Centene Corporation: 10-K Risk Factor Changes

From time to time, we are a defendant in lawsuits and regulatory actions and are subject to investigations relating to our business, including, without limitation, medical malpractice claims; claims by members and providers alleging failure to timely and accurately pay for or provide healthcare; claims related to non-payment or insufficient payments for out-of-network services; claims related to provider directory accuracy, claims related to network adequacy; claims alleging bad faith; compliance with CMS Medicare and Marketplace regulations, including risk adjustment and broker compensation; claims related to the False Claims Act, the calculation of minimum MLR and rebates related thereto; claims related to privacy, intellectual property and vendor disputes; investigations regarding our submission of risk adjuster claims; putative securities class actions; protests and appeals related to Medicaid procurement awards; cybersecurity issues, including those related to our or our third-party vendors' information systems; employment-related disputes, including wage and hour claims; submissions to state agencies related to payments or state false claims acts, preauthorization penalties, timely review of grievance and appeals; and claims related to the imposition of new taxes, including but not limited to claims that may have retroactive application. Although we maintain some third-party insurance coverage, including excess liability insurance with third-party insurance carriers, certain liabilities or types of damages, such as punitive damages, may not be covered by insurance, insurers may dispute coverage or the amount of insurance may be insufficient to cover the entire damages awarded. In addition, regardless of the outcome of any litigation or regulatory proceedings, such proceedings are costly and time-consuming and require significant attention from our management and could therefore have a material adverse effect on our business and financial condition, results of operations or cash flows.

From time to time, we are a defendant in lawsuits and regulatory actions and are subject to investigations relating to our business, including, without limitation, medical malpractice claims; claims by members and providers alleging failure to timely and accurately pay for or provide healthcare; claims related to non-payment or insufficient payments for out-of-network services; claims related to network adequacy; claims alleging bad faith; compliance with CMS Medicare and Marketplace regulations, including risk adjustment and broker compensation; claims related to the False Claims Act, the calculation of minimum MLR and rebates related thereto, claims related to privacy, intellectual property and vendor disputes; investigations regarding our submission of risk adjuster claims; putative securities class actions; protests and appeals related to Medicaid procurement awards; cybersecurity issues, including those related to our or our third-party vendors' information systems; employment-related disputes, including wage and hour claims; submissions to state agencies related to payments or state false claims acts, preauthorization penalties, timely review of grievance and appeals; and claims related to the imposition of new taxes, including but not limited to claims that may have retroactive application. For example, several states have made claims related to services previously provided by Envolve, which historically provided PBM and specialty pharmacy services, including among other things, (i) claims seeking payment for services already reimbursed, (ii) claims alleging the failure to accurately disclose the true cost of the PBM services and (iii) claims alleging inflation of dispensing fees for prescription drugs. For additional information, see Note 17. Contingencies to the consolidated financial statements included in Part II of this Annual Report on Form 10-K. Additional claims, reviews or investigations may be brought by other states, the federal government or shareholder litigants, and there is no guarantee we will have the ability to settle such claims with other states within the reserve estimate we have recorded, on other acceptable terms, or at all. Although we maintain some third-party insurance coverage, including excess liability insurance with third-party insurance carriers, certain liabilities or types of damages, such as punitive damages, may not be covered by insurance, insurers may dispute coverage or the amount of insurance may be insufficient to cover the entire damages awarded. In addition, regardless of the outcome of any litigation or regulatory proceedings, such proceedings are costly and time-consuming and require significant attention from our management and could therefore have a material adverse effect on our business and financial condition, results of operations or cash flows. 31 31 31 Table of Contents Table of Contents

If we fail to design and maintain programs that are attractive to Medicare participants; if our Medicare operations are subject to negative outcomes from program audits, sanctions, penalties or other actions; if we do not submit adequate bids in our existing markets or any expansion markets; if our existing contracts are modified or terminated; or if we fail to maintain or improve our quality Star ratings, our current Medicare business and our ability to expand our Medicare operations could be materially and adversely affected, negatively impacting our results of operations and financial performance. As of December 2024, approximately 55% of our Medicare Advantage membership was associated with contracts rated 3.5 stars or better. Our quality improvement goal is to move 85% of our members into contracts with 3.5 stars or better for rating year 2026 (anticipated to be published in October 2025), which may not be achieved. Additionally, although we expect to have a higher percentage of D-SNP members than most of our competitors, we may be unsuccessful in advocating for adjustments in the Star score rating system or other risk adjustment criteria to reflect the socio-economic barriers to health for this population. Star ratings are subject to change annually by CMS, and despite our operational efforts to improve our Star ratings, there can be no assurances that we will be successful in maintaining or improving our Star ratings in future years, which could negatively impact our quality bonus and rebates. In addition, our Medicare Advantage and PDP contracts may be terminated by CMS if our Medicare Advantage contracts receive Star ratings of below 3.0 stars for three consecutive years. For example, two of our Medicare Advantage contracts received notice of termination for plan year 2025. The attractiveness of our Medicare Advantage plans may be reduced if we are unable to maintain or improve these ratings, if there are changes to the ratings system that make achieving and maintaining ratings of 3.0 stars or higher more difficult, or if our performance does not improve compared to our competitors. 19 19 19 Table of Contents Table of Contents CMS establishes annually different pricing components of the Medicare Advantage program that may not adequately reflect changes in the underlying health care costs, and which may reduce the profitability or desirability of various Medicare Advantage plans. For calendar year 2025, CMS again applied a negative rate adjustment for risk model revisions and fee for service normalization. As a result of the Medicare Advantage 2025 rates and our 2025 Medicare Advantage bid design and membership projections, we have established a premium deficiency reserve in connection with the 2025 Medicare Advantage business as of December 31, 2024. In addition, CMS' new risk model may not account for the full severity of several chronic conditions, which could also disproportionately affect the dual-eligible population which is more medically complex and faces additional socio-economic barriers to health compared to others. As a result of these changes and potential future changes to Medicare Advantage pricing components, we may not be able to design products that will be profitable, attractive or competitive for this population. In addition, CMS regulations will require beneficiaries dually enrolled in Medicare and in a Medicaid managed care plan to receive integrated care through the Medicaid company's Medicare Advantage D-SNPs beginning in 2030, with certain restrictions beginning in 2027, which may restrict our product offerings in some geographic service areas. However, some states have already moved or are planning to exclusively align dual-eligible enrollment under an aligned D-SNP before this timeframe. There are also specific additional risks under Title XVIII, Part D of the Social Security Act associated with our provision of Medicare Part D prescription drug benefits as part of our Medicare Advantage plan offerings. These risks include potential uncollectibility of receivables, inadequacy of pricing assumptions, inability to receive and process information and increased pharmaceutical costs, as well as the underlying seasonality of this business, and extended settlement periods for claims submissions. Our failure to comply with Part D program requirements can result in financial and/or operational sanctions on our Part D products, as well as on our Medicare Advantage products that offer no prescription drug coverage.

