Molina Healthcare Inc.: 10-K Risk Factor Changes

The success of our business and the ability to execute our strategy are highly dependent on the leadership of Mr. Zubretsky, our chief executive officer, and that of our other key executive officers and employees. The loss of their leadership, expertise, and experience could negatively impact our operations. In addition, recently the threat environment for senior health care executives has worsened considerably, and the need for appropriate security to combat such threats could distract or disrupt senior management from performing their job responsibilities. Our ability to replace our leaders or any other key employee may be difficult and may take an extended period of time because of the limited number of individuals in the healthcare industry who have the breadth and depth of skills and experience necessary to operate and lead a business such as ours. Competition to hire from this limited pool is intense, and we may be unable to hire, train, retain, or motivate these personnel. Adverse changes to our corporate culture or industry perception could harm our business operations and our ability to retain key executive officers and employees. If we are unsuccessful in recruiting, retaining, managing, protecting, and motivating such personnel, our business, financial condition, cash flows, or results of operations could be adversely affected.

The success of our business and the ability to execute our strategy are highly dependent on the efforts of Mr. Zubretsky, our chief executive officer, and our other key executive officers and employees. The loss of their leadership, expertise, and experience could negatively impact our operations. Our ability to replace them or any other key employee may be difficult and may take an extended period of time because of the limited number of individuals in the healthcare industry who have the breadth and depth of skills and experience necessary to operate and lead a business such as ours. Competition to hire from this limited pool is intense, and we may be unable to hire, train, retain, or motivate these personnel. If we are unsuccessful in recruiting, retaining, managing, and motivating such personnel, our business, financial condition, cash flows, or results of operations could be adversely affected.

As part of our normal operations, we routinely collect, process, store (both onsite and in the cloud), and transmit large amounts of data, including sensitive personal information as well as proprietary or confidential information relating to our business or third parties. Our information technology systems and safety control systems that we rely upon are subject to a growing number of threats, such as state-sponsored organizations, opportunistic hackers and hacktivists, as well as through diverse attack vectors, such as social engineering/phishing, malware (including ransomware), malfeasance by insiders, human or technological error, and as a result of malicious code embedded in open-source software, or misconfigurations, bugs or other vulnerabilities in commercial software that is integrated into our (or our suppliers’ or service providers’) IT systems, products or services. Such threats may result in the penetration of our network or that of our vendors or suppliers, and the misappropriation of our confidential information, system disruptions, damage to our information systems, or shutdowns of our information technology environment. They also may be able to develop and deploy viruses, worms, and other malicious software programs that attack our systems or otherwise exploit security vulnerabilities. We may also face increased cybersecurity risks due to our reliance on internet technology and our remote working environment, which may create additional opportunities for cybercriminals to exploit vulnerabilities. These same risks are also faced by our significant vendors who are also in possession of sensitive confidential information. Because the techniques used to circumvent, gain access to, or sabotage security systems can be highly sophisticated, may use advanced technologies (such as artificial intelligence) and change frequently, they often are not recognized until launched against a target, and may originate from less regulated and remote areas around the world. We may be unable to anticipate these techniques or implement adequate preventive measures, resulting in potential inappropriate access, breach, or data loss and damage to our systems. Our systems are also subject to compromise from internal threats such as improper action by employees, including malicious insiders, or by vendors, counterparties, and other third parties with otherwise legitimate access to our systems. Our policies, employee training (including phishing prevention training), procedures, and technical safeguards may not prevent all improper access to our network or proprietary or confidential information by employees, vendors, counterparties, or other third parties. Our facilities and IT systems, or those of our service providers, may also be vulnerable to security incidents or security attacks, acts of vandalism or theft, misplaced or lost data, human errors, or other similar events that could negatively affect our systems and our and our members’ data. For example, in July 2024, a software update by CrowdStrike Holdings, Inc. (“CrowdStrike”), a cybersecurity technology company, cause widespread crashes of Windows systems into which it was integrated. Although we did not experience any material impacts as a result of the CrowdStrike software update, we could in the future experience similar third-party software-induced interruptions to our operations. Moreover, we face the ongoing challenge of managing access controls in a complex environment. The process of enhancing our protective measures can itself create a risk of systems disruptions and security issues. Given the breadth of our operations and the increasing sophistication of cyberattacks, a particular incident could occur and persist for an extended period of time before being detected. The extent of a particular cyberattack and the steps that we may need to take to investigate the attack may take a significant amount of time before such an investigation could be completed and full and reliable information about the incident is known. During such time, the extent of any harm or how best to remediate it might not be known, which could further increase the risks, costs, and consequences of a data security incident. In addition, our systems must be routinely updated, patched, and upgraded to protect against known vulnerabilities. The volume of new software vulnerabilities has increased substantially, as has the importance of patches and other remedial measures. In addition to remediating newly identified vulnerabilities, previously identified vulnerabilities must also be updated. We are at risk that cyber attackers exploit these known vulnerabilities before they have been addressed. The complexity of our systems and platforms, the increased frequency at which vendors are issuing security patches to their products, our need to test patches and, in some instances, coordinate with third parties before they can be deployed, all could further increase our risks. Where doing so is necessary in order to conduct our business, we also provide sensitive personal member information, as well as proprietary or confidential information relating to our business, to our third-party service providers. Those third-party service providers may also be subject to data intrusions or data breaches. For example, in February 2024, Change Healthcare (“CHC”), a major claims processing vendor to Molina, experienced a significant cybersecurity incident and has since notified Molina that certain members’ data has been breached. Though the CHC incident was not material to us, any compromise of the confidential data of our members, employees, or business, or the failure to prevent or mitigate the loss of or damage to this data through breach, could result in operational, reputational, competitive, or other business harm, as well as financial costs and regulatory action. The Company maintains cybersecurity insurance in the event of an information security or cyber incident. However, the coverage may not be sufficient to cover all financial losses. In the future, we may be subject to litigation and governmental investigations related to cyber-attacks and security breaches. Any such future litigation or governmental investigation could divert the attention of management from the operation of our business, result in reputational damage, and have a material adverse impact on our business, cash flows, financial condition, and results of operations. Moreover, our programs to detect, contain, and respond to data security incidents as well as contingency plans and insurance coverage for potential liabilities of this nature may not be sufficient to cover all claims and liabilities. Noncompliance with any privacy, security or data protection laws and regulations, or any security breach, cyber-attack, or cyber-security breach, and any incident involving the misappropriation, theft, loss, or other unauthorized disclosure or use of, or access to, sensitive or confidential information, whether by us or by one of our third-party service providers, could require us to expend significant resources to continue to modify or enhance our protective measures and to remediate any damage. In addition, this could negatively affect our operations, cause system disruptions, damage our reputation, cause membership losses and contract breaches, and could also result in regulatory enforcement actions, material fines and penalties, litigation, or other actions that could have a material adverse effect on our business, cash flows, financial condition, or results of operations.

