Molina Healthcare Inc.: 10-K Risk Factor Changes

We currently derive our premium revenues from health plans that operate in 21 states. Our Medicaid premium revenue constituted 75% of our consolidated premium revenue in the year ended December 31, 2025. Measured by Medicaid premium revenue by health plan, our top four health plans were in California, New York, Texas, and Washington, with aggregate Medicaid premium revenue of $17.3 billion, or approximately 54% of total Medicaid premium revenue, in the year ended December 31, 2025. If we are unable to continue to operate in any of our existing jurisdictions, or if our current operations in those jurisdictions or any portions of those jurisdictions are significantly curtailed or terminated entirely, our revenues could decrease materially. Many of our government contracts are effective only for a fixed period of time and will only be extended for an additional period of time if the contracting entity elects to do so. When our government contracts expire, they may be opened for bidding by competing health plans, and there is no guarantee that the contracts will be renewed or extended. Even if our contracts are renewed or extended, there can be no assurance that they will be renewed or extended on the same terms or without a reduction in the applicable service areas. Even if our responsive bids are successful, the bids may be based upon assumptions regarding enrollment, utilization, medical costs, or other factors which could result in the contract being less profitable than we had expected or could result in a net loss. Furthermore, our contracts contain certain provisions regarding, among other things, eligibility, enrollment and dis-enrollment processes for covered services, eligible providers, periodic financial and information reporting, quality assurance and timeliness of claims payment, and are subject to cancellation if we fail to perform in accordance with the standards set by regulatory agencies. The occurrence of any of the foregoing may result in our failing to achieve the full realization of our embedded earnings.

We currently derive our premium revenues from health plans that operate in 21 states. Our Medicaid premium revenue constituted 79% of our consolidated premium revenue in the year ended December 31, 2024. Measured by Medicaid premium revenue by health plan, our top four health plans were in California, New York, Texas, and Washington, with aggregate Medicaid premium revenue of $15.6 billion, or approximately 51% of total Medicaid premium revenue, in the year ended December 31, 2024. If we are unable to continue to operate in any of our existing jurisdictions, or if our current operations in those jurisdictions or any portions of those jurisdictions are significantly curtailed or terminated entirely, our revenues could decrease materially. Many of our government contracts are effective only for a fixed period of time and will only be extended for an additional period of time if the contracting entity elects to do so. When our government contracts expire, they may be opened for bidding by competing health plans, and there is no guarantee that the contracts will be renewed or extended. Even if our contracts are renewed or extended, there can be no assurance that they will be renewed or extended on the same terms or without a reduction in the applicable service areas. Even if our responsive bids are successful, the bids may be based upon assumptions regarding enrollment, utilization, medical costs, or other factors which could result in the contract being less profitable than we had expected or could result in a net loss. Furthermore, our contracts contain certain provisions regarding, among other things, eligibility, enrollment and dis-enrollment processes for covered services, eligible providers, periodic financial and information reporting, quality assurance and timeliness of claims payment, and are subject to cancellation if we fail to perform in accordance with the standards set by regulatory agencies.

The complexity of some of our Medicaid contract provisions, imprecise language in those contracts, the desire of state Medicaid agencies in some circumstances to retroactively adjust the rates that they have paid to us or otherwise recoup premium amounts that we reasonably believed to be final, or state delays in processing rate changes, can create uncertainty around the amount of revenue we should recognize. Any circumstance such as those described above could have a material adverse effect on our business, financial condition, cash flows, or results of operations.

The complexity of some of our Medicaid contract provisions, imprecise language in those contracts, the desire of state Medicaid agencies in some circumstances to retroactively adjust for the acuity of the medical needs of our members, and state delays in processing rate changes, can create uncertainty around the amount of revenue we should recognize. Any circumstance such as those described above could have a material adverse effect on our business, financial condition, cash flows, or results of operations.