If we fail to design and maintain programs that are attractive to Medicare participants; if our Medicare operations are subject to negative outcomes from program audits, sanctions, penalties or other actions; if we do not submit adequate bids in our existing markets or any expansion markets; if our existing contracts are modified or terminated; or if we fail to maintain or improve our quality Star ratings, our current Medicare business and our ability to expand our Medicare operations could be materially and adversely affected, negatively impacting our results of operations and financial performance. As of October 2023, approximately 87% of membership was associated with contracts rated 3.0 stars or better. Our quality improvement goal is to move 85% of our members into contracts with 3.5 stars or better for rating year 2026 (anticipated to be published in October 2025), which may not be achieved. Additionally, although we expect to have a higher percentage of D-SNP members than most of our competitors, we may be unsuccessful in advocating for adjustments in the Star score rating system or other risk adjustment criteria to reflect the socio-economic barriers to health for this population. Despite our operational efforts to improve our Star ratings, there can be no assurances that we will be successful in maintaining or improving our Star ratings in future years. Our quality bonus and rebates may continue to be negatively impacted and our Medicare Advantage and PDP contracts may be terminated by CMS. For example, two of our Medicare Advantage contracts have received notice of termination for plan year 2025 and other Medicare Advantage contracts have received Star scores of below 3.0 stars for two consecutive years and accordingly could be terminated for plan year 2026 if their Star scores do not improve. The attractiveness of our Medicare Advantage plans may be reduced if we are unable to maintain or improve these ratings, or if there are changes to the ratings system that make achieving and maintaining ratings of 3.0 stars or higher more difficult. CMS establishes annually different pricing components of the Medicare Advantage program that may not adequately reflect changes in the underlying health care costs, and which may reduce the profitability or desirability of various Medicare Advantage plans. For calendar year 2024, CMS estimates that the risk model revisions together with the impact of normalization will reduce payments by 2.16%. As a result of these changes, and our 2024 Medicare Advantage bid design and membership projections, we have established a premium deficiency reserve in connection with the 2024 Medicare Advantage business as of December 31, 2023. In addition, CMS' new risk model may not account for the full severity of several chronic conditions, which could also disproportionately affect the dual eligible population who are more medically complex and face additional socio-economic barriers to health compared to others. As a result of these changes and potential future changes to Medicare Advantage pricing components, we may not be able to design products that will be profitable, attractive or competitive for this population. In addition, proposed CMS regulations may require beneficiaries dually enrolled in Medicare and Medicaid to receive integrated care through Medicare Advantage D-SNPs, which may restrict our product offerings in some geographic service areas. There are also specific additional risks under Title XVIII, Part D of the Social Security Act associated with our provision of Medicare Part D prescription drug benefits as part of our Medicare Advantage plan offerings. These risks include potential uncollectibility of receivables, inadequacy of pricing assumptions, inability to receive and process information and increased pharmaceutical costs, as well as the underlying seasonality of this business, and extended settlement periods for claims submissions. Our failure to comply with Part D program requirements can result in financial and/or operational sanctions on our Part D products, as well as on our Medicare Advantage products that offer no prescription drug coverage.

The market price of our common stock is generally subject to volatility, and there can be no assurances regarding the level or stability of our share price at any time. The market price of our common stock may decline as a result of previous or future acquisitions and divestitures if, among other things, we are unable to achieve the expected cost and revenue synergies or growth in earnings, the operational cost savings estimates are not realized as rapidly or to the extent anticipated, the transaction costs related to the acquisitions or divestitures are greater than expected or if any financing related to the transactions is on unfavorable terms. The market price of our common stock also may decline if we do not achieve the perceived benefits of such acquisitions and divestitures as rapidly or to the extent anticipated by financial or industry analysts or if the effect of the acquisitions and divestitures on our financial condition, results of operations or cash flows is not consistent with the expectations of financial or industry analysts. 35 35 35 Table of Contents Table of Contents

The market price of our common stock is generally subject to volatility, and there can be no assurances regarding the level or stability of our share price at any time. The market price of our common stock may decline as a result of previous or future acquisitions and divestitures if, among other things, we are unable to achieve the expected cost and revenue synergies or growth in earnings, the operational cost savings estimates are not realized as rapidly or to the extent anticipated, the transaction costs related to the acquisitions or divestitures are greater than expected or if any financing related to the transactions is on unfavorable terms. The market price of our common stock also may decline if we do not achieve the perceived benefits of such acquisitions and divestitures as rapidly or to the extent anticipated by financial or industry analysts or if the effect of the acquisitions and divestitures on our financial condition, results of operations or cash flows is not consistent with the expectations of financial or industry analysts. 34 34 34 Table of Contents Table of Contents