As part of our normal operations, we routinely collect, process, store, and transmit large amounts of data, including sensitive personal information as well as proprietary or confidential information relating to our business or third parties. To ensure information security, we have implemented controls designed to protect the confidentiality, integrity and availability of this data and the systems that store and transmit such data. However, our information technology systems and safety control systems are subject to a growing number of threats from computer programmers, hackers, and other adversaries that may be able to penetrate our network security and misappropriate our confidential information, create system disruptions, or cause damage, security issues, or shutdowns. They also may be able to develop and deploy viruses, worms, and other malicious software programs that attack our systems or otherwise exploit security vulnerabilities. We may also face increased cybersecurity risks due to our reliance on internet technology and our fully remote working environment, which may create additional opportunities for cybercriminals to exploit vulnerabilities. All of these risks are also faced by our significant vendors who are also in possession of sensitive confidential information. Because the techniques used to circumvent, gain access to, or sabotage security systems can be highly sophisticated and change frequently, they often are not recognized until launched against a target, and may originate from less regulated and remote areas around the world. We may be unable to anticipate these techniques or implement adequate preventive measures, resulting in potential data loss and damage to our systems. Our systems are also subject to compromise from internal threats such as improper action by employees, including malicious insiders, or by vendors, counterparties, and other third parties with otherwise legitimate access to our systems. Our policies, employee training (including phishing prevention training), procedures and technical safeguards may not prevent all improper access to our network or proprietary or confidential information by employees, vendors, counterparties, or other third parties. Our facilities may also be vulnerable to security incidents or security attacks, acts of vandalism or theft, misplaced or lost data, human errors, or other similar events that could negatively affect our systems and our and our members’ data. Moreover, we face the ongoing challenge of managing access controls in a complex environment. The process of enhancing our protective measures can itself create a risk of systems disruptions and security issues. Given the breadth of our operations and the increasing sophistication of cyberattacks, a particular incident could occur and persist for an extended period of time before being detected. The extent of a particular cyberattack and the steps that we may need to take to investigate the attack may take a significant amount of time before such an investigation could be completed and full and reliable information about the incident is known. During such time, the extent of any harm or how best to remediate it might not be known, which could further increase the risks, costs, and consequences of a data security incident. In addition, our systems must be routinely updated, patched, and upgraded to protect against known vulnerabilities. The volume of new software vulnerabilities has increased substantially, as has the importance of patches and other remedial measures. In addition to remediating newly identified vulnerabilities, previously identified vulnerabilities must also be updated. We are at risk that cyber attackers exploit these known vulnerabilities before they have been addressed. The complexity of our systems and platforms, the increased frequency at which vendors are issuing security patches to their products, our need to test patches and, in some instances, coordinate with third parties before they can be deployed, all could further increase our risks. Where doing so is necessary in order to conduct our business, we also provide sensitive personal member information, as well as proprietary or confidential information relating to our business, to our third-party service providers. Although we obtain assurances from those third parties that they have systems and processes in place to protect such data, and that they will take steps to assure the protection of such data by other third parties, those third-party service providers may also be subject to data intrusion or data breach. Any compromise of the confidential data of our members, employees, or business, or the failure to prevent or mitigate the loss of or damage to this data through breach, could result in operational, reputational, competitive, or other business harm, as well as financial costs and regulatory action. The Company maintains cybersecurity insurance in the event of an information security or cyber incident. However, the coverage may not be sufficient to cover all financial losses. In the future, we may be subject to litigation and governmental investigations related to cyber-attacks and security breaches. Any such future litigation or governmental investigation could divert the attention of management from the operation of our business, result in reputational damage, and have a material adverse impact on our business, cash flows, financial condition, and results of operations. Moreover, our programs to detect, contain, and respond to data security incidents as well as contingency plans and insurance coverage for potential liabilities of this nature may not be sufficient to cover all claims and liabilities. Noncompliance with any privacy, security or data protection laws and regulations, or any security breach, cyber-attack or cyber-security breach, and any incident involving the misappropriation, theft, loss or other unauthorized disclosure or use of, or access to, sensitive or confidential information, whether by us or by one of our third-party service providers, could require us to expend significant resources to continue to modify or enhance our protective measures and to remediate any damage. In addition, this could negatively affect our operations, cause system disruptions, damage our reputation, cause membership losses and contract breaches, and could also result in regulatory enforcement actions, material fines and penalties, litigation or other actions that could have a material adverse effect on our business, cash flows, financial condition, and results of operations.