As part of our normal operations, we and certain of our third-party service providers routinely collect, process, store (both onsite and in the cloud), and transmit large amounts of data, including sensitive Personal Information as well as proprietary or confidential information relating to our members, employees, business, or other third parties (collectively, “Confidential Information”). Additionally, we rely on computer systems, hardware, software, technology infrastructure and online sites and networks for both internal and external operations that are critical to our business (collectively, “IT Systems”). We own and manage some of these IT Systems but also rely on third parties for a range of IT Systems and related products and services, including but not limited to cloud computing services. We and our third-party suppliers and service providers face numerous and evolving cybersecurity risks that threaten the confidentiality, integrity and availability of IT Systems and Confidential Information, including from diverse threat actors, such as state-sponsored organizations, opportunistic hackers and hacktivists, as well as through diverse attack vectors, such as social engineering/phishing, malware (including ransomware), malfeasance by insiders, human or technological error, and as a result of malicious code embedded in open-source software, or misconfigurations, bugs or other vulnerabilities in commercial software that is integrated into our (or our suppliers’ or service providers’) IT Systems, products or services. Such threats may result in the penetration of our network or that of our vendors or suppliers, and the misappropriation of our Confidential Information, system disruptions, damage to our information systems, or shutdowns of our information technology environment. They also may be able to develop and deploy viruses, worms, and other malicious software programs that attack our systems or otherwise exploit security vulnerabilities. We may also face increased cybersecurity risks due to our reliance on internet technology and our remote working environment, which may create additional opportunities for cybercriminals to exploit vulnerabilities. These same risks are also faced by our significant vendors who are also in possession of sensitive Confidential Information. Because the techniques used to circumvent, gain access to, or sabotage security systems can be highly sophisticated, may use advanced technologies (such as artificial intelligence) and change frequently, they often are not recognized until launched against a target, and may originate from less regulated and remote areas around the world. We may be unable to anticipate these techniques, which can circumvent security controls, evade detection and remove forensic evidence, or implement adequate preventive measures, resulting in potential inappropriate access, breach, or data loss and damage to our IT Systems, Confidential Information, or business. Additionally, any integration of artificial intelligence in our or any service providers’ operations, products or services is expected to pose new or unknown cybersecurity risks and challenges. Our IT Systems are also subject to compromise from internal threats such as improper action by employees, including malicious insiders, or by vendors, counterparties, and other third parties with otherwise legitimate access to our systems. We have acquired and may in the future acquire companies that may contain cybersecurity vulnerabilities and/or unsophisticated security measures, which can expose us to cybersecurity, operational, and financial risks. There can also be no assurance that our cybersecurity risk management program and processes, including our policies, employee training (including phishing prevention training), procedures, and technical safeguards will be fully implemented and complied with or effective in preventing all improper access to our IT Systems or Confidential Information by employees, vendors, counterparties, or other third parties. Our facilities and IT Systems, or those of our service providers, may also be vulnerable to security incidents or security attacks, acts of vandalism or theft, misplaced or lost data, human errors, or other similar events that could negatively affect our systems or our members’ data, or could cause interruptions to our operations. Moreover, we face the ongoing challenge of managing access controls in a complex environment. The process of enhancing our protective measures can itself create a risk of systems disruptions and security issues. Given the breadth of our operations and the increasing sophistication of cyberattacks, a particular incident could occur and persist for an extended period of time before being detected. The extent of a particular cyberattack and the steps that we may need to take to investigate the attack may take a significant amount of time before such an investigation could be completed and full and reliable information about the incident is known. During such time, the extent of any harm or how best to remediate it might not be known, which could further increase the risks, costs, and consequences of a data security incident. In addition, our IT Systems must be routinely updated, patched, and upgraded to protect against identified vulnerabilities. The volume of new software vulnerabilities has increased substantially, as has the importance of patches and other remedial measures. In addition to remediating newly identified vulnerabilities, previously identified vulnerabilities must also be updated. We are at risk that cyber attackers exploit these known vulnerabilities before they have been comprehensively addressed, leading to significant compromises that could impact our and our customers’ IT Systems and data. In other situations, vulnerabilities persist even after we have issued security patches because our customers or third-party service providers may fail to apply patches or update their systems to newer software versions. The complexity of our systems and platforms, the increased frequency at which vendors are issuing security patches to their products, our need to test patches and, in some instances, coordinate with third parties before they can be deployed, all could further increase our risks. Where doing so is necessary in order to conduct our business, we also provide sensitive member Personal Information, as well as Confidential Information relating to our business, to our third-party service providers. Those third-party service providers may also be subject to data intrusions or data breaches. Any compromise of the Confidential Information of our members, employees, or business, or the failure to prevent or mitigate the loss of or damage to this data through breach, could result in operational, reputational, competitive, or other business harm, as well as financial costs and regulatory action. The Company maintains cybersecurity insurance in the event of an information security or cyber incident. However, we cannot guarantee that the coverage will be sufficient to cover all financial losses and liabilities. We and certain of our third-party service providers may experience cyberattacks and other incidents, and we expect such attacks and incidents to continue in varying degrees. In addition, we may also be subject to cyberattacks and other incidents. While to date no incidents have had a material impact on our operations or financial results, we cannot guarantee that material incidents will not occur in the future. Any adverse impact to the availability, integrity or confidentiality of our IT Systems or Confidential Information, or related litigation, and governmental investigations could divert the attention of management from the operation of our business, result in reputational damage, and have a material adverse impact on our business, cash flows, financial condition, and results of operations. Moreover, our programs to detect, contain, and respond to data security incidents as well as contingency plans may not be effective in preventing or mitigating all incidents and insurance coverage for potential liabilities of this nature may not be sufficient to cover all claims and liabilities. Noncompliance with any privacy, security, or data protection laws and regulations, or any security breach, cyber-attack, or cyber-security breach, and any incident involving the misappropriation, theft, loss, or other unauthorized disclosure or use of, or access to, IT Systems or sensitive or Confidential Information, whether by us or by one of our third-party service providers, could require us to expend significant resources to continue to modify or enhance our protective measures and to remediate any damage. In addition, this could negatively affect our operations, cause system disruptions, damage our reputation, cause membership losses and contract breaches, and could also result in regulatory investigations or enforcement actions, material fines and penalties, contractual liquidated damages, litigation or proceedings (such as class actions), or other actions that could have a material adverse effect on our business, cash flows, financial condition, or results of operations.