Data security risks have significantly increased in recent years in part because of the proliferation of new technologies, the use of the internet and telecommunications technologies to conduct our operations and the increased sophistication and activities of organized crime, hackers, terrorists and other external parties, including foreign states and state-supported actors. Data security risks also may derive from fraud or malice on the part of our team members or third-party vendors, or may result from human error, software bugs, server malfunctions, software or hardware failure or other technological failure. As these threats continually evolve, we may be required to devote substantial additional resources to modify or enhance our operational or security systems and networks and our cybersecurity program. Our operations rely on the secure transmission, storage and other processing of confidential, personal, proprietary, sensitive and other information in our computer systems and networks as well as third-party vendors with which we do business. Security breaches of such systems and networks may arise from external or internal threats. External breaches may result from, among other things, a threat actor hacking personal information for financial gain, attempting to fraudulently induce our employees into disclosing usernames, passwords or other sensitive information to obtain unauthorized access to our systems, attempting to cause harm or interruption to our operations or intending to obtain competitive information. Internal breaches may result from, among other things, inappropriate security access to confidential information by rogue team members, consultants or third-party vendors. In addition, the rapid evolution and increased adoption of artificial intelligence technologies may intensify these risks by making such security breaches more difficult to detect, contain or mitigate. Any security breach could result in the misappropriation, loss or other unauthorized access, disclosure or use of confidential member information, including personal information, financial data, competitively sensitive information or other proprietary data, whether by us or a third party, and could have a material adverse effect on our business reputation, financial condition, cash flows or results of operations. We maintain a system of prevention and detection controls through our security programs; however, our prevention and detection controls may not prevent or identify all such attacks on a timely basis, or at all. Despite our best attempts to maintain adherence to data privacy and security best practices, as well as compliance with applicable laws, regulations, rules, standards and contractual requirements, our facilities, systems and networks, and those of our third-party vendors, may be vulnerable to data privacy or security breaches, acts of vandalism or theft, malware, ransomware, social engineering attacks (including phishing attacks), denial-of-service attacks or other forms of cyber-attack, misplaced or lost data including paper or electronic media, programming and/or human errors or other similar events. We experience attempted external hacking or malicious attacks on a regular basis. In the past, we have experienced cyber-attacks and data breaches, and our third-party vendors have experienced cyber-attacks and security incidents, resulting in disclosure of confidential or protected health information that have not resulted in any material financial loss or penalty to date. For example, in 2024, Change Healthcare, Inc. experienced a cybersecurity incident that disrupted its ability to provide services, impacting payers, providers and pharmacies nationwide, including Centene and some of its subsidiaries. While this incident did not have a material impact on Centene, there can be no assurance that this incident and other privacy or security breaches will not require us to expend significant resources to remediate any damage, interrupt our operations and damage our business or reputation, subject us to state, federal, or international agency review, and result in enforcement actions, material fines and penalties, litigation or other actions which could have a material adverse effect on our business, reputation, results of operations, financial condition and cash flows. 26 26 26 Table of Contents Table of Contents While we generally perform data security due diligence on our key service providers, we do not control our service providers and our ability to monitor their data security practices is limited. Some of our third-party vendors may store or have access to our data and may not have effective controls, processes, or practices to protect our information from loss, unauthorized disclosure, unauthorized use or misappropriation, cyber-attacks or other data security incidents. For example, hardware, software, and other applications and updates procured from service providers may contain defects that have and may in the future unexpectedly restrict or prevent access to or interfere with the proper operation of our information systems and hardware. A vulnerability in our service providers' hardware, software or systems, a failure of our service providers' safeguards, policies or procedures, or a cyber-attack or other data security incident affecting any of these third-party vendors could harm our business. Additionally, we cannot be certain that our insurance coverage will be adequate for data security liabilities actually incurred, that insurance will continue to be available to us on economically reasonable terms, or at all, or that our insurer will not deny coverage as to any future claim.

Data security risks have significantly increased in recent years in part because of the proliferation of new technologies, the use of the internet and telecommunications technologies to conduct our operations and the increased sophistication and activities of organized crime, hackers, terrorists and other external parties, including foreign states and state-supported actors. Data security risks also may derive from fraud or malice on the part of our team members or third parties, or may result from human error, software bugs, server malfunctions, software or hardware failure or other technological failure. As these threats continually evolve, we may be required to devote substantial additional resources to modify or enhance our operational or security systems and networks and our cybersecurity program. Our operations rely on the secure transmission, storage and other processing of confidential, personal, proprietary, sensitive and other information in our computer systems and networks as well as those of third parties with which we do business. Security breaches of such systems and networks may arise from external or internal threats. External breaches may result from, among other things, a threat actor hacking personal information for financial gain, attempting to cause harm or interruption to our operations or intending to obtain competitive information. Internal breaches may result from, among other things, inappropriate security access to confidential information by rogue team members, consultants or third-party service providers. Any security breach could result in the misappropriation, loss or other unauthorized access, disclosure or use of confidential member information, including personal information, financial data, competitively sensitive information or other proprietary data, whether by us or a third party, and could have a material adverse effect on our business reputation, financial condition, cash flows or results of operations. We maintain a system of prevention and detection controls through our security programs; however, our prevention and detection controls may not prevent or identify all such attacks on a timely basis, or at all. Despite our best attempts to maintain adherence to data privacy and security best practices, as well as compliance with applicable laws, regulations, rules, standards and contractual requirements, our facilities, systems and networks, and those of our third-party service providers, may be vulnerable to data privacy or security breaches, acts of vandalism or theft, malware, ransomware, social engineering attacks (including phishing attacks), denial-of-service attacks or other forms of cyber-attack, misplaced or lost data including paper or electronic media, programming and/or human errors or other similar events. We experience attempted external hacking or malicious attacks on a regular basis. In the past, we have had data breaches resulting in disclosure of confidential or protected health information that have not resulted in any material financial loss or penalty to date. For example, in 2021, we learned that Accellion, a third-party data transfer provider with whom we contract, had a system vulnerability that resulted in unauthorized access to certain sensitive data of our customers, including protected health information, as well as unauthorized access to the data of several of Accellion's other clients. This incident led to putative class action lawsuits that were filed against us and our subsidiaries, Health Net, LLC, Health Net of California, Inc., HNL, Health Net Community Solutions, Inc., and California Health & Wellness, and Accellion on behalf of the affected customers. There can be no assurance that this incident and other privacy or security breaches will not require us to expend significant resources to remediate any damage, interrupt our operations and damage our business or reputation, subject us to state, federal, or international agency review, and result in enforcement actions, material fines and penalties, litigation or other actions which could have a material adverse effect on our business, reputation, results of operations, financial condition and cash flows. While we generally perform data security due diligence on our key service providers, we do not control our service providers and our ability to monitor their data security practices is limited. Some of our vendors may store or have access to our data and may not have effective controls, processes, or practices to protect our information from loss, unauthorized disclosure, unauthorized use or misappropriation, cyber-attacks or other data security incidents. A vulnerability in our service providers' software or systems, a failure of our service providers' safeguards, policies or procedures, or a cyber-attack or other data security incident affecting any of these third parties could harm our business. Additionally, we cannot be certain that our insurance coverage will be adequate for data security liabilities actually incurred, that insurance will continue to be available to us on economically reasonable terms, or at all, or that our insurer will not deny coverage as to any future claim. 26 26 26 Table of Contents Table of Contents

