high match confidence
Sentence-level differences:
- Reworded sentence: "As part of our normal operations, we and certain of our third-party service providers routinely collect, process, store (both onsite and in the cloud), and transmit large amounts of data, including sensitive Personal Information as well as proprietary or confidential information relating to our members, employees, business, or other third parties (collectively, “Confidential Information”)."
- Reworded sentence: "These same risks are also faced by our significant vendors who are also in possession of sensitive Confidential Information."
- Reworded sentence: "We may be unable to anticipate these techniques, which can circumvent security controls, evade detection and remove forensic evidence, or implement adequate preventive measures, resulting in potential inappropriate access, breach, or data loss and damage to our IT Systems, Confidential Information, or business."
- Reworded sentence: "In addition, our IT Systems must be routinely updated, patched, and upgraded to protect against identified vulnerabilities."
- Reworded sentence: "We are at risk that cyber attackers exploit these known vulnerabilities before they have been comprehensively addressed, leading to significant compromises that could impact our and our customers’ IT Systems and data."
Current (2026):
As part of our normal operations, we and certain of our third-party service providers routinely collect, process, store (both onsite and in the cloud), and transmit large amounts of data, including sensitive Personal Information as well as proprietary or confidential information…
Read full text
As part of our normal operations, we and certain of our third-party service providers routinely collect, process, store (both onsite and in the cloud), and transmit large amounts of data, including sensitive Personal Information as well as proprietary or confidential information relating to our members, employees, business, or other third parties (collectively, “Confidential Information”). Additionally, we rely on computer systems, hardware, software, technology infrastructure and online sites and networks for both internal and external operations that are critical to our business (collectively, “IT Systems”). We own and manage some of these IT Systems but also rely on third parties for a range of IT Systems and related products and services, including but not limited to cloud computing services. We and our third-party suppliers and service providers face numerous and evolving cybersecurity risks that threaten the confidentiality, integrity and availability of IT Systems and Confidential Information, including from diverse threat actors, such as state-sponsored organizations, opportunistic hackers and hacktivists, as well as through diverse attack vectors, such as social engineering/phishing, malware (including ransomware), malfeasance by insiders, human or technological error, and as a result of malicious code embedded in open-source software, or misconfigurations, bugs or other vulnerabilities in commercial software that is integrated into our (or our suppliers’ or service providers’) IT Systems, products or services. Such threats may result in the penetration of our network or that of our vendors or suppliers, and the misappropriation of our Confidential Information, system disruptions, damage to our information systems, or shutdowns of our information technology environment. They also may be able to develop and deploy viruses, worms, and other malicious software programs that attack our systems or otherwise exploit security vulnerabilities. We may also face increased cybersecurity risks due to our reliance on internet technology and our remote working environment, which may create additional opportunities for cybercriminals to exploit vulnerabilities. These same risks are also faced by our significant vendors who are also in possession of sensitive Confidential Information. Because the techniques used to circumvent, gain access to, or sabotage security systems can be highly sophisticated, may use advanced technologies (such as artificial intelligence) and change frequently, they often are not recognized until launched against a target, and may originate from less regulated and remote areas around the world. We may be unable to anticipate these techniques, which can circumvent security controls, evade detection and remove forensic evidence, or implement adequate preventive measures, resulting in potential inappropriate access, breach, or data loss and damage to our IT Systems, Confidential Information, or business. Additionally, any integration of artificial intelligence in our or any service providers’ operations, products or services is expected to pose new or unknown cybersecurity risks and challenges. Our IT Systems are also subject to compromise from internal threats such as improper action by employees, including malicious insiders, or by vendors, counterparties, and other third parties with otherwise legitimate access to our systems. We have acquired and may in the future acquire companies that may contain cybersecurity vulnerabilities and/or unsophisticated security measures, which can expose us to cybersecurity, operational, and financial risks. There can also be no assurance that our cybersecurity risk management program and processes, including our policies, employee training (including phishing prevention