As part of our normal operations, we routinely collect, process, store (both onsite and in the cloud), and transmit large amounts of data, including sensitive personal information as well as proprietary or confidential information relating to our business or third parties. Our information technology systems and safety control systems that we rely upon are subject to a growing number of threats, such as state-sponsored organizations, opportunistic hackers and hacktivists, as well as through diverse attack vectors, such as social engineering/phishing, malware (including ransomware), malfeasance by insiders, human or technological error, and as a result of malicious code embedded in open-source software, or misconfigurations, bugs or other vulnerabilities in commercial software that is integrated into our (or our suppliers’ or service providers’) IT systems, products or services. Such threats may result in the penetration of our network or that of our vendors or suppliers, and the misappropriation of our confidential information, system disruptions, damage to our information systems, or shutdowns of our information technology environment. They also may be able to develop and deploy viruses, worms, and other malicious software programs that attack our systems or otherwise exploit security vulnerabilities. We may also face increased cybersecurity risks due to our reliance on internet technology and our remote working environment, which may create additional opportunities for cybercriminals to exploit vulnerabilities. These same risks are also faced by our significant vendors who are also in possession of sensitive confidential information. Because the techniques used to circumvent, gain access to, or sabotage security systems can be highly sophisticated, may use advanced technologies (such as artificial intelligence) and change frequently, they often are not recognized until launched against a target, and may originate from less regulated and remote areas around the world. We may be unable to anticipate these techniques or implement adequate preventive measures, resulting in potential inappropriate access, breach, or data loss and damage to our systems. Our systems are also subject to compromise from internal threats such as improper action by employees, including malicious insiders, or by vendors, counterparties, and other third parties with otherwise legitimate access to our systems. Our policies, employee training (including phishing prevention training), procedures, and technical safeguards may not prevent all improper access to our network or proprietary or confidential information by employees, vendors, counterparties, or other third parties. Our facilities and IT systems, or those of our service providers, may also be vulnerable to security incidents or security attacks, acts of vandalism or theft, misplaced or lost data, human errors, or other similar events that could negatively affect our systems and our and our members’ data. For example, in July 2024, a software update by CrowdStrike Holdings, Inc. (“CrowdStrike”), a cybersecurity technology company, cause widespread crashes of Windows systems into which it was integrated. Although we did not experience any material impacts as a result of the CrowdStrike software update, we could in the future experience similar third-party software-induced interruptions to our operations. Moreover, we face the ongoing challenge of managing access controls in a complex environment. The process of enhancing our protective measures can itself create a risk of systems disruptions and security issues. Given the breadth of our operations and the increasing sophistication of cyberattacks, a particular incident could occur and persist for an extended period of time before being detected. The extent of a particular cyberattack and the steps that we may need to take to investigate the attack may take a significant amount of time before such an investigation could be completed and full and reliable information about the incident is known. During such time, the extent of any harm or how best to remediate it might not be known, which could further increase the risks, costs, and consequences of a data security incident. In addition, our systems must be routinely updated, patched, and upgraded to protect against known vulnerabilities. The volume of new software vulnerabilities has increased substantially, as has the importance of patches and other remedial measures. In addition to remediating newly identified vulnerabilities, previously identified vulnerabilities must also be updated. We are at risk that cyber attackers exploit these known vulnerabilities before they have been addressed. The complexity of our systems and platforms, the increased frequency at which vendors are issuing security patches to their products, our need to test patches and, in some instances, coordinate with third parties before they can be deployed, all could further increase our risks. Where doing so is necessary in order to conduct our business, we also provide sensitive personal member information, as well as proprietary or confidential information relating to our business, to our third-party service providers. Those third-party service providers may also be subject to data intrusions or data breaches. For example, in February 2024, Change Healthcare (“CHC”), a major claims processing vendor to Molina, experienced a significant cybersecurity incident and has since notified Molina that certain members’ data has been breached. Though the CHC incident was not material to us, any compromise of the confidential data of our members, employees, or business, or the failure to prevent or mitigate the loss of or damage to this data through breach, could result in operational, reputational, competitive, or other business harm, as well as financial costs and regulatory action. The Company maintains cybersecurity insurance in the event of an information security or cyber incident. However, the coverage may not be sufficient to cover all financial losses. In the future, we may be subject to litigation and governmental investigations related to cyber-attacks and security breaches. Any such future litigation or governmental investigation could divert the attention of management from the operation of our business, result in reputational damage, and have a material adverse impact on our business, cash flows, financial condition, and results of operations. Moreover, our programs to detect, contain, and respond to data security incidents as well as contingency plans and insurance coverage for potential liabilities of this nature may not be sufficient to cover all claims and liabilities. Noncompliance with any privacy, security or data protection laws and regulations, or any security breach, cyber-attack, or cyber-security breach, and any incident involving the misappropriation, theft, loss, or other unauthorized disclosure or use of, or access to, sensitive or confidential information, whether by us or by one of our third-party service providers, could require us to expend significant resources to continue to modify or enhance our protective measures and to remediate any damage. In addition, this could negatively affect our operations, cause system disruptions, damage our reputation, cause membership losses and contract breaches, and could also result in regulatory enforcement actions, material fines and penalties, litigation, or other actions that could have a material adverse effect on our business, cash flows, financial condition, or results of operations.

To coordinate care for those who qualify to receive both Medicare and Medicaid services (the “dual eligibles”), under the direction of CMS some states implemented demonstration pilot programs to integrate Medicare and Medicaid services for the dual eligibles. The health plans participating in such demonstrations are referred to as MMPs. Pursuant to the 2023 CMS Medicare Final Rule, which requires MMP plans to end no later than December 2025, the five states in which we operate MMPs – Illinois, Michigan, Ohio, South Carolina, and Texas – transitioned their current MMP contracts to integrated D-SNP contracts on January 1, 2026. The economic impact of such transitions to D-SNP on our premium revenues is uncertain. Moreover, many states are now requiring Medicare to be offered by a health plan if that health plan is awarded a Medicaid contract. These new requirements could impact our readiness status or eligibility under certain state Medicaid programs or contracts. Further, the Star Rating System utilized by CMS to evaluate Medicare plans may have a significant effect on our revenue, as higher-rated plans tend to experience increased enrollment and plans with a Star rating of 4.0 or higher are eligible for quality-based bonus payments. Those Medicare plans that achieve less than a 3.0 Star rating for either part C or D for three consecutive years are issued a notice of non-renewal of their contract for the following year. If we do not maintain our Star ratings above 3.0 or continue to improve our Star ratings, fail to meet or exceed our competitors’ Star ratings, or if quality-based bonus payments are reduced or eliminated, we may experience a negative impact on our revenues and the benefits that our plans can offer, which could materially and adversely affect the marketability of our plans, our membership levels, results of operations, financial condition, or cash flows. Similarly, if we fail to meet or exceed any performance standards imposed by state Medicaid programs in which we participate, we may not receive performance-based bonus payments, we may incur penalties, or we may lose our Medicaid contract which may also result in a loss to our Medicare contract if it is a HIDE or FIDE D-SNP. We are periodically subject to government audits, including CMS RADV audits of our Medicare D-SNP plans to validate diagnostic data, patient claims, and financial reporting. These audits could result in significant adjustments in payments made to our health plans, particularly if it is an audit which involves extrapolation, which could adversely affect our financial condition and results of operations. If errors are identified during a RADV audit, or it is otherwise determined that we fail to comply with applicable laws and regulations, we could be subject to fines, civil penalties, or other sanctions, which could have a material adverse effect on our ability to participate in these programs, and on our financial condition, cash flows, or results of operations. In addition, if a D-SNP or MMP plan pays minimum medical loss ratio (“MLR”) rebates for three consecutive years, such plan will become ineligible to enroll new members.