The enactment of the ACA in March 2010 transformed the U.S. healthcare delivery system through a series of complex initiatives; however, the ACA has faced, and continues to face, administrative, judicial and legislative challenges to repeal or change certain of its significant provisions. Changes to portions or the entirety of the ACA or significant changes to the other government-sponsored healthcare programs in which we participate, as well as judicial interpretations in response to constitutional and other legal challenges, as well as the uncertainty generated by such actual or potential challenges, could materially and adversely affect our business and financial condition, results of operations or cash flows. The ultimate content, timing or effect of any potential future legislation or litigation and the outcome of other lawsuits cannot be predicted. 29 29 29 Table of Contents Table of Contents Among the most significant of the ACA's provisions was the establishment of the Health Insurance Marketplace for individuals and small employers to purchase health insurance coverage that included a minimum level of benefits and restrictions on coverage limitations and premium rates, as well as the expansion of Medicaid coverage to all individuals under age 65 with incomes up to 138% of the federal poverty level beginning January 1, 2014, subject to each state's election. The HHS additionally indicated that it would consider a limited number of premium assistance demonstration proposals from states that want to privatize Medicaid expansion. Several states in which we operate have obtained Section 1115 waivers to implement the ACA's Medicaid expansion in ways that extend beyond the flexibility provided by the federal law, with additional states pursuing Section 1115 waivers regarding eligibility criteria, benefits, and cost-sharing, and provider payments across their Medicaid programs. Litigation challenging Section 1115 waiver activity for both new and previously approved waivers is expected to continue both through administrative actions and the courts. Additionally, the U.S. Department of Labor issued a final rule on June 19, 2018, which expanded flexibility regarding the regulation and formation of association health plans (AHPs) provided by small employer groups and associations. On June 13, 2019, the HHS, the U.S. Department of Labor and the U.S. Treasury issued a final rule allowing employers of all sizes that do not offer a group coverage plan to fund a new kind of health reimbursement arrangement (HRA), known as an individual coverage HRA (ICHRA). Beginning January 1, 2020, employees became able to use employer-funded ICHRAs to buy individual-market insurance, including insurance purchased on the public exchanges formed under the ACA. It remains uncertain whether or when the current or future administrations will propose changes to these insurance plan options that are not required to meet ACA requirements, and what the impact of such potential changes may be. These changes and other potential changes involving the functioning of the Health Insurance Marketplace as a result of additional new state and federal legislation, regulation, executive action or litigation, including those related to extending enrollment periods, increasing eligibility in the program design, changing the eligibility and amount of the advanced premium tax credit, additional payment integrity initiatives that have the effect of reducing membership and expanding navigator services the timing of those changes and our ability to respond to any changes in compliance with our state and federal timing requirements, could impact our business and results of operations adversely or in other ways that we do not currently anticipate.

The enactment of the ACA in March 2010 transformed the U.S. healthcare delivery system through a series of complex initiatives; however, the ACA has faced, and continues to face, administrative, judicial and legislative challenges to repeal or change certain of its significant provisions. Changes to portions or the entirety of the ACA, as well as judicial interpretations in response to constitutional and other legal challenges, as well as the uncertainty generated by such actual or potential challenges, could materially and adversely affect our business and financial condition, results of operations or cash flows. The ultimate content, timing or effect of any potential future legislation or litigation and the outcome of other lawsuits cannot be predicted. Among the most significant of the ACA's provisions was the establishment of the Health Insurance Marketplace for individuals and small employers to purchase health insurance coverage that included a minimum level of benefits and restrictions on coverage limitations and premium rates, as well as the expansion of Medicaid coverage to all individuals under age 65 with incomes up to 138% of the federal poverty level beginning January 1, 2014, subject to each state's election. The HHS additionally indicated that it would consider a limited number of premium assistance demonstration proposals from states that want to privatize Medicaid expansion. Several states in which we operate have obtained Section 1115 waivers to implement the ACA's Medicaid expansion in ways that extend beyond the flexibility provided by the federal law, with additional states pursuing Section 1115 waivers regarding eligibility criteria, benefits, and cost-sharing, and provider payments across their Medicaid programs. Litigation challenging Section 1115 waiver activity for both new and previously approved waivers is expected to continue both through administrative actions and the courts. The enhanced eligibility for the advance premium tax credit for Marketplace members that was extended by the Inflation Reduction Act expires December 31, 2025. If this credit is not renewed or extended, or if eligibility for this credit is limited, it could materially adversely impact our Marketplace membership. Additionally, the U.S. Department of Labor issued a final rule on June 19, 2018, which expanded flexibility regarding the regulation and formation of association health plans (AHPs) provided by small employer groups and associations. On June 13, 2019, the HHS, the U.S. Department of Labor and the U.S. Treasury issued a final rule allowing employers of all sizes that do not offer a group coverage plan to fund a new kind of health reimbursement arrangement (HRA), known as an individual coverage HRA (ICHRA). Beginning January 1, 2020, employees became able to use employer-funded ICHRAs to buy individual-market insurance, including insurance purchased on the public exchanges formed under the ACA. It remains uncertain whether or when the current or future administrations will propose changes to restrict these insurance plan options that are not required to meet ACA requirements, and what the impact of such potential changes may be. These changes and other potential changes involving the functioning of the Health Insurance Marketplace as a result of additional new state and federal legislation, regulation, executive action or litigation, including those related to extending enrollment periods, increasing eligibility in the program design, changing the eligibility and amount of the advanced premium tax credit and expanding navigator services, could impact our business and results of operations adversely or in other ways that we do not currently anticipate.