The CISO is responsible for assessing and managing the Company’s material risks from cybersecurity threats. The Company conducts regular risk assessments to identify, evaluate, and prioritize material cybersecurity risks to the Company, including its health plans and state contracts, shared services and IT operations, or business strategy. The risk assessments are informed by various sources of information, such as internal and external audits, vulnerability scans, penetration tests, threat intelligence, incident reports, industry benchmarks, and accepted industry practices. The risk assessments consider the potential impact and likelihood of various cybersecurity threats, such as ransomware, malware, social engineering, third-party incidents, supply chain attacks and insider threats, and contemplates the adequacy of controls to detect, prevent, respond, and recover to reduce the possibility of an adverse material cybersecurity event. The Company has in place processes to identify material risks from cybersecurity threats associated with its use of third-party service providers and as such, conducts assessments of such third-party service providers with respect to their cybersecurity programs and risks and requires third-party service providers to notify the Company if they experienced a cybersecurity incident. The Company hires experienced security professionals to conduct advanced and realistic cybersecurity attack simulations to verify its Program, and conducts regular cybersecurity tabletop exercises with executive management, which are coordinated by a third-party. For a discussion of the Company’s cybersecurity-related risks, see Item 1A of this Form 10-K under the heading “Risk Factors—If we or one of our significant vendors sustain a cyber-attack or suffer data privacy or security breaches that disrupt our information systems or operations, or result in the dissemination of sensitive personal or confidential information, we could suffer increased costs, exposure to significant liability, reputational harm, loss of business, and other serious negative consequences.”