To coordinate care for those who qualify to receive both Medicare and Medicaid services (the “dual eligibles”), under the direction of CMS some states implemented demonstration pilot programs to integrate Medicare and Medicaid services for the dual eligibles. The health plans participating in such demonstrations are referred to as MMPs. Pursuant to the 2023 CMS Medicare Final Rule, which requires MMP plans to end no later than December 2025, the five states in which we operate MMPs – Illinois, Michigan, Ohio, South Carolina, and Texas – have filed transition plans with CMS to move to D-SNPs by January 1, 2026. Illinois and Ohio have included plans to transition to Fully Integrated D-SNPs. Michigan and South Carolina are electing to transition to Highly Integrated D-SNPs. Texas is allowing optionality between a Fully Integrated D-SNP and a Highly Integrated D-SNP. The RFP award for Illinois is still pending. The economic impact of such transitions to D-SNP on our premium revenue is uncertain. Moreover, many states are now requiring Medicare to be offered by a health plan if that health plan is awarded a Medicaid contract. These new requirements could impact our readiness status or eligibility under certain state Medicaid programs or contracts. Further, the Star Rating System utilized by CMS to evaluate Medicare plans may have a significant effect on our revenue, as higher-rated plans tend to experience increased enrollment and plans with a Star rating of 4.0 or higher are eligible for quality-based bonus payments. Those Medicare plans that achieve less than a 3.0 Star rating for either part C or D for three consecutive years are issued a notice of non-renewal of their contract for the following year. If we do not maintain our Star ratings above 3.0 or continue to improve our Star ratings, fail to meet or exceed our competitors’ Star ratings, or if quality-based bonus payments are reduced or eliminated, we may experience a negative impact on our revenues and the benefits that our plans can offer, which could materially and adversely affect the marketability of our plans, our membership levels, results of operations, financial condition, and cash flows. Similarly, if we fail to meet or exceed any performance standards imposed by state Medicaid programs in which we participate, we may not receive performance-based bonus payments, we may incur penalties, or we may lose our Medicaid contract which may also result in a loss to our Medicare contract if it is a HIDE or FIDE D-SNP. We are periodically subject to government audits, including CMS RADV audits of our Medicare D-SNP plans to validate diagnostic data, patient claims, and financial reporting. These audits could result in significant adjustments in payments made to our health plans, particularly if it is an audit which involves extrapolation, which could adversely affect our financial condition and results of operations. If errors are identified during a RADV audit, or it is otherwise determined that we fail to comply with applicable laws and regulations, we could be subject to fines, civil penalties or other sanctions, which could have a material adverse effect on our ability to participate in these programs, and on our financial condition, cash flows and results of operations. In addition, if a D-SNP or MMP plan pays minimum medical loss ratio (“MLR”) rebates for three consecutive years, such plan will become ineligible to enroll new members.

We are subject to a variety of legal actions that may affect our business, including but not limited to provider claims, employment related claims, breach of contract actions, Qui Tam or False Claims Act actions, Civil Investigative Demands, class actions of various kind, including securities law class actions, derivative actions, administrative matters before government agencies, tort claims, and intellectual property-related litigation. These actions or proceedings could result in substantial costs to us, require management to spend substantial time focused on litigation, result in negative media attention, and may adversely affect our business, reputation, financial condition, results of operations, or cash flows. If we incur liability materially in excess of the amount for which we have insurance coverage, our profitability would suffer.

We are subject to a variety of legal actions that may affect our business, including but not limited to provider claims, employment related disputes and employee benefit claims, breach of contract actions, qui tam or False Claims Act actions, administrative matters before government agencies, tort claims, intellectual property-related litigation, and class actions of various kind. These actions or proceedings could result in substantial costs to us, require management to spend substantial time focused on litigation, result in negative media attention, and may adversely affect our business, reputation, financial condition, results of operations, or cash flows. If we incur liability materially in excess of the amount for which we have insurance coverage, our profitability would suffer.

As part of our operating efficiencies, we are making appreciable investments in certain AI administrative tools and initiatives to enhance our operations and to save costs. The development and use of AI technologies is still in its early stages. There are risks associated with the development and deployment of AI, and there can be no assurance that the usage of AI will enhance our operations or reduce our operational costs. Our AI-related efforts may give rise to risks related to accuracy, bias, discrimination, intellectual property rights and infringement, data privacy, and cybersecurity, among others. In addition, these risks include the possibility of new, changing, or enhanced governmental or regulatory scrutiny, litigation, other legal liability, ethical concerns, negative consumer perceptions as to automation and AI, or other complications that could adversely affect our business, reputation, or financial results. For instance, the California Privacy Protection Agency’s new regulations under the CCPA regarding the use of automated decision-making went into effect on January 1, 2026. California also enacted seventeen new laws in 2024 that further regulate use of AI technologies and provide consumers with additional protections around companies’ use of AI technologies, such as requiring companies to disclose certain uses of generative AI. Other states are also considering AI-focused legislation, which would require developers and deployers of “high-risk” AI systems to implement certain safeguards against algorithmic discrimination. However, there also continues to be uncertainty regarding the enforceability of such regulations and how they will apply to the development and use of AI technologies. For instance, the federal government may seek to preempt state laws when they seek to govern certain topics, as evidenced by the Trump administration’s “Ensuring a National Policy Framework for Artificial Intelligence” Executive Order signed on December 11, 2025. This order calls for federal standards and legislation that would preempt conflicting state AI regulations and create a federal litigation task force focused on challenging state AI laws in court. The Trump administration may continue to implement new or rescind existing federal orders and/or administrative policies relating to AI technologies. Any such changes at the federal level could require us to expend significant resources to modify our products, services, or operations to ensure compliance or remain competitive. As a result, implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future, and we cannot yet completely determine the impact future laws, regulations, standards, or market perception of their requirements may have on our business and may not always be able to anticipate how to respond to these laws or regulations. Therefore, it is not possible to predict all of the risks and potentially unintended consequences related to the use of AI by vendors, third-party developers, or the Company.

As part of our operating efficiencies, we are making appreciable investments in certain AI administrative tools and initiatives to enhance our operations and to save costs. The development and use of AI technologies is still in its early stages. There are risks associated with the development and deployment of AI, and there can be no assurance that the usage of AI will enhance our operations or reduce our operational costs. Our AI-related efforts may give rise to risks related to accuracy, bias, discrimination, intellectual property rights and infringement, data privacy, and cybersecurity, among others. In addition, these risks include the possibility of new, changing, or enhanced governmental or regulatory scrutiny, litigation, other legal liability, ethical concerns, negative consumer perceptions as to automation and AI, or other complications that could adversely affect our business, reputation, or financial results. In the United States, there has been uncertainty regarding the applicable regulations that will apply to the development and use of AI technologies. For instance, in January 2025, the Trump administration rescinded an executive order relating to the safe and secure development of AI that was previously implemented by the Biden administration. The Trump administration then issued a new interim executive order that, among other things, requires certain agencies to specifically renew and, if possible, rescind rulemaking taken pursuant to the rescinded Biden executive order. Any such changes at the federal level could require us to expend significant resources to modify our products, services, or operations to ensure compliance or remain competitive. As a result, implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future, and we cannot yet completely determine the impact future laws, regulations, standards, or market perception of their requirements may have on our business and may not always be able to anticipate how to respond to these laws or regulations. Therefore, it is not possible to predict all of the risks and potentially unintended consequences related to the use of AI by vendors, third-party developers, or the Company.