As part of our normal operations, we and our third-party vendors collect, retain and otherwise process confidential member information, including personal information. We and our third-party vendors are subject to various federal, state and international laws, regulations, rules, standards and contractual requirements regarding the use, disclosure and other processing of confidential member information (including personal information), including HIPAA, the HITECH Act, the Gramm-Leach-Bliley Act, which require us to protect the privacy of medical records and safeguard personal health information we maintain, use and otherwise process. Additionally, legislative and regulatory action at the federal, state and local levels is emerging in the areas of artificial intelligence and automation. These laws, rules and contractual requirements are subject to change and the regulatory environment surrounding data privacy and security laws is increasingly demanding. Compliance with existing or new data privacy and security laws, regulations and requirements may result in increased operating costs, and may constrain or require us to alter our business model or operations. In some cases, such laws, rules, regulations and contractual requirements also apply to our third-party vendors and require us to obtain written assurances of their compliance with such requirements. Certain of our businesses are also subject to the Payment Card Industry Data Security Standard, which is a multifaceted security standard that is designed to protect credit card account data as mandated by payment card industry entities. 32 32 32 Table of Contents Table of Contents From time to time, Congress also has considered, and may currently be considering, various proposals for other data privacy and security laws to which we may become subject if passed. We expect there will continue to be new proposed laws, regulations and industry standards concerning privacy, data protection, information security, and artificial intelligence and automation in the U.S. and other jurisdictions, and we cannot yet determine the impacts such future laws, regulations and standards may have on our businesses or the businesses of our customers. At the U.S. state level, we may be subject to laws and regulations such as the California Consumer Privacy Act (as amended by the California Privacy Rights Act, collectively, the CCPA), which broadly defines personal information and gives California residents expanded privacy rights and protections, such as affording them the right to access and request deletion of their information and to opt out of certain sharing and sales of personal information. Numerous other states also have enacted, or are in the process of enacting or considering, comprehensive state-level data privacy and security laws and regulations that share similarities with the CCPA. Moreover, laws in all 50 U.S. states require businesses to provide notice under certain circumstances to consumers whose personal information has been disclosed as a result of a data breach. Further, while we strive to publish and prominently display privacy policies that are accurate, comprehensive, and compliant with applicable laws, regulations, rules and industry standards, we cannot ensure that our privacy policies and other statements regarding our practices will be sufficient to protect us from claims, proceedings, liability or adverse publicity relating to data privacy and security. Although we endeavor to comply with our privacy policies and to obtain written assurances of our third-party vendors' compliance, we may at times fail to do so or be alleged to have failed to do so. The publication of our privacy policies and other documentation that provide promises and assurances about data privacy and security can subject us to potential government or legal action if they are found to be deceptive, unfair, or misrepresentative of our actual practices. Any concerns about our data privacy and security practices, even if unfounded, could damage our reputation and adversely affect our business. We increasingly rely on new and evolving technologies, including those powered by or incorporating artificial intelligence, as part of our internal operations and in the delivery of our products and services. These new technologies could present ethical, technological, legal, regulatory and other risks. We are required by certain regulators to develop and implement policies and procedures to promote and sustain the responsible design, development, and use of artificial intelligence. Any inadequacy or failure in designing, implementing or complying with such policies and procedures, or failure in complying with emerging laws, regulations and standards governing artificial intelligence, could adversely affect our operations that use or rely on artificial intelligence, or could materially and adversely affect our business, reputation, results of operations, financial position and cash flows. Any failure or perceived failure by us to comply with our privacy policies, or applicable data privacy and security laws, regulations, rules, standards or contractual obligations, or any compromise of security that results in unauthorized access to, or unauthorized loss, destruction, use, modification, acquisition, disclosure, release or transfer of personal information, may result in requirements to modify or cease certain operations or practices, the expenditure of substantial costs, time and other resources, proceedings or actions against us, legal liability, governmental investigations, enforcement actions, claims, fines, judgments, awards, penalties, sanctions and costly litigation (including class actions). Any of the foregoing could harm our reputation, distract our management and technical personnel, increase our costs of doing business, adversely affect the demand for our products and services, and ultimately result in the imposition of liability, any of which could have a material adverse effect on our business, financial condition and results of operations. 33 33 33 Table of Contents Table of Contents