The CISO is responsible for assessing and managing the Company’s material risks from cybersecurity threats. The Company conducts regular risk assessments to identify, evaluate, and prioritize material cybersecurity risks to the Company, including its health plans and state contracts, shared services and IT operations, or business strategy. The risk assessments are informed by various sources of information, such as internal and external audits, vulnerability scans, penetration tests, threat intelligence, incident reports, industry benchmarks, and accepted industry practices. The risk assessments consider the potential impact and likelihood of various cybersecurity threats, such as ransomware, malware, social engineering, third-party incidents, supply chain attacks and insider threats, and contemplates the adequacy of controls to detect, prevent, respond, and recover to reduce the possibility of an adverse material cybersecurity event. The Company has in place processes to identify material risks from cybersecurity threats associated with its use of third-party service providers and as such, conducts assessments of such third-party service providers with respect to their cybersecurity programs and risks and requires third-party service providers to notify the Company if they experienced a cybersecurity incident. The Company hires experienced security professionals to conduct advanced and realistic cybersecurity attack simulations to verify its Program, and conducts regular cybersecurity tabletop exercises with executive management, which are coordinated by a third-party. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.

To coordinate care for those who qualify to receive both Medicare and Medicaid services (the “dual eligibles”), under the direction of CMS some states implemented demonstration pilot programs to integrate Medicare and Medicaid services for the dual eligibles. The health plans participating in such demonstrations are referred to as MMPs. Pursuant to the 2023 CMS Medicare Final Rule, which requires MMP plans to end no later than December 2025, the five states in which we operate MMPs – Illinois, Michigan, Ohio, South Carolina, and Texas – have filed transition plans with CMS to move to D-SNPs by January 1, 2026. Illinois and Ohio have included plans to transition to Fully Integrated D-SNPs. Michigan and South Carolina are electing to transition to Highly Integrated D-SNPs. Texas is allowing optionality between a Fully Integrated D-SNP and a Highly Integrated D-SNP. The RFP award for Illinois is still pending. The economic impact of such transitions to D-SNP on our premium revenue is uncertain. Moreover, many states are now requiring Medicare to be offered by a health plan if that health plan is awarded a Medicaid contract. These new requirements could impact our readiness status or eligibility under certain state Medicaid programs or contracts. Further, the Star Rating System utilized by CMS to evaluate Medicare plans may have a significant effect on our revenue, as higher-rated plans tend to experience increased enrollment and plans with a Star rating of 4.0 or higher are eligible for quality-based bonus payments. Those Medicare plans that achieve less than a 3.0 Star rating for either part C or D for three consecutive years are issued a notice of non-renewal of their contract for the following year. If we do not maintain our Star ratings above 3.0 or continue to improve our Star ratings, fail to meet or exceed our competitors’ Star ratings, or if quality-based bonus payments are reduced or eliminated, we may experience a negative impact on our revenues and the benefits that our plans can offer, which could materially and adversely affect the marketability of our plans, our membership levels, results of operations, financial condition, and cash flows. Similarly, if we fail to meet or exceed any performance standards imposed by state Medicaid programs in which we participate, we may not receive performance-based bonus payments, we may incur penalties, or we may lose our Medicaid contract which may also result in a loss to our Medicare contract if it is a HIDE or FIDE D-SNP. We are periodically subject to government audits, including CMS RADV audits of our Medicare D-SNP plans to validate diagnostic data, patient claims, and financial reporting. These audits could result in significant adjustments in payments made to our health plans, particularly if it is an audit which involves extrapolation, which could adversely affect our financial condition and results of operations. If errors are identified during a RADV audit, or it is otherwise determined that we fail to comply with applicable laws and regulations, we could be subject to fines, civil penalties or other sanctions, which could have a material adverse effect on our ability to participate in these programs, and on our financial condition, cash flows and results of operations. In addition, if a D-SNP or MMP plan pays minimum medical loss ratio (“MLR”) rebates for three consecutive years, such plan will become ineligible to enroll new members.