We offer Marketplace plans in many of the states where we offer Medicaid health plans. In 2026, we are participating in the Marketplace in all our markets except Arizona, Iowa, Massachusetts, Michigan, Nebraska, New York, and Wisconsin. Our Marketplace plans allow our Medicaid members to stay with their providers as they transition between Medicaid and the Marketplace. Additionally, our plans remove financial barriers to quality care and seek to minimize members' out-of-pocket expenses. We develop each state’s Marketplace premium rates during the spring of each year for policies effective in the following calendar year. Premium rates are based on our estimates of utilization of services and unit costs, anticipated member risk acuity and related federal risk adjustment transfer amounts, and non-benefit expenses such as administrative costs, taxes, and fees. Marketplace plan selection by members is highly price sensitive, and the Marketplace markets in general are highly volatile and unpredictable from year to year. In recent years, most of our Marketplace members were eligible to receive government-subsidized premium subsidies. Even though certain advanced premium tax credits (“APTCs”) expired at the end of 2025, it is possible that they could be renewed, but the timing of such a decision, and the manner in which they could be renewed, is uncertain. This expiration, as well as any future elimination or reduction of other APTCs or subsidies, could make such coverage unaffordable to some individuals and thereby reduce overall participation in the Marketplace and our membership. These fluctuations could have a significant adverse effect on our business and future operations, and our results of operations and financial condition. Any variation from our cost expectations regarding acuity, enrollment levels, adverse selection, or other assumptions utilized in setting premium rates, could have a material adverse effect on our results of operations, financial position, and cash flows. In addition, the non-renewal of Marketplace premium subsidies starting in 2026 could negatively impact our Marketplace enrollment.

We offer Marketplace plans in many of the states where we offer Medicaid health plans. In 2025, we are participating in the Marketplace in all our markets except Arizona, Iowa, Massachusetts, Nebraska, New York, and Virginia. Our Marketplace plans allow our Medicaid members to stay with their providers as they transition between Medicaid and the Marketplace. Additionally, our plans remove financial barriers to quality care and seek to minimize members' out-of-pocket expenses. We develop each state’s Marketplace premium rates during the spring of each year for policies effective in the following calendar year. Premium rates are based on our estimates of utilization of services and unit costs, anticipated member risk acuity and related federal risk adjustment transfer amounts, and non-benefit expenses such as administrative costs, taxes, and fees. In the year ended December 31, 2024, Marketplace program PMPM premium rates ranged from $400 to $1,980. Marketplace plan selection by members is highly price sensitive, and the Marketplace markets in general are highly volatile and unpredictable from year to year. Most of our Marketplace members are eligible to receive government-subsidized premium subsidies. These subsidies are currently scheduled to expire at the end of 2025. Any variation from our cost expectations regarding acuity, enrollment levels, adverse selection, or other assumptions utilized in setting premium rates, could have a material adverse effect on our results of operations, financial position, and cash flows. In addition, the non-renewal of Marketplace premium subsidies starting in 2026 could negatively impact our Marketplace enrollment.

Our business is extensively regulated by the federal government and the states in which we operate. The laws and regulations governing our operations are generally intended to benefit and protect health plan members and providers rather than managed care organizations. The government agencies administering these laws and regulations have broad latitude in interpreting and applying them. Changes in the interpretation or application of our contracts could reduce our profitability if we have detrimentally relied on a prior interpretation or application. These laws and regulations, along with the terms of our government contracts, regulate how we do business, what services we offer, and how we interact with our members and the public. For instance, some states mandate minimum medical expense levels as a percentage of premium revenues. These laws and regulations, and their interpretations, are subject to frequent change. The interpretation of certain contract provisions by our governmental regulators at the federal and state level may also change. Changes in existing laws or regulations, or their interpretations, or the enactment of new laws or regulations or executive orders, could reduce our profitability by imposing additional capital requirements, increasing our liability, increasing our administrative and other costs, increasing mandated benefits, forcing us to restructure our relationships with providers, requiring us to implement additional or different programs and systems, or making it more difficult to predict future results. Thus, any significant changes in existing health care laws or regulations could materially impact our business, financial condition, cash flows, or results of operations. In particular, the OBBBA enacted several provisions that may impact the number of enrollees in health insurance marketplaces and the size of our member population. The law requires states to establish work requirements and conduct more frequent participant eligibility redeterminations, among other modifications. In addition, the OBBBA may have created a negative public perception that Medicaid services may become unavailable or drastically reduced. Although the full impact of the OBBBA is uncertain at this time, these changes are expected to reduce enrollment in state Medicaid programs. The timing and magnitude of the reductions may vary by state depending on how quickly states implement the changes, how states may adapt their future tax and Medicaid funding policies in response, as well as other macroeconomic factors. In addition, the OBBBA ends the APTCs for individuals who enroll in plans via the special enrollment period with income below 150% of the FPL, prohibiting automatic re-enrollment for tax year 2028, and eliminating APTC eligibility for some formerly covered individuals (such as refugees and other immigrant populations). While we currently estimate that the reduction in enrollment in connection with the OBBBA will be in the range of 15% to 20% by 2029 on 1.2 million members in our Medicaid Expansion population, we cannot predict with certainty the magnitude of the impact on our membership or our business. In addition, the OBBBA also reduces revenues that states can raise through provider taxes to finance their share of Medicaid spending and limits payments to Medicaid providers to 100 percent of the mandated Medicare rate for Expansion states and 110% of the Medicare rate for non-Expansion states. These changes are scheduled to begin in 2028, and we expect they may take 5 to 15 years to be fully implemented. Furthermore, in response to state budget challenges, certain states have implemented spending cuts to Medicaid programs, and there may continue to be proposals that could significantly reduce state spending on their Medicaid programs. The impact of these changes and developments is uncertain and will depend on how states may adapt their future tax and Medicaid funding policies in response.