As part of our normal operations, we and our third party vendors collect, retain and otherwise process confidential member information, including personal information. We and our third party vendors are subject to various federal, state and international laws, regulations, rules, standards and contractual requirements regarding the use, disclosure and other processing of confidential member information (including personal information), including HIPAA, the HITECH Act, the Gramm-Leach-Bliley Act, the GDPR and its equivalent in the United Kingdom (U.K. GDPR), which require us to protect the privacy of medical records and safeguard personal health information we maintain, use and otherwise process. These laws, rules and contractual requirements are subject to change and the regulatory environment surrounding data privacy and security laws is increasingly demanding. Compliance with existing or new data privacy and security laws, regulations and requirements may result in increased operating costs, and may constrain or require us to alter our business model or operations. In some cases, such laws, rules, regulations and contractual requirements also apply to our third-party providers and require us to obtain written assurances of their compliance with such requirements. Certain of our businesses are also subject to the Payment Card Industry Data Security Standard, which is a multifaceted security standard that is designed to protect credit card account data as mandated by payment card industry entities. From time to time, Congress also has considered, and may currently be considering, various proposals for other data privacy and security laws to which we may become subject if passed. At the U.S. state level, we may be subject to laws and regulations such as the California Consumer Privacy Act (as amended by the California Privacy Rights Act, collectively, the CCPA), which broadly defines personal information and gives California residents expanded privacy rights and protections, such as affording them the right to access and request deletion of their information and to opt out of certain sharing and sales of personal information. Numerous other states also have enacted, or are in the process of enacting or considering, comprehensive state-level data privacy and security laws and regulations that share similarities with the CCPA. Moreover, laws in all 50 U.S. states require businesses to provide notice under certain circumstances to consumers whose personal information has been disclosed as a result of a data breach. We are subject to the data privacy laws of non-U.S. jurisdictions, such as the GDPR and U.K. GDPR, which impose stringent operational requirements on both data controllers and data processors and introduces significant penalties for non-compliance. While the GDPR and the U.K. GDPR remain substantially similar for the time being, the U.K. government has announced that it would seek to chart its own path on data protection and reform its relevant laws, including in ways that may differ from the GDPR. Legal developments in the European Economic Area (EEA) and the U.K. also have created complexity and uncertainty regarding processing and transfers of personal data from the EEA and the U.K. to the United States and other so-called third countries outside the EEA and the U.K. that have not been determined by the relevant data protection authorities to provide an adequate level of protection for privacy rights. Further, while we strive to publish and prominently display privacy policies that are accurate, comprehensive, and compliant with applicable laws, regulations, rules and industry standards, we cannot ensure that our privacy policies and other statements regarding our practices will be sufficient to protect us from claims, proceedings, liability or adverse publicity relating to data privacy and security. Although we endeavor to comply with our privacy policies and to obtain written assurances of our third party providers' compliance, we may at times fail to do so or be alleged to have failed to do so. The publication of our privacy policies and other documentation that provide promises and assurances about data privacy and security can subject us to potential government or legal action if they are found to be deceptive, unfair, or misrepresentative of our actual practices. Any concerns about our data privacy and security practices, even if unfounded, could damage our reputation and adversely affect our business. Any failure or perceived failure by us to comply with our privacy policies, or applicable data privacy and security laws, regulations, rules, standards or contractual obligations, or any compromise of security that results in unauthorized access to, or unauthorized loss, destruction, use, modification, acquisition, disclosure, release or transfer of personal information, may result in requirements to modify or cease certain operations or practices, the expenditure of substantial costs, time and other resources, proceedings or actions against us, legal liability, governmental investigations, enforcement actions, claims, fines, judgments, awards, penalties, sanctions and costly litigation (including class actions). Any of the foregoing could harm our reputation, distract our management and technical personnel, increase our costs of doing business, adversely affect the demand for our products and services, and ultimately result in the imposition of liability, any of which could have a material adverse effect on our business, financial condition and results of operations. 32 32 32 Table of Contents Table of Contents

A significant portion of our PDP membership is obtained from the auto-assignment of beneficiaries in CMS-designated regions where our PDP premium bids are below benchmarks of other plans' bids. In general, our premium bids are based on assumptions regarding PDP membership, utilization, drug costs, drug rebates and other factors for each region. Our 2025 PDP bids resulted in 33 of the 34 CMS regions for which we were below the benchmarks and one region for which we were above the benchmark. As of January 1, 2025, we experienced an increase to over 7.5 million PDP members compared to 6.9 million in December 2024, due to our 2025 bid positioning. If our future Part D premium bids are not below the CMS benchmarks, we risk losing PDP members who were previously assigned to us and we may not have additional PDP members auto-assigned to us, which could materially reduce our revenue. 21 21 21 Table of Contents Table of Contents The IRA is expected to substantially increase PDP's risk exposure in 2025. Under the IRA, PDP plan costs will increase significantly due to a reduction in members cost share (close of coverage gap, and the $2,000 cap on member out-of-pocket expenses) and a decrease in federal reinsurance (from 80% to 20%, while a greater portion of the plan drug costs will fall into the catastrophic phase). In the meantime, Part D risk sharing program thresholds would be applied to the increased Part D plan costs, so the plan cost at risk will be much greater before any risk sharing kicks in. These changes may lead to heightened underwriting risks and increased market volatility and uncertainty for 2025 bids, which could materially reduce our revenue and profit. The IRA also offers Part D enrollees the option to defer payment of out-of-pocket prescription drug costs across monthly payments throughout the benefit year instead of to the pharmacy at the point of sale under the Medicare Prescription Payment Plan (M3P). This change may lead to increased bad debt exposure along with potential challenges with collecting deductibles and other cost-sharing amounts from beneficiaries. The change may also lead to estimation uncertainty as we develop our experience with the M3P. Due to the uncertainty of the new Part D pricing structure, Centene has elected into the Part D Premium Stabilization Demonstration program, which subsidizes member premiums and provides additional protection through the risk corridor in the event of unforeseen losses, but such election may not be sufficient to offset the uncertainty or risks relating to our experience with M3P as well as the increased risk exposure.

A significant portion of our PDP membership is obtained from the auto-assignment of beneficiaries in CMS-designated regions where our PDP premium bids are below benchmarks of other plans' bids. In general, our premium bids are based on assumptions regarding PDP membership, utilization, drug costs, drug rebates and other factors for each region. Our 2024 PDP bids resulted in 30 of the 34 CMS regions in which we were below the benchmarks and 4 regions in which we were within the de minimis range, largely consistent with our 2023 PDP bids. As of January 1, 2024, we experienced an increase of 1.7 million PDP members compared to December 2023, due to our 2024 bid positioning. If our future Part D premium bids are not below the CMS benchmarks, we risk losing PDP members who were previously assigned to us and we may not have additional PDP members auto-assigned to us, which could materially reduce our revenue. 21 21 21 Table of Contents Table of Contents The Inflation Reduction Act (IRA) is expected to substantially increase PDP's risk exposure in 2025. Under IRA, PDP plan costs will increase significantly due to a reduction in members cost share (close of coverage gap, and the $2,000 cap on member out of pocket expenses) and a decrease in federal reinsurance (from 80% to 20%, while a greater portion of the plan drug costs will fall into the catastrophic phase). In the meantime, Part D risk sharing program thresholds would be applied to the increased Part D plan costs, so the plan cost at risk will be much greater before any risk sharing kicks in. These changes may lead to heightened underwriting risks and increased market volatility and uncertainty for 2025 bids, which could materially reduce our revenue and profit.