To coordinate care for those who qualify to receive both Medicare and Medicaid services (the “dual eligibles”), under the direction of CMS some states implemented demonstration pilot programs to integrate Medicare and Medicaid services for the dual eligibles. The health plans participating in such demonstrations are referred to as MMPs. Pursuant to the 2023 CMS Medicare Final Rule, which requires MMP plans to end no later than December 2025, the five states in which we operate MMPs – Illinois, Michigan, Ohio, South Carolina, and Texas – have filed transition plans with CMS to move to D-SNPs by January 1, 2026. Illinois and Ohio have included plans to transition to Fully Integrated D-SNPs. Michigan, South Carolina, and Texas are electing to transition to Highly Integrated D-SNPs. We anticipate states to release procurements to contract with D-SNPs in 2024. The economic impact of such transitions to D-SNP on our premium revenue is uncertain at this point. Moreover, both states and CMS are requiring increasing integration of Medicare and Medicaid programmatic and compliance obligations. Medicare requirements developed by CMS, which were formerly entirely federal in nature, are now being extended to or incorporated into state-administered Medicaid programs. These new state-based requirements could impact our readiness status or eligibility under certain state Medicaid programs or contracts. Further, the Star Rating System utilized by CMS to evaluate Medicare plans may have a significant effect on our revenue, as higher-rated plans tend to experience increased enrollment and plans with a Star rating of 4.0 or higher are eligible for quality-based bonus payments. Beginning in 2016, those Medicare plans that achieve less than a 3.0 Star rating for three consecutive years will be issued a notice of non-renewal of their contract for the following year. If we do not maintain our Star ratings above 3.0 or continue to improve our Star ratings, fail to meet or exceed our competitors’ Star ratings, or if quality-based bonus payments are reduced or eliminated, we may experience a negative impact on our revenues and the benefits that our plans can offer, which could materially and adversely affect the marketability of our plans, our membership levels, results of operations, financial condition, and cash flows. Similarly, if we fail to meet or exceed any performance standards imposed by state Medicaid programs in which we participate, we may not receive performance-based bonus payments, may incur penalties, or lose our Medicaid contract. We are periodically subject to government audits, including CMS RADV audits of our Medicare D-SNP plans to validate diagnostic data, patient claims, and financial reporting. These audits could result in significant adjustments in payments made to our health plans, which could adversely affect our financial condition and results of operations. If we fail to report and correct errors discovered through our own auditing procedures or during a RADV audit, or otherwise fail to comply with applicable laws and regulations, we could be subject to fines, civil penalties or other sanctions, which could have a material adverse effect on our ability to participate in these programs, and on our financial condition, cash flows and results of operations. In addition, if a D-SNP or MMP plan pays minimum MLR rebates for three consecutive years, such plan will become ineligible to enroll new members.

During the COVID-19 pandemic, Medicaid enrollment across the country, as well as our enrollment, grew substantially compared to before the pandemic. Beginning April 1, 2023, broad-based Medicaid eligibility redeterminations commenced, and are now almost entirely completed. We lost approximately 675,000 members due to redeterminations. Periodic redeterminations on a state by state basis will now resume as before the pandemic. Actuarial assumptions related to the health acuity of remaining members may continue to be difficult to predict or may be inaccurate, resulting in inaccurate rates to be paid to health plans. Errors in our estimates related to redeterminations, and actuarial errors related to the acuity of Medicaid members, may impact our business, financial condition, cash flows, or results of operations.

During the COVID-19 pandemic, Medicaid enrollment across the country, as well as our enrollment, grew substantially compared to before the pandemic. Beginning April 1, 2023, Medicaid eligibility redeterminations commenced, and are expected to be concluded by June 2024. The total number of Medicaid enrollees who may be disenrolled during the unwinding period is uncertain. In 2023, we estimate we lost approximately 500,000 members due to redeterminations (offset by new enrollment), and we expect to lose an additional 100,000 members in 2024. Based on our experience to date, we expect that we will retain approximately 40% of the new Medicaid enrollees who joined our health plans during the pendency of the PHE. However, this expectation is subject to a number of uncertain variables and assumptions. Moreover, actuarial assumptions related to the health acuity of the remaining members may become more difficult to predict or may be inaccurate, resulting in inaccurate rates to be paid to health plans. Errors in our estimates related to redeterminations and disenrollment, and actuarial errors related to the acuity of Medicaid members may materially impact our business, financial condition, cash flows, and results of operations.

In the past, the securities and credit markets have experienced extreme volatility and disruption. The availability of credit, from virtually all types of lenders, has at times been restricted. In the event we need access to additional capital to pay our operating expenses, fund subsidiary surplus requirements, make payments on or refinance our indebtedness, pay capital expenditures, or fund acquisitions, our ability to obtain such capital may be limited and the cost of any such capital may be significant, particularly if we are unable to access our existing revolving credit facility. Our access to additional financing will depend on a variety of factors such as prevailing economic and credit market conditions, the general availability of credit, the overall availability of credit to our industry, our credit ratings and credit capacity, and perceptions of our financial prospects. Similarly, our access to funds may be impaired if regulatory authorities or rating agencies take negative actions against us. If one or any combination of these factors were to occur, our internal sources of liquidity may prove to be insufficient, and in such case, we may not be able to successfully obtain sufficient additional financing on favorable terms, within an acceptable time, or at all.

