Our Restated Certificate of Incorporation provides that, with respect to the election of directors, holders of Class A Common Stock vote as a class with the holders of Class C Common Stock, and holders of Class B Common Stock vote as a class with holders of Class D Common Stock,…
Read full text
Our Restated Certificate of Incorporation provides that, with respect to the election of directors, holders of Class A Common Stock vote as a class with the holders of Class C Common Stock, and holders of Class B Common Stock vote as a class with holders of Class D Common Stock, with holders of all classes of our Common Stock entitled to one vote per share. As of March 17, 2025, the shares of Class A and Class C Common Stock, which constituted 11.1% of the aggregate outstanding shares of our Common Stock, had the right to elect five members of the Board of Directors and constituted 90.8% of our general voting power as of that date. Also as of that date, the shares of Class B and Class D Common Stock (excluding shares issuable upon exercise of options), which constituted 88.9% of the outstanding shares of our Common Stock, had the right to elect two members of the Board of Directors and constituted 9.2% of our general voting power as of that date. As to matters other than the election of directors, our Restated Certificate of Incorporation provides that holders of Class A, Class B, Class C and Class D Common Stock all vote together as a single class, except as otherwise provided by law. Each share of Class A Common Stock entitles the holder thereof to one vote; each share of Class B Common Stock entitles the holder thereof to one-tenth of a vote; each share of Class C Common Stock entitles the holder thereof to 100 votes (provided the holder of Class C Common Stock holds a number of shares of Class A Common Stock equal to ten times the number of shares of Class C Common Stock that holder holds); and each share of Class D Common Stock entitles the holder thereof to ten votes (provided the holder of Class D Common Stock holds a number of shares of Class B Common Stock equal to ten times the number of shares of Class D Common Stock that holder holds). In the event a holder of Class C or Class D Common Stock holds a number of shares of Class A or Class B Common Stock, respectively, less than ten times the number of shares of Class C or Class D Common Stock that holder holds, then that holder will be entitled to only one vote for every share of Class C Common Stock, or one-tenth of a vote for every share of Class D Common Stock, which that holder holds in excess of one-tenth the number of shares of Class A or Class B Common Stock, respectively, held by that holder. The Board of Directors, in its discretion, may require beneficial owners to provide satisfactory evidence that such owner holds ten times as many shares of Class A or Class B Common Stock as Class C or Class D Common Stock, respectively, if such facts are not apparent from our stock records. Since a substantial majority of the Class A shares and Class C shares are controlled by Mr. Alan B. Miller and members of his family, one of whom is Marc D. Miller, our Chief Executive Officer, President and a director, and they can elect a majority of our company’s directors and effect or reject most actions requiring approval by stockholders without the vote of any other stockholders, there are potential conflicts of interest in overseeing the management of our company. 26 26 In addition, because this concentrated control could discourage others from initiating any potential merger, takeover or other change of control transaction that may otherwise be beneficial to our businesses, our business and prospects and the trading price of our securities could be adversely affected.ITEM 1B. Unresolved Staff CommentsNone.ITEM 1C. CybersecurityCybersecurity risk management and strategyProtecting our data, which includes information related to our patients, members, and customers, is a primary area of our focus. Given the critical nature of this information, we have developed and implemented a robust cybersecurity risk management program to assess, identify, and manage risks associated with cybersecurity threats as identified in Item 106(a) of Regulation S-K. Our cybersecurity program is designed to support the confidentiality, integrity, availability, and resilience of our information systems and the continuity of our operations, including those supporting patient care. Cybersecurity is an important and integrated part of our risk management program that identifies, monitors and mitigates business, operational and legal risks. Our cybersecurity risk management program incorporates a multi-tiered governance and risk assessment structure, including ongoing evaluation of applicable laws and regulations, internal policies and standards, technical vulnerabilities, threat intelligence, and resource adequacy. Such risks include operational, intellectual property theft, fraud, risks that have potential unfavorable impacts on our employees and/or patients, and violation of data privacy or security laws. To address cybersecurity risks facing our organization, we have adopted a risk-informed and continuously evolving assessment process. We engage a third party to conduct a bi-annual National Institute of Technology-Cyber Security Framework assessment to determine the effectiveness of our program and related controls. The results of that assessment are reviewed by management and used to formulate prioritization of remediation efforts, strategic initiatives, and cybersecurity investments. Likewise, annual penetration tests occur to review the efficacy of our technical controls, results which are reviewed by management and resolved in a timely manner. Other factors that feed into our risk management practices are also operational