Our business is extensively regulated by the states in which we operate and by the federal government. Changes in political party, or administrations at the state or federal level may change the attitude or public commentary towards healthcare programs and result in changes to the existing legislative or regulatory environment, changes in the application of existing laws and regulations, or changes to funding available for healthcare programs. In each of the jurisdictions in which we operate, we are regulated by the relevant insurance, health, and/or human services or government departments that oversee the activities of MCOs providing or arranging to provide services to Medicaid, Medicare, Health Insurance Marketplace enrollees or other beneficiaries. 30 30 30 Table of Contents Table of Contents The frequent enactment of, changes to, or interpretations of laws and regulations could, among other things: force us to restructure our relationships with providers within our network; require us to implement additional or different programs and systems; restrict revenue and enrollment growth; increase our healthcare and administrative costs; impose additional capital and surplus requirements; modify how we contract, pay and interact with brokers, enact additional payment integrity initiatives that have the effect of reducing membership and increase or change our liability to members in the event of malpractice by our contracted providers. In 2023, HHS finalized transparency requirements for artificial intelligence and other predictive algorithms used in certified health information technology, such as decision support interventions. Changes to laws and regulations regarding how we may use artificial intelligence could make it harder for us to conduct our business using artificial intelligence; require us to retrain our artificial intelligence; or prevent or limit our use of artificial intelligence. Our use of artificial intelligence technologies could also result in additional compliance costs; regulatory investigations, actions, fines or penalties; and consumer or other lawsuits. To the extent that we rely on or use the output of artificial intelligence, any inaccuracies, biases or errors could have unfavorable impacts on us, our business and our results of operations or financial condition. Additionally, the taxes and fees paid to federal, state, local and international governments may increase due to several factors, including: enactment of, changes to or interpretations of tax laws and regulations, audits by government authorities, geographic expansions into higher taxing jurisdictions and the effect of expansions into international markets. We are often required to maintain a minimum medical loss ratio (MLR) or share profits in excess of certain levels, which may be retroactive. In certain circumstances, our plans have returned premiums back to the states, enrollees or other beneficiaries in the event profits exceed established levels or MLR does not meet the minimum requirement. The amount of premium returned may include transparent pharmacy pricing and rebate initiatives. Other states may require us to meet certain performance and quality metrics in order to maintain our contracts or receive additional or full contractual revenue. In addition, our health plan subsidiaries must comply with minimum statutory capital and other financial solvency requirements, such as deposit and surplus requirements. The governmental healthcare programs in which we participate are subject to the satisfaction of certain regulations and performance standards. Regulators require numerous steps for continued implementation of the ACA, including the promulgation of a substantial number of potentially more onerous federal regulations. If we fail to effectively or timely implement or appropriately adjust our operational and strategic initiatives with respect to the implementation of healthcare reform, or do not do so as effectively as our competitors, our results of operations may be materially adversely affected. For example, CMS regulations will require beneficiaries dually enrolled in Medicare and in a Medicaid managed care plan to receive integrated care through the Medicaid company's Medicare Advantage D-SNPs beginning in 2030, with certain restrictions beginning in 2027, which may restrict our product offerings in some geographic service areas. However, some states have already moved or are planning to exclusively align dual-eligible enrollment under an aligned D-SNP before this timeframe. Our inability to improve or maintain adequate quality scores and Star ratings to meet government performance requirements or to match the performance of our competitors could result in limitations to our participation in or exclusion from these or other government programs. Specifically, several of our Medicaid contracts require us to maintain a Medicare health plan. In April 2016, CMS issued final regulations that revised existing Medicaid managed care rules by establishing a minimum MLR standard for Medicaid of 85% and strengthening provisions related to network adequacy and access to care, enrollment and disenrollment protections, beneficiary support information, continued service during beneficiary appeals, and delivery system and payment reform initiatives, among others. In May 2024, CMS issued further revisions to the Medicaid managed care regulations which become effective between July 2024 and July 2027. The 2024 Final Rule focused on changes in areas including access to care, delivery system and payment reform initiatives, MLR standards and quality oversight. Although we strive to comply with all existing regulations and to meet performance standards applicable to our business, failure to meet these requirements could result in financial fines and penalties. Also, states or other governmental entities may carve out certain services and benefits from the government programs in which we participate, or they may not allow us to continue to participate in their government programs or we may fail to win procurements to participate in such programs, any of which could materially and adversely affect our results of operations, financial condition and cash flows. 31 31 31 Table of Contents Table of Contents