In the past, the securities and credit markets have experienced extreme volatility and disruption. The availability of credit, from virtually all types of lenders, has at times been restricted. In the event we need access to additional capital to pay our operating expenses, fund subsidiary surplus requirements, make payments on or refinance our indebtedness, pay capital expenditures, or fund acquisitions, our ability to obtain such capital may be limited and the cost of any such capital may be significant, particularly if we are unable to access our existing revolving credit facility. Our access to additional financing will depend on a variety of factors such as prevailing economic and credit market conditions, the general availability of credit, the overall availability of credit to our industry, our credit ratings and credit capacity, and perceptions of our financial prospects. Similarly, our access to funds may be impaired if regulatory authorities or rating agencies take negative actions against us. If one or any combination of these factors were to occur, our internal sources of liquidity may prove to be insufficient, and in such case, we may not be able to successfully obtain sufficient additional financing on favorable terms, within an acceptable time, or at all. We are party to a credit agreement (the “Credit Agreement”) which includes a revolving credit facility (“Credit Facility”) of $1.0 billion, among other provisions. Our Credit Agreement, and the indentures governing our notes, require us to comply with various covenants that impose restrictions on our operations, including our ability to incur additional indebtedness, create liens, pay dividends, make certain investments or other restricted payments, sell or otherwise dispose of substantially all of our assets and engage in other activities. Our Credit Agreement also requires us to comply with a maximum consolidated net leverage ratio and a minimum consolidated interest coverage ratio. These restrictive covenants could limit our ability to pursue our business strategies. In addition, any failure by us to comply with these restrictive covenants could result in an event of default under the Credit Agreement and, in some circumstances, under the indentures governing our notes, which, in any case, could have a material adverse effect on our financial condition.

We offer Marketplace plans in many of the states where we offer Medicaid health plans. In 2025, we are participating in the Marketplace in all our markets except Arizona, Iowa, Massachusetts, Nebraska, New York, and Virginia. Our Marketplace plans allow our Medicaid members to stay with their providers as they transition between Medicaid and the Marketplace. Additionally, our plans remove financial barriers to quality care and seek to minimize members' out-of-pocket expenses. We develop each state’s Marketplace premium rates during the spring of each year for policies effective in the following calendar year. Premium rates are based on our estimates of utilization of services and unit costs, anticipated member risk acuity and related federal risk adjustment transfer amounts, and non-benefit expenses such as administrative costs, taxes, and fees. In the year ended December 31, 2024, Marketplace program PMPM premium rates ranged from $400 to $1,980. Marketplace plan selection by members is highly price sensitive, and the Marketplace markets in general are highly volatile and unpredictable from year to year. Most of our Marketplace members are eligible to receive government-subsidized premium subsidies. These subsidies are currently scheduled to expire at the end of 2025. Any variation from our cost expectations regarding acuity, enrollment levels, adverse selection, or other assumptions utilized in setting premium rates, could have a material adverse effect on our results of operations, financial position, and cash flows. In addition, the non-renewal of Marketplace premium subsidies starting in 2026 could negatively impact our Marketplace enrollment.

We offer Marketplace plans in many of the states where we offer Medicaid health plans. In 2024, we are participating in the Marketplace in all our markets except for Arizona, Iowa, Massachusetts, Nebraska, New York, and Virginia. Our Marketplace plans allow our Medicaid members to stay with their providers as they transition between Medicaid and the Marketplace. Additionally, our plans remove financial barriers to quality care and seek to minimize members' out-of-pocket expenses. We develop each state’s Marketplace premium rates during the spring of each year for policies effective in the following calendar year. Premium rates are based on our estimates of utilization of services and unit costs, anticipated member risk acuity and related federal risk adjustment transfer amounts, and non-benefit expenses such as administrative costs, taxes, and fees. In the year ended December 31, 2023, Marketplace program PMPM premium rates ranged from $270 to $1,140. Marketplace plan selection by members is highly price sensitive, and the Marketplace markets in general are highly volatile and unpredictable from year to year. Any variation from our cost expectations regarding acuity, enrollment levels, adverse selection, or other assumptions utilized in setting premium rates, could have a material adverse effect on our results of operations, financial position, and cash flows.