Our business is extensively regulated by the federal government and the states in which we operate. The laws and regulations governing our operations are generally intended to benefit and protect health plan members and providers rather than managed care organizations. The government agencies administering these laws and regulations have broad latitude in interpreting and applying them. Changes in the interpretation or application of our contracts could reduce our profitability if we have detrimentally relied on a prior interpretation or application. These laws and regulations, along with the terms of our government contracts, regulate how we do business, what services we offer, and how we interact with our members and the public. For instance, some states mandate minimum medical expense levels as a percentage of premium revenues. These laws and regulations, and their interpretations, are subject to frequent change. The interpretation of certain contract provisions by our governmental regulators at the federal and state level may also change. Changes in existing laws or regulations, or their interpretations, or the enactment of new laws or regulations or executive orders, could reduce our profitability by imposing additional capital requirements, increasing our liability, increasing our administrative and other costs, increasing mandated benefits, forcing us to restructure our relationships with providers, requiring us to implement additional or different programs and systems, or making it more difficult to predict future results. Thus, any significant changes in existing health care laws or regulations could materially impact our business, financial condition, cash flows, or results of operations.

Because we receive payments from federal and state governmental agencies, we are subject to various laws commonly referred to as “fraud and abuse” laws, including federal and state anti-kickback statutes, prohibited referrals, and the federal False Claims Act, which permit agencies and enforcement authorities to institute a suit against us for purported violations and, in some cases, to seek treble damages, criminal and civil fines, penalties, and assessments. Violations of these laws can also result in exclusion, debarment, temporary or permanent suspension from participation in government healthcare programs, or the institution of corporate integrity agreements. Liability under such federal and state statutes and regulations may arise if we know, or it is determined that we should have known, that information we provide to form the basis for a claim for government payment is false or fraudulent, and some courts have permitted False Claims Act suits to proceed if the claimant was out of compliance with program requirements. Fraud, waste and abuse prohibitions encompass a wide range of operating activities, including kickbacks or other inducements for referral of members or for the coverage of products (such as prescription drugs) by a plan, billing for unnecessary medical services by a provider, up-coding, payments made to excluded providers, improper marketing, and the violation of patient privacy rights. Companies involved in public health care programs such as Medicaid and Medicare are required to maintain compliance programs to detect and deter fraud, waste, and abuse, and are often the subject of fraud, waste and abuse investigations and audits. The regulations and contractual requirements applicable to participants in these public-sector programs are complex and subject to change. The federal government has taken the position that claims presented in violation of the federal anti-kickback statute may be considered a violation of the federal False Claims Act. In addition, under the federal civil monetary penalty statute, the U.S. Department of Health and Human Services’ Office of Inspector General has the authority to impose civil penalties against any person who, among other things, knowingly presents, or causes to be presented, certain false or otherwise improper claims. Qui tam actions under federal and state law are brought by a private individual, known as a relator, on behalf of the government. A relator who brings a successful qui tam lawsuit can receive 15 to 30 percent of the damages the government recovers from the defendants, which damages are trebled under the False Claims Act. Because of these financial inducements offered to plaintiffs, qui tam actions have increased significantly in recent years, causing greater numbers of healthcare companies to incur the costs of having to defend against false claims actions, including the costs associated with responding to exploratory Civil Investigative Demands brought by the government, many of which are spurious and without merit. In addition, false claims actions could result in fines or debarment from the Medicaid, Medicare, or other state or federal healthcare programs. If we are subject to liability under a qui tam or other actions, our business, financial condition, cash flows, or results of operations could be adversely affected. Even if we are successful in defending qui tam actions against us, the fact that these actions were filed against us, even if ultimately determined to be without merit, could result in expensive defense costs, and also could have an adverse impact on our reputation and our ability to obtain regulatory approval for acquisitions that we may pursue. Our use and disclosure of personal information and other non-public information, including protected health information, is subject to federal and state laws, regulations, and requirements relating to the privacy, security, and processing of personal information, and any actual or perceived failure by us or our third-party service providers to comply with those ever-evolving regulations or to adequately secure the information we hold may result in significant liability, negative publicity, and/or an erosion of trust, which could materially adversely affect our business, results of operations, or financial condition. In connection with running our business, we receive, store, use and otherwise process information that relates to individuals and/or constitutes “personal data,” “personal information,” “personally identifiable information,” or similar terms under applicable data privacy laws (collectively, “Personal Information”), including from and about actual and prospective customers, as well as our employees and business contacts. We also depend on a number of third-party service providers in relation to the operation of our business, a number of which process Personal Information on our behalf. We and our third-party service providers are therefore subject to a variety of federal, state data privacy laws, rules, regulations, industry standards and other requirements, including those that apply generally to the processing of Personal Information, and those that are specific to certain industries, sectors, contexts, or locations. For example, HIPAA, the California Consumer Privacy Act (the “CCPA”), the California Privacy Rights Act (the “CPRA”), and the Gramm-Leach-Bliley Act (“GLBA”), govern the collection, dissemination, transmission, use, privacy, confidentiality, security, availability, and integrity of Personal Information and protected health information (“protected health information” or “PHI”). Furthermore, depending on the circumstance, we may act as either a covered entity and/or a business associate under HIPAA. HIPAA establishes breach notification obligations and basic privacy and security standards for protection of PHI by certain healthcare providers, health plans, and healthcare clearinghouses, known as covered entities, as well as their business associates that perform certain services that involve creating, receiving, maintaining or transmitting PHI for or on behalf of such covered entities, and their covered subcontractors. HIPAA requires covered entities and business associates to develop and maintain policies and procedures regarding PHI, and to adopt administrative, physical and technical safeguards to protect PHI. Additionally, under HIPAA, covered entities must notify affected individuals of breaches of unsecured PHI without unreasonable delay following discovery of the breach by a covered entity. Notification also must be made to the U.S. Department of Health and Human Services Office for Civil Rights, or OCR, and, in certain circumstances involving large breaches, to the media. Business associates must report breaches of unsecured PHI to covered entities within 60 days of discovery of the breach by the business associate. We have experienced HIPAA breaches in the past, including breaches affecting over 500 individuals. Entities that experience HIPAA violations as the result of a breach of unsecured PHI, a complaint about privacy practices or an audit by the HHS may be subject to civil monetary penalties and/or additional reporting and oversight obligations if required to enter into a resolution agreement and corrective action plan with HHS to settle allegations of HIPAA non-compliance. In certain circumstances, entities or individuals may be subject to criminal penalties for HIPAA violations. HIPAA authorizes state Attorneys General to file suit under HIPAA on behalf of state residents. Courts can award damages, costs, and attorneys’ fees related to violations of HIPAA in such cases. While HIPAA does not create a private right of action allowing individuals to sue us in civil court for violations of HIPAA, its standards have been used as the basis for duty of care in state civil suits such as those for negligence or recklessness in the misuse or breach of PHI. The GLBA regulates, among other things, the use of certain information about individuals (“non-public personal information”) in the context of the provision of financial services, including by banks and other financial institutions. The GLBA includes both a “Privacy Rule,” which imposes obligations on financial institutions relating to the use or disclosure of non-public personal information, and a “Safeguards Rule,” which imposes obligations on financial institutions and, indirectly, their service providers to implement and maintain physical, administrative and technological measures to protect the security of non-public personal financial information. Any failure to comply with the GLBA could result in substantial financial penalties. Even when HIPAA and the GLBA do not apply, we are still subject to requirements imposed by U.S. states and the federal government. For example, the FTC and state regulators enforce a variety of data privacy and security issues, such as promises made in privacy policies or a company’s data security measures failing to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities, which may be deemed as unfair or deceptive acts or practices in or affecting commerce in violation of the FTC Act or similar state laws. Individually identifiable health information is considered sensitive data that merits stronger safeguards. In addition, in recent years, certain states have adopted or modified data privacy and security laws and regulations that may apply to our business, including laws that govern the privacy and security of health information in certain circumstances, many of which differ from each other in significant ways, thus complicating compliance efforts. For example, California enacted the CCPA, which became effective on January 1, 2020. The CCPA, among other things, created data privacy obligations for covered companies and provides new privacy rights to California residents, including the right to opt out of certain disclosures of their information. The CCPA also created a private right of action with statutory damages for certain data breaches, thereby potentially increasing risks associated with a data breach. Similar laws have gone into effect and are enforceable, or have been proposed in many other states and at the federal level as well. If we or one or more of our vendors does not comply with existing or new laws and regulations related to PHI, Personal Information, or non-public personal information, we could be subject to criminal or civil sanctions. Any security breach involving the misappropriation, loss, or other unauthorized disclosure or use of member Confidential Information, whether by us or by our vendors, could subject us to civil and criminal penalties, divert management’s time and energy, and have a material adverse effect on our business, financial condition, cash flows, or results of operations. Even though we believe we and our vendors are generally in compliance with applicable laws, rules and regulations relating to privacy and data security, it is possible that new laws, regulations and other requirements, or amendments to or changes in interpretations of existing laws, regulations and other requirements, may require us to incur significant costs, implement new processes, or change our handling of information and business operations, which could ultimately hinder our ability to grow our business by extracting value from our data assets. In addition, any failure or perceived failure by us to comply with laws, regulations and other requirements relating to the privacy, security and handling of information could result in legal claims or proceedings (including class actions), regulatory investigations or enforcement actions. We could incur significant costs in investigating and defending such claims and, if found liable, pay significant damages or fines or be required to make changes to our business. These proceedings and any subsequent adverse outcomes may subject us to significant negative publicity. If any of these events were to occur, our business, results of operations, and financial condition could be materially adversely affected.