training), procedures, and technical safeguards will be fully implemented and complied with or effective in preventing all improper access to our IT Systems or Confidential Information by employees, vendors, counterparties, or other third parties. Our facilities and IT Systems, or those of our service providers, may also be vulnerable to security incidents or security attacks, acts of vandalism or theft, misplaced or lost data, human errors, or other similar events that could negatively affect our systems or our members’ data, or could cause interruptions to our operations. Moreover, we face the ongoing challenge of managing access controls in a complex environment. The process of enhancing our protective measures can itself create a risk of systems disruptions and security issues. Given the breadth of our operations and the increasing sophistication of cyberattacks, a particular incident could occur and persist for an extended period of time before being detected. The extent of a particular cyberattack and the steps that we may need to take to investigate the attack may take a significant amount of time before such an investigation could be completed and full and reliable information about the incident is known. During such time, the extent of any harm or how best to remediate it might not be known, which could further increase the risks, costs, and consequences of a data security incident. In addition, our IT Systems must be routinely updated, patched, and upgraded to protect against identified vulnerabilities. The volume of new software vulnerabilities has increased substantially, as has the importance of patches and other remedial measures. In addition to remediating newly identified vulnerabilities, previously identified vulnerabilities must also be updated. We are at risk that cyber attackers exploit these known vulnerabilities before they have been comprehensively addressed, leading to significant compromises that could impact our and our customers’ IT Systems and data. In other situations, vulnerabilities persist even after we have issued security patches because our customers or third-party service providers may fail to apply patches or update their systems to newer software versions. The complexity of our systems and platforms, the increased frequency at which vendors are issuing security patches to their products, our need to test patches and, in some instances, coordinate with third parties before they can be deployed, all could further increase our risks. Where doing so is necessary in order to conduct our business, we also provide sensitive member Personal Information, as well as Confidential Information relating to our business, to our third-party service providers. Those third-party service providers may also be subject to data intrusions or data breaches. Any compromise of the Confidential Information of our members, employees, or business, or the failure to prevent or mitigate the loss of or damage to this data through breach, could result in operational, reputational, competitive, or other business harm, as well as financial costs and regulatory action. The Company maintains cybersecurity insurance in the event of an information security or cyber incident. However, we cannot guarantee that the coverage will be sufficient to cover all financial losses and liabilities. We and certain of our third-party service providers may experience cyberattacks and other incidents, and we expect such attacks and incidents to continue in varying degrees. In addition, we may also be subject to cyberattacks and other incidents. While to date no incidents have had a material impact on our operations or financial results, we cannot guarantee that material incidents will not occur in the future. Any adverse impact to the availability, integrity or confidentiality of our IT Systems or Confidential Information, or related litigation, and governmental investigations could divert the attention of management from the operation of our business, result in reputational damage, and have a material adverse impact on our business, cash flows, financial condition, and results of operations. Moreover, our programs to detect, contain, and respond to data security incidents as well as contingency plans may not be effective in preventing or mitigating all incidents and insurance coverage for potential liabilities of this nature may not be sufficient to cover all claims and liabilities. Noncompliance with any privacy, security, or data protection laws and regulations, or any security breach, cyber-attack, or cyber-security breach, and any incident involving the misappropriation, theft, loss, or other unauthorized disclosure or use of, or access to, IT Systems or sensitive or Confidential Information, whether by us or by one of our third-party service providers, could require us to expend significant resources to continue to modify or enhance our protective measures and to remediate any damage. In addition, this could negatively affect our operations, cause system disruptions, damage our reputation, cause membership losses and contract breaches, and could also result in regulatory investigations or enforcement actions, material fines and penalties, contractual liquidated damages, litigation or proceedings (such as class actions), or other actions that could have a material adverse effect on our business, cash flows, financial condition, or results of operations.