State and federal laws and regulations including, but not limited to, the Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act, and all regulations promulgated thereunder (collectively, “HIPAA”), the California Consumer Privacy Act (the “CCPA”), the California Privacy Rights Act (the “CPRA”), and the Gramm-Leach-Bliley Act (“GLBA”), govern the collection, dissemination, use, privacy, confidentiality, security, availability, and integrity of personally identifiable information (“PII”), including protected health information (“PHI”). HIPAA establishes basic privacy and security standards for protection of PHI by covered entities and business associates, including health plans such as ours. HIPAA requires covered entities like us to develop and maintain policies and procedures regarding PHI, and to adopt administrative, physical, and technical safeguards to protect PHI. HIPAA violations may result in significant civil or criminal penalties. HIPAA authorizes state attorneys general to file suit under HIPAA on behalf of state residents. Courts can award damages, costs, and attorneys’ fees related to violations of HIPAA in such cases. We have experienced HIPAA breaches in the past, including breaches affecting over 500 individuals. The GLBA regulates, among other things, the use of certain information about individuals (“non-public personal information”) in the context of the provision of financial services, including by banks and other financial institutions. The GLBA includes both a “Privacy Rule,” which imposes obligations on financial institutions relating to the use or disclosure of non-public personal information, and a “Safeguards Rule,” which imposes obligations on financial institutions and, indirectly, their service providers to implement and maintain physical, administrative and technological measures to protect the security of non-public personal financial information. Any failure to comply with the GLBA could result in substantial financial penalties. Even when HIPAA and the GLBA do not apply, we are still subject to requirements imposed by U.S. states and the federal government. For example, the FTC expects a company’s data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. Individually identifiable health information is considered sensitive data that merits stronger safeguards. In addition, certain state laws govern the privacy and security of health information in certain circumstances, many of which differ from each other in significant ways, thus complicating compliance efforts. For example, California enacted the CCPA, which became effective on January 1, 2020. The CCPA, among other things, created data privacy obligations for covered companies and provides new privacy rights to California residents, including the right to opt out of certain disclosures of their information. The CCPA also created a private right of action with statutory damages for certain data breaches, thereby potentially increasing risks associated with a data breach. Similar laws have gone into effect or have been proposed in many other states and at the federal level as well. If we or one or more of our vendors does not comply with existing or new laws and regulations related to PHI, PII, or non-public personal information, we could be subject to criminal or civil sanctions. Any security breach involving the misappropriation, loss, or other unauthorized disclosure or use of confidential member information, whether by us or by our vendors, could subject us to civil and criminal penalties, divert management’s time and energy, and have a material adverse effect on our business, financial condition, cash flows, or results of operations. It is possible that new laws, regulations and other requirements, or amendments to or changes in interpretations of existing laws, regulations and other requirements, may require us to incur significant costs, implement new processes, or change our handling of information and business operations, which could ultimately hinder our ability to grow our business by extracting value from our data assets. In addition, any failure or perceived failure by us to comply with laws, regulations and other requirements relating to the privacy, security and handling of information could result in legal claims or proceedings (including class actions), regulatory investigations or enforcement actions. We could incur significant costs in investigating and defending such claims and, if found liable, pay significant damages or fines or be required to make changes to our business. These proceedings and any subsequent adverse outcomes may subject us to significant negative publicity. If any of these events were to occur, our business, results of operations, and financial condition could be materially adversely affected.

State and federal laws and regulations including, but not limited to, the Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act, and all regulations promulgated thereunder (collectively, “HIPAA”), the California Consumer Privacy Act (the “CCPA”), the California Privacy Rights Act (the “CPRA”), and the Gramm-Leach-Bliley Act, govern the collection, dissemination, use, privacy, confidentiality, security, availability, and integrity of personally identifiable information (“PII”), including protected health information (“PHI”). HIPAA establishes basic national privacy and security standards for protection of PHI by covered entities and business associates, including health plans such as ours. HIPAA requires covered entities like us to develop and maintain policies and procedures regarding PHI, and to adopt administrative, physical, and technical safeguards to protect PHI. HIPAA violations may result in significant civil penalties. HIPAA authorizes state attorneys general to file suit under HIPAA on behalf of state residents. Courts can award damages, costs, and attorneys’ fees related to violations of HIPAA in such cases. We have experienced HIPAA breaches in the past, including breaches affecting over 500 individuals. Even when HIPAA does not apply, according to the Federal Trade Commission (the “FTC”), failing to take appropriate steps to keep consumers’ personal information secure constitutes unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C § 45(a). The FTC expects a company’s data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. Individually identifiable health information is considered sensitive data that merits stronger safeguards. The FTC’s guidance for appropriately securing consumers’ personal information is similar to what is required by the HIPAA security regulations. In addition, certain state laws govern the privacy and security of health information in certain circumstances, many of which differ from each other in significant ways, thus complicating compliance efforts. For example, California enacted the CCPA, which became effective on January 1, 2020. The CCPA, among other things, creates new data privacy obligations for covered companies and provides new privacy rights to California residents, including the right to opt out of certain disclosures of their information. The CCPA also creates a private right of action with statutory damages for certain data breaches, thereby potentially increasing risks associated with a data breach. On January 1, 2023, the CPRA, which is the successor legislation to the CCPA, became effective. The CPRA amends and expands the CCPA, creating new privacy obligations, consumer privacy rights and enforcement mechanisms. If we or one or more of our significant vendors do not comply with existing or new laws and regulations related to PHI, PII, or non-public information, we could be subject to criminal or civil sanctions. Any security breach involving the misappropriation, loss, or other unauthorized disclosure or use of confidential member information, whether by us or by our vendors, could subject us to civil and criminal penalties, divert management’s time and energy, and have a material adverse effect on our business, financial condition, cash flows, or results of operations.