Our business is extensively regulated by the states in which we operate and by the federal government. In addition, the managed care industry has received negative publicity that has led to increased legislation, regulation, review of industry practices and private litigation in the commercial sector. Such negative publicity may adversely affect our stock price and damage our reputation in various markets. In each of the jurisdictions in which we operate, we are regulated by the relevant insurance, health, and/or human services or government departments that oversee the activities of MCOs providing or arranging to provide services to Medicaid, Medicare, Health Insurance Marketplace enrollees or other beneficiaries. For example, our health plan subsidiaries must comply with minimum statutory capital and other financial solvency requirements, such as deposit and surplus requirements. 29 29 29 Table of Contents Table of Contents The frequent enactment of, changes to, or interpretations of laws and regulations could, among other things: force us to restructure our relationships with providers within our network; require us to implement additional or different programs and systems; restrict revenue and enrollment growth; increase our healthcare and administrative costs; impose additional capital and surplus requirements; modify how we contract, pay and interact with brokers, and increase or change our liability to members in the event of malpractice by our contracted providers. In addition, changes in political party, or administrations at the state or federal level in the United States or internationally may change the attitude towards healthcare programs and result in changes to the existing legislative or regulatory environment. Additionally, the taxes and fees paid to federal, state, local and international governments may increase due to several factors, including: enactment of, changes to or interpretations of tax laws and regulations, audits by governmental authorities, geographic expansions into higher taxing jurisdictions and the effect of expansions into international markets. We are often required to maintain a minimum HBR or share profits in excess of certain levels, which may be retroactive. In certain circumstances, our plans have returned premiums back to the states, enrollees or other beneficiaries in the event profits exceed established levels or HBR does not meet the minimum requirement. The amount of premium returned may include transparent pharmacy pricing and rebate initiatives. Other states may require us to meet certain performance and quality metrics in order to maintain our contracts or receive additional or full contractual revenue. The governmental healthcare programs in which we participate are subject to the satisfaction of certain regulations and performance standards. Regulators require numerous steps for continued implementation of the ACA, including the promulgation of a substantial number of potentially more onerous federal regulations. If we fail to effectively implement or appropriately adjust our operational and strategic initiatives with respect to the implementation of healthcare reform, or do not do so as effectively as our competitors, our results of operations may be materially adversely affected. For example, under the ACA, Congress authorized CMS and the states to implement managed care demonstration programs to serve dually eligible beneficiaries to improve the coordination of their care. Participation in these demonstration programs is subject to CMS approval and the satisfaction of conditions to participation, including meeting certain performance requirements. Our inability to improve or maintain adequate quality scores and Star ratings to meet government performance requirements or to match the performance of our competitors could result in limitations to our participation in or exclusion from these or other government programs. Specifically, several of our Medicaid contracts require us to maintain a Medicare health plan. In April 2016, CMS issued final regulations that revised existing Medicaid managed care rules by establishing a minimum medical loss ratio standard for Medicaid of 85% and strengthening provisions related to network adequacy and access to care, enrollment and disenrollment protections, beneficiary support information, continued service during beneficiary appeals, and delivery system and payment reform initiatives, among others. On November 13, 2020, CMS finalized revisions to the Medicaid managed care regulations, many of which became effective in December 2020. While not a wholesale revision of the 2016 regulations, the November 2020 final rule adopted changes in areas including network adequacy, beneficiary protections, quality oversight and the establishment of capitation rates and payment policies. Although we strive to comply with all existing regulations and to meet performance standards applicable to our business, failure to meet these requirements could result in financial fines and penalties. Also, states or other governmental entities may carve out certain services and benefits from the government programs in which we participate, or they may not allow us to continue to participate in their government programs or we may fail to win procurements to participate in such programs, any of which could materially and adversely affect our results of operations, financial condition and cash flows. In addition, as a result of the expansion of our businesses and operations conducted in foreign countries, we face political, economic, legal, compliance, regulatory, operational and other risks and exposures that are unique and vary by jurisdiction. These foreign regulatory requirements with respect to, among other items, environmental, tax, licensing, intellectual property, privacy, data protection, investment, capital, management control, labor relations, and fraud and corruption regulations are different than those faced by our domestic businesses. In addition, we are subject to U.S. laws that regulate the conduct and activities of U.S.-based businesses operating abroad, such as the FCPA, and as well as anti-bribery and anti-corruption laws in other jurisdictions (such as the U.K. Bribery Act). Any failure to comply with laws and regulations governing our conduct outside the United States or to successfully navigate international regulatory regimes that apply to us could subject us to civil and criminal penalties and could adversely affect our ability to market our products and services, which may have a material adverse effect on our business, financial condition, and results of operations. 30 30 30 Table of Contents Table of Contents

We provide services and support to manage our members' pharmacy benefits. These services are subject to extensive federal, state and local laws and regulations. In addition, federal and state legislatures and regulators regularly consider new regulations for the industry that could materially and adversely affect current industry practices, including ownership of pharmacies by insurance companies, the receipt or disclosure of rebates from pharmaceutical companies, the development and use of formularies and the use of average wholesale prices. Our specialty pharmacy business would be materially and adversely affected by an inability to contract on favorable terms with pharmaceutical manufacturers and other suppliers, though we use a network of specialty pharmacies beyond AcariaHealth. Disruptions at any of our specialty pharmacies due to an event that is beyond our control could affect our ability to process and dispense prescriptions in a timely manner and could materially and adversely affect our results of operations, financial condition and cash flows. Contracts in the prescription drug industry generally use pricing metrics published by third parties as benchmarks to establish pricing for prescription drugs. If these benchmarks are no longer published by third parties, or we, or our contractual partners, adopt other pricing benchmarks for establishing prices within the industry, or legislation or regulation requires the use of other pricing benchmarks, or future changes in drug prices substantially deviate from our expectations, the short- or long-term impacts may have a material adverse effect on our business and results of operations.

We historically provided PBM services and continue to provide certain pharmacy benefits administration and specialty pharmacy services. We have transitioned substantially all of our PBM business to a third party as of January 1, 2023. These businesses are subject to federal and state laws and regulations that, among other requirements, govern the relationships of the business with pharmaceutical manufacturers, physicians, pharmacies, customers, and consumers. For example, several states have made claims related to PBM services including among other things, (i) claims seeking payment for services already reimbursed, (ii) claims alleging the failure to accurately disclose the true cost of the PBM services, and (iii) claims alleging inflation of dispensing fees for prescription drugs. For additional information, see Note 17. Contingencies to the consolidated financial statements included in Part II of this Annual Report on Form 10-K. Additional claims, reviews, or investigations may still be brought by other states, the federal government, or shareholder litigants. Our specialty pharmacy business is subject to extensive federal, state and local laws and regulations. In addition, federal and state legislatures and regulators regularly consider new regulations for the industry that could materially and adversely affect current industry practices, including the receipt or disclosure of rebates from pharmaceutical companies, the development and use of formularies and the use of average wholesale prices. Our specialty pharmacy business would be materially and adversely affected by an inability to contract on favorable terms with pharmaceutical manufacturers and other suppliers, though we use a network of specialty pharmacies beyond AcariaHealth. Disruptions at any of our specialty pharmacies due to an event that is beyond our control could affect our ability to process and dispense prescriptions in a timely manner and could materially and adversely affect our results of operations, financial condition and cash flows. Contracts in the prescription drug industry generally use pricing metrics published by third parties as benchmarks to establish pricing for prescription drugs. If these benchmarks are no longer published by third parties, or we, or our contractual partners, adopt other pricing benchmarks for establishing prices within the industry, or legislation or regulation requires the use of other pricing benchmarks, or future changes in drug prices substantially deviate from our expectations, the short- or long-term impacts may have a material adverse effect on our business and results of operations.