View prior text (2025)
As part of our normal operations, we routinely collect, process, store (both onsite and in the cloud), and transmit large amounts of data, including sensitive personal information as well as proprietary or confidential information relating to our business or third parties. Our information technology systems and safety control systems that we rely upon are subject to a growing number of threats, such as state-sponsored organizations, opportunistic hackers and hacktivists, as well as through diverse attack vectors, such as social engineering/phishing, malware (including ransomware), malfeasance by insiders, human or technological error, and as a result of malicious code embedded in open-source software, or misconfigurations, bugs or other vulnerabilities in commercial software that is integrated into our (or our suppliers’ or service providers’) IT systems, products or services. Such threats may result in the penetration of our network or that of our vendors or suppliers, and the misappropriation of our confidential information, system disruptions, damage to our information systems, or shutdowns of our information technology environment. They also may be able to develop and deploy viruses, worms, and other malicious software programs that attack our systems or otherwise exploit security vulnerabilities. We may also face increased cybersecurity risks due to our reliance on internet technology and our remote working environment, which may create additional opportunities for cybercriminals to exploit vulnerabilities. These same risks are also faced by our significant vendors who are also in possession of sensitive confidential information. Because the techniques used to circumvent, gain access to, or sabotage security systems can be highly sophisticated, may use advanced technologies (such as artificial intelligence) and change frequently, they often are not recognized until launched against a target, and may originate from less regulated and remote areas around the world. We may be unable to anticipate these techniques or implement adequate preventive measures, resulting in potential inappropriate access, breach, or data loss and damage to our systems. Our systems are also subject to compromise from internal threats such as improper action by employees, including malicious insiders, or by vendors, counterparties, and other third parties with otherwise legitimate access to our systems. Our policies, employee training (including phishing prevention training), procedures, and technical safeguards may not prevent all improper access to our network or proprietary or confidential information by employees, vendors, counterparties, or other third parties. Our facilities and IT systems, or those of our service providers, may also be vulnerable to security incidents or security attacks, acts of vandalism or theft, misplaced or lost data, human errors, or other similar events that could negatively affect our systems and our and our members’ data. For example, in July 2024, a software update by CrowdStrike Holdings, Inc. (“CrowdStrike”), a cybersecurity technology company, cause widespread crashes of Windows systems into which it was integrated. Although we did not experience any material impacts as a result of the CrowdStrike software update, we could in the future experience similar third-party software-induced interruptions to our operations. Moreover, we face the ongoing challenge of managing access controls in a complex environment. The process of enhancing our protective measures can itself create a risk of systems disruptions and security issues. Given the breadth of our operations and the increasing sophistication of cyberattacks, a particular incident could occur and persist for an extended period of time before being detected. The extent of a particular cyberattack and the steps that we may need to take to investigate the attack may take a significant amount of time before such an investigation could be completed and full and reliable information about the incident is known. During such time, the extent of any harm or how best to remediate it might not be known, which could further increase the risks, costs, and consequences of a data security incident. In addition, our systems must be routinely updated, patched, and upgraded to protect against known vulnerabilities. The volume of new software vulnerabilities has increased substantially, as has the importance of patches and other remedial measures. In addition to remediating newly identified vulnerabilities, previously identified vulnerabilities must also be updated. We are at risk that cyber attackers exploit these known vulnerabilities before they have been addressed. The complexity of our systems and platforms, the increased frequency at which vendors are issuing security patches to their products, our need to test patches and, in some instances, coordinate with third parties before they can be deployed, all could further increase our risks. Where doing so is necessary in order to conduct our business, we also provide sensitive personal member information, as well as proprietary or confidential information relating to our business, to our third-party service providers. Those third-party service providers may also be subject to data intrusions or data breaches. For example, in February 2024, Change Healthcare (“CHC”), a major claims processing vendor to Molina, experienced a significant cybersecurity incident and has since notified Molina that certain members’ data has been breached. Though the CHC incident was not material to us, any compromise of the confidential data of our members, employees, or business, or the failure to prevent or mitigate the loss of or damage to this data through breach, could result in operational, reputational, competitive, or other business harm, as well as financial costs and regulatory action. The Company maintains cybersecurity insurance in the event of an information security or cyber incident. However, the coverage may not be sufficient to cover all financial losses. In the future, we may be subject to litigation and governmental investigations related to cyber-attacks and security breaches. Any such future litigation or governmental investigation could divert the attention of management from the operation of our business, result in reputational damage, and have a material adverse impact on our business, cash flows, financial condition, and results of operations. Moreover, our programs to detect, contain, and respond to data security incidents as well as contingency plans and insurance coverage for potential liabilities of this nature may not be sufficient to cover all claims and liabilities. Noncompliance with any privacy, security or data protection laws and regulations, or any security breach, cyber-attack, or cyber-security breach, and any incident involving the misappropriation, theft, loss, or other unauthorized disclosure or use of, or access to, sensitive or confidential information, whether by us or by one of our third-party service providers, could require us to expend significant resources to continue to modify or enhance our protective measures and to remediate any damage. In addition, this could negatively affect our operations, cause system disruptions, damage our reputation, cause membership losses and contract breaches, and could also result in regulatory enforcement actions, material fines and penalties, litigation, or other actions that could have a material adverse effect on our business, cash flows, financial condition, or results of operations.