State and federal laws and regulations including, but not limited to, the Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act, and all regulations promulgated thereunder (collectively, “HIPAA”), the California Consumer Privacy Act (the “CCPA”), the California Privacy Rights Act (the “CPRA”), and the Gramm-Leach-Bliley Act (“GLBA”), govern the collection, dissemination, use, privacy, confidentiality, security, availability, and integrity of personally identifiable information (“PII”), including protected health information (“PHI”). HIPAA establishes basic privacy and security standards for protection of PHI by covered entities and business associates, including health plans such as ours. HIPAA requires covered entities like us to develop and maintain policies and procedures regarding PHI, and to adopt administrative, physical, and technical safeguards to protect PHI. HIPAA violations may result in significant civil or criminal penalties. HIPAA authorizes state attorneys general to file suit under HIPAA on behalf of state residents. Courts can award damages, costs, and attorneys’ fees related to violations of HIPAA in such cases. We have experienced HIPAA breaches in the past, including breaches affecting over 500 individuals. The GLBA regulates, among other things, the use of certain information about individuals (“non-public personal information”) in the context of the provision of financial services, including by banks and other financial institutions. The GLBA includes both a “Privacy Rule,” which imposes obligations on financial institutions relating to the use or disclosure of non-public personal information, and a “Safeguards Rule,” which imposes obligations on financial institutions and, indirectly, their service providers to implement and maintain physical, administrative and technological measures to protect the security of non-public personal financial information. Any failure to comply with the GLBA could result in substantial financial penalties. Even when HIPAA and the GLBA do not apply, we are still subject to requirements imposed by U.S. states and the federal government. For example, the FTC expects a company’s data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. Individually identifiable health information is considered sensitive data that merits stronger safeguards. In addition, certain state laws govern the privacy and security of health information in certain circumstances, many of which differ from each other in significant ways, thus complicating compliance efforts. For example, California enacted the CCPA, which became effective on January 1, 2020. The CCPA, among other things, created data privacy obligations for covered companies and provides new privacy rights to California residents, including the right to opt out of certain disclosures of their information. The CCPA also created a private right of action with statutory damages for certain data breaches, thereby potentially increasing risks associated with a data breach. Similar laws have gone into effect or have been proposed in many other states and at the federal level as well. If we or one or more of our vendors does not comply with existing or new laws and regulations related to PHI, PII, or non-public personal information, we could be subject to criminal or civil sanctions. Any security breach involving the misappropriation, loss, or other unauthorized disclosure or use of confidential member information, whether by us or by our vendors, could subject us to civil and criminal penalties, divert management’s time and energy, and have a material adverse effect on our business, financial condition, cash flows, or results of operations. It is possible that new laws, regulations and other requirements, or amendments to or changes in interpretations of existing laws, regulations and other requirements, may require us to incur significant costs, implement new processes, or change our handling of information and business operations, which could ultimately hinder our ability to grow our business by extracting value from our data assets. In addition, any failure or perceived failure by us to comply with laws, regulations and other requirements relating to the privacy, security and handling of information could result in legal claims or proceedings (including class actions), regulatory investigations or enforcement actions. We could incur significant costs in investigating and defending such claims and, if found liable, pay significant damages or fines or be required to make changes to our business. These proceedings and any subsequent adverse outcomes may subject us to significant negative publicity. If any of these events were to occur, our business, results of operations, and financial condition could be materially adversely affected.

