NH 2021 Annual Report

The U.S. Office of Civil Rights may impose penalties on us if we do not fully comply with requirements of HIPAA. Penalties will vary significantly depending on factors such as whether we knew or should have known of the failure to comply, or whether our failure to comply was due to willful neglect. These penalties include civil monetary penalties of $100 to $50,000 per violation, up to an annual cap of $1,500,000 for identical violations. A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA may face a criminal penalty of up to $50,000 per violation and up to one-year imprisonment. The criminal penalties increase to $100,000 per violation and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 per violation and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain, or malicious harm. The U.S. Department of Justice is responsible for criminal prosecutions under HIPAA. Furthermore, in the event of a breach as defined by HIPAA, we have specific reporting requirements to the Office of Civil Rights under the HIPAA regulations as well as to affected individuals, and we may also have additional reporting requirements to other state and federal regulators, including the Federal Trade Commission, and/or to the media. Issuing such notifications can be costly, time and resource intensive, and can generate significant negative publicity. Breaches of HIPAA may also constitute contractual violations, and such contractual violations or any other contractual violations relating to a security breach or incident, could lead to claims, damages, legal proceedings, and contractual damages, other liability or terminations. 
In addition, the interpretation and application of consumer, healthcare privacy, data protection and cybersecurity laws in the United States, Europe and elsewhere are often uncertain, contradictory and in flux. It is possible that these laws may be interpreted and applied in a manner that is inconsistent with our practices. If so, this could result in claims, proceedings, damages, and liabilities, including government-imposed fines, and orders requiring that we change our practices, which could adversely affect our business. In addition, these laws and regulations vary between states, countries and other jurisdictions, and may vary based on whether services or operations are performed in the jurisdiction. Complying with these various laws and regulations could cause us to incur substantial costs or require us to change our business practices and compliance procedures in a manner adverse to our business.
We rely on Internet infrastructure, bandwidth providers, data center providers, other third parties and our own systems for providing services to our users, and any failure or interruption in the services provided by these third parties or our own systems could expose us to litigation and negatively impact our relationships with customers, adversely affecting our brand and our business.
Our ability to deliver our Internet-based services is dependent on the development and maintenance of the infrastructure of the Internet and other telecommunications services by third parties, including bandwidth and telecommunications equipment providers. This includes maintenance of a reliable network connection with the necessary speed, data capacity and security for providing reliable Internet access and services. We exercise limited control over these third-party providers.
As a result, our information systems require an ongoing commitment of significant resources to maintain and enhance existing systems and develop new systems in order to keep pace with continuing changes in IT, emerging cybersecurity risks and threats, evolving industry and regulatory standards and changing preferences of our customers. Our services are designed to operate without perceptible interruption in accordance with our service level commitments. We have, however, experienced limited interruptions in these services in the past, and we expect that we will in the future experience interruptions and delays in services and availability from time to time. We rely on internal systems as well as third-party vendors, including data center providers and bandwidth providers, to provide our services. We store, process and transport petabytes of data and the nature of our business requires us to scale our storage capacity. In the event we are unable to scale appropriately, we may lose customers or fail to realize the network effects of our system and our business may be impaired. We do not currently maintain redundant systems or facilities for some of these services. Our operations and facilities are vulnerable to interruption and/or damage from a number of sources, many of which are beyond our control, including, without limitation: power loss and telecommunications failures; fire, flood, hurricane, tornado and other natural disasters; software and hardware errors, failures or crashes; and cyber and ransomware attacks, computer viruses, hacking, break-ins, sabotage, intentional acts of vandalism and other similar disruptive problems.
The occurrence of any of these events could result in interruptions, delays or cessations in service to users of our services, which could impair or prohibit our ability to provide our services, reduce the attractiveness of our services to our customers and could have a material adverse impact on our business, results of operations or financial condition. If user access to our services is interrupted because of problems in our operations, we could be in breach of our agreements with customers and/or exposed to significant claims, particularly if the access interruption is associated with problems in the timely delivery of medical care. In the event of a catastrophic event with respect to one or more of these systems or facilities, we may experience an extended period of system unavailability, which could result in substantial cost to remedy such unavailability and negatively impact our relationship with our customers and our business. To operate without interruption, both we and our service providers must guard against:
• damage from fire, power loss and other natural disasters;
• communications failures;
• software and hardware errors, failures and crashes;
• security breaches, computer viruses and similar disruptive problems; and
• other potential interruptions.