We currently spread the cost of centralized services over a large revenue base. Many of our administrative costs are fixed in nature and will be incurred at the same level regardless of the size of our revenue base. If we lose contracts that constitute a significant amount of our revenue, we may not be able to reduce the expense of centralized services in a manner that is proportional to that loss of revenue. In such circumstances, not only will our total dollar margins decline, but our percentage margins, measured as a percentage of revenue, will also decline. This loss of cost efficiency or cost leverage, and the resulting stranded administrative costs, could have a material and adverse impact on our business, financial condition, cash flows, or results of operations.

We currently spread the cost of centralized services over a large revenue base. Many of our administrative costs are fixed in nature and will be incurred at the same level regardless of the size of our revenue base. If we lose contracts that constitute a significant amount of our revenue, we may not be able to reduce the expense of centralized services in a manner that is proportional to that loss of revenue. In such circumstances, not only will our total dollar margins decline, but our percentage margins, measured as a percentage of revenue, will also decline. This loss of cost efficiency or cost leverage, and the resulting stranded administrative costs, could have a material and adverse impact on our business, financial condition, cash flows, or results of operations.

As part of our operating efficiencies, we are making appreciable investments in certain AI administrative tools and initiatives to enhance our operations and to save costs. The development and use of AI technologies is still in its early stages. There are risks associated with the development and deployment of AI, and there can be no assurance that the usage of AI will enhance our operations or reduce our operational costs. Our AI-related efforts may give rise to risks related to accuracy, bias, discrimination, intellectual property rights and infringement, data privacy, and cybersecurity, among others. In addition, these risks include the possibility of new, changing, or enhanced governmental or regulatory scrutiny, litigation, other legal liability, ethical concerns, negative consumer perceptions as to automation and AI, or other complications that could adversely affect our business, reputation, or financial results. In the United States, there has been uncertainty regarding the applicable regulations that will apply to the development and use of AI technologies. For instance, in January 2025, the Trump administration rescinded an executive order relating to the safe and secure development of AI that was previously implemented by the Biden administration. The Trump administration then issued a new interim executive order that, among other things, requires certain agencies to specifically renew and, if possible, rescind rulemaking taken pursuant to the rescinded Biden executive order. Any such changes at the federal level could require us to expend significant resources to modify our products, services, or operations to ensure compliance or remain competitive. As a result, implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future, and we cannot yet completely determine the impact future laws, regulations, standards, or market perception of their requirements may have on our business and may not always be able to anticipate how to respond to these laws or regulations. Therefore, it is not possible to predict all of the risks and potentially unintended consequences related to the use of AI by vendors, third-party developers, or the Company.

As part of our operating efficiencies, we are making appreciable investments in certain AI administrative tools and initiatives to enhance our operations and to save costs. There are risks associated with the development and deployment of AI, and there can be no assurance that the usage of AI will enhance our operations or reduce our operational costs. Our AI-related efforts may give rise to risks related to accuracy, bias, discrimination, intellectual property infringement, data privacy, and cybersecurity, among others. In addition, these risks include the possibility of new or enhanced governmental or regulatory scrutiny, litigation, or other legal liability, ethical concerns, negative consumer perceptions as to automation and AI, or other complications that could adversely affect our business, reputation, or financial results. The development and use of AI technologies is still in its early stages. Thus, it is not possible to predict all of the risks and potentially unintended consequences related to the use of AI by vendors, third-party developers, or the Company.