We are party to a credit agreement dated as of November 20, 2025 ( the “New Credit Agreement”) which replaced our prior credit Agreement dated as of June 8, 2020 (the “Prior Credit Agreement”), and includes a revolving credit facility (“Credit Facility”) of $1.25 billion, among other provisions. Our New Credit Agreement, and the indentures governing our notes, require us to comply with various covenants that impose restrictions on our operations, including our ability to incur additional indebtedness, create liens, pay dividends, make certain investments or other restricted payments, sell or otherwise dispose of substantially all of our assets and engage in other activities. The New Credit Agreement contains customary non-financial and financial covenants, including maintenance of a minimum Interest Coverage Ratio (as defined in the New Credit Agreement) threshold of 3.0 to 1.0, and a maximum Consolidated Total Debt to Capital Ratio (as defined in the New Credit Agreement) of 60%, with a step-up to 65% for four fiscal quarters following a material acquisition or series of related acquisitions (i.e., $500 million or greater cash consideration). On February 4, 2026, we entered into an amendment to the New Credit Agreement (the “First Amendment”) that temporarily reduces the minimum Interest Coverage Ratio threshold to (a) with respect to each fiscal quarter ending March 31, 2026 through and including December 31, 2026, 1.75:1.00, (b) with respect to each fiscal quarter ending March 31, 2027, 2.00:1.00, (c) with respect to fiscal quarter ending June 30, 2027, 2.50:1.00 and (d) with respect to fiscal quarter ending September 30, 2027, 2.75:1.00. These various restrictive covenants could limit our ability to pursue our business strategies. In addition, any failure by us to comply with these restrictive covenants could result in an event of default under the New Credit Agreement and, in some circumstances, under the indentures governing our notes, which could have a material adverse effect on our business, financial condition, cash flows, or results of operations.

We are party to a credit agreement (as amended, the “Credit Agreement”) which includes a revolving credit facility (“Credit Facility”) of $1.25 billion, among other provisions. Our Credit Agreement, and the indentures governing our notes, require us to comply with various covenants that impose restrictions on our operations, including our ability to incur additional indebtedness, create liens, pay dividends, make certain investments or other restricted payments, sell or otherwise dispose of substantially all of our assets and engage in other activities. Our Credit Agreement also requires us to comply with a maximum consolidated net leverage ratio and a minimum consolidated interest coverage ratio. These restrictive covenants could limit our ability to pursue our business strategies. In addition, any failure by us to comply with these restrictive covenants could result in an event of default under the Credit Agreement and, in some circumstances, under the indentures governing our notes, which, in any case, could have a material adverse effect on our financial condition.

Our premium revenues consist of fixed monthly payments per member, and supplemental payments for other services such as maternity deliveries. These premiums are fixed by contract, and we are obligated during the contract periods to provide healthcare services as established by the state governments in which our health plans operate. Rate increases are most typically implemented by states on only an annual basis. We use most of our premium revenues to pay the medical costs of healthcare services delivered to our members. If the premiums paid to us are not increased at a rate that is commensurate with the rate at which medical expenses related to healthcare services rise, or the rate at which health care utilization rates increase, our medical margins will be compressed or eliminated, and our earnings will be negatively affected. We have seen in prior quarters that medical expenses have risen higher than anticipated, and that our capitation rates have not kept pace with the sharp rate of that medical care cost increase. Our inability to predict future medical expenses and future rates of utilization may continue in future quarters due to the inherently unpredictable and continually evolving market conditions. Further, if the actuarial assumptions made by a state in implementing a rate or benefit change are incorrect or quickly become outdated, or if they are at variance with or do not keep pace with the prevailing medical cost trend or particular utilization patterns of the members of one or more of our health plans, our medical margins could be reduced or eliminated. In addition, a state could increase hospital or other provider reimbursement without making a commensurate increase in the reimbursement paid to us, could lower our rates without making a commensurate reduction in the rates paid to hospitals or other providers, could delay the processing of rate changes, or could even make a retroactive rate adjustment or recoupment with regard to a period where we thought the payment amount was final. Insufficient rate increases, a continuing spike in medical care costs or utilization that outpace our rate increases, or retroactive rate reductions or recoupments in one or more of the states in which we operate, could have a material adverse effect on our business, financial condition, cash flows, or results of operations.

Our premium revenues consist of fixed monthly payments per member, and supplemental payments for other services such as maternity deliveries. These premiums are fixed by contract, and we are obligated during the contract periods to provide healthcare services as established by the state governments in which our health plans operate. We use a large portion of our revenues to pay the costs of healthcare services delivered to our members. If premiums do not increase when expenses related to healthcare services rise, our medical margins will be compressed, and our earnings will be negatively affected. If the actuarial assumptions made by a state in implementing a rate or benefit change or update are incorrect or are at variance with the prevailing medical cost trend or particular utilization patterns of the members of one or more of our health plans, our medical margins could be reduced. In addition, a state could increase hospital or other provider rates without making a commensurate increase in the rates paid to us, could lower our rates without making a commensurate reduction in the rates paid to hospitals or other providers, or could delay the processing of rate changes. Any of these rate adjustments in one or more of the states in which we operate could have a material adverse effect on our business, financial condition, cash flows, or results of operations.