. Any cancellations of such agreements would have a negative result on our business and results of operations. If any new applications and services we may develop or acquire in the future are not adopted by our customers, or if we fail to continue to innovate and develop or acquire new applications and services that are adopted by customers, then our revenue and operating results will be adversely affected. In addition to past investments made in NantHealth solutions, and component systems infrastructure and platforms, we have invested, and will continue to invest, significant resources in research and development and in acquisitions to enhance our existing offerings and introduce new high-quality applications and services. If existing customers are not willing to make additional payments for such new applications or services, or if new customers do not value such new applications or services, our business and operating results will be harmed. If we are unable to predict user preferences or our industry changes, or if we are unable to modify our offering and services on a timely basis, we might lose customers. Our operating results would also suffer if our innovations and acquisitions are not responsive to the needs of our customers, are not appropriately timed with market opportunity or are not effectively brought to market. Security breaches and incidents, loss of data and other disruptions could compromise sensitive information related to our business and/or protected health information or prevent us from accessing critical information and expose us to liability, which could adversely affect our business and our reputation. In the ordinary course of our business, we and our customers, consultants, contractors and business associates collect and store petabytes of sensitive data, including legally protected health information, personally identifiable information, intellectual property and proprietary business information owned or controlled by ourselves or our customers, payers, providers and partners. We manage and maintain our applications and data by utilizing a combination of on-site systems, managed data center systems, and cloud-based data center systems. These applications and data encompass a wide variety of business-critical information, including research and development information, commercial information and business and financial information. We face four primary risks relative to protecting this critical information, including loss of access risk, inappropriate disclosure risk, inappropriate modification risk and the risk of being unable to adequately monitor our controls over the first three risks. The secure processing, storage, maintenance and transmission of this critical information is vital to our operations and business strategy, and we devote significant resources to protecting such information. Although we take measures to protect sensitive information from unauthorized access or disclosure, our information technology and infrastructure, and that of our thirdparty billing and collections provider and other third parties that maintain or otherwise process such information for us, may be vulnerable to attacks by hackers or viruses or breached or otherwise subject to security incidents due to employee error, malfeasance or other events. Any such breach or incident could result in a disruption or interruption to, or compromise, our networks and systems or those of our third-party service providers or partners, and the information stored or otherwise processed there could be publicly disclosed, accessed, rendered unavailable, used, modified, disclosed or otherwise processed without authorization, lost or stolen. Any such event, or the perception that any such event has occurred, could result in legal claims or proceedings (including regulatory investigations and enforcement actions), liability under laws that protect the privacy of personal information, such as the Health Insurance Portability and Accountability Act (“HIPAA”) and regulatory penalties. Although we have implemented security measures and a formal, dedicated enterprise security program in an effort to prevent unauthorized access to patient data, there is no guarantee we can continue to protect our online portal or will be able to protect our mobile applications from breach. Unauthorized access to, or unavailability, loss or dissemination of data, or unauthorized access to, interruptions or other disruptions to systems, whether maintained by us or by third parties performing services for us, could also disrupt our operations, including our ability to conduct our analyses, bill payers, providers or patients, process claims and appeals, provide customer assistance services, conduct research and development activities, collect, process and prepare company financial information, provide information about our products and other patient and physician education and outreach efforts through our website, manage the administrative aspects of our business and damage our reputation, any of which could adversely affect our business. Additionally, ransomware attacks, including these from organized criminal threat actors, nation-states and nation-state supported actors, are becoming increasingly prevalent and severe and can lead to significant interruptions, delays, or outages in our operations, disruptions in our services, loss or unavailability of data, loss of income, significant extra expense to restore data or systems, reputational loss and the diversion of funds. To alleviate the financial, operational and reputational impact of a ransomware attack, it may be preferable to make extortion payments, but we may be unwilling or unable to do so (including, for example, if applicable laws or regulations prohibit such payments). - 32 -
RkJQdWJsaXNoZXIy NTIzOTM0