events and incidents, which can lead to controls being reviewed and enhanced.Our risk management practices also incorporate lessons learned from operational events, cybersecurity incidents, near misses, and changes in the external threat landscape, including emerging risks associated with ransomware, supply-chain dependencies, and the increasing use of artificial intelligence by threat actors. We have a mature incident response and recovery program in place in the event a cybersecurity incident occurs. This program defines roles, responsibilities and action plans designed to contain and eradicate the issue and then restore systems, in the event of a major disruption, in a timely manner. Our response planning emphasizes resilience and the ability to maintain critical operations, including clinical and patient-facing services, during and following a cybersecurity event. We regularly conduct tabletop exercises to simulate responses to an incident and implement any insight gained from those exercises to improve our recovery practices. As part of these processes, we regularly engage with assessors, consultants, auditors, and other third parties to review our cybersecurity program to help identify areas for continued focus, improvement, and compliance.We maintain a commercial cybersecurity insurance policy that provides for coverage for losses sustained from cybersecurity incidents, subject to certain deductibles and limitations. However, costs and damages associated with cybersecurity incidents could exceed our commercial insurance coverage which could have a material adverse effect on our business, financial position and results of operations. Third parties who provide services and solutions to our organization are also a source of cyber risk. Through a third-party risk management program, we review risks associated with these third parties through contractual reviews, vendor risk assessments, and continual risk reviews by monitoring the cybersecurity risk exposure these third parties pose and implementing remediation where necessary. Our program also considers risks arising from vendor concentration and systemic dependencies on third-party service providers supporting critical business and clinical functions, and we seek to implement remediation or risk mitigation measures where appropriate.Based on the information available as of the date of this Form 10-K, during our fiscal year 2025 and through the date of this filing, we did not identify any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents (as such terms are defined in Item 106(a) of Regulation S-K), that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. In making this determination, we considered both quantitative and qualitative factors, including potential impacts to patient care, regulatory compliance, operational continuity, financial performance, and reputation. For more information on risks to us from cybersecurity threats, see “Risks Related to Information Technology - A cyber In addition, because this concentrated control could discourage others from initiating any potential merger, takeover or other change of control transaction that may otherwise be beneficial to our businesses, our business and prospects and the trading price of our securities could be adversely affected. ITEM 1B. Unresolved Staff Comments None. ITEM 1C. CybersecurityCybersecurity risk management and strategyProtecting our data, which includes information related to our patients, members, and customers, is a primary area of our focus. Given the critical nature of this information, we have developed and implemented a robust cybersecurity risk management program to assess, identify, and manage risks associated with cybersecurity threats as identified in Item 106(a) of Regulation S-K. Our cybersecurity program is designed to support the confidentiality, integrity, availability, and resilience of our information systems and the continuity of our operations, including those supporting patient care. Cybersecurity is an important and integrated part of our risk management program that identifies, monitors and mitigates business, operational and legal risks. Our cybersecurity risk management program incorporates a multi-tiered governance and risk assessment structure, including ongoing evaluation of applicable laws and regulations, internal policies and standards, technical vulnerabilities, threat intelligence, and resource adequacy. Such risks include operational, intellectual property theft, fraud, risks that have potential unfavorable impacts on our employees and/or patients, and violation of data privacy or security laws. To address cybersecurity risks facing our organization, we have adopted a risk-informed and continuously evolving assessment process. We engage a third party to conduct a bi-annual National Institute of Technology-Cyber Security Framework assessment to determine the effectiveness of our program and related controls. The results of that assessment are reviewed by management and used to formulate prioritization of remediation efforts, strategic initiatives, and cybersecurity investments. Likewise, annual penetration tests occur to review the efficacy of our technical controls, results which are reviewed by management and resolved in a timely manner. Other factors that feed into our risk management practices are also operational events and incidents, which can lead to controls being reviewed and enhanced.Our risk management practices also incorporate lessons learned from operational events, cybersecurity incidents, near misses, and changes in the external threat landscape, including emerging risks associated with ransomware, supply-chain dependencies, and the increasing use of artificial intelligence by threat actors. We have a mature incident response and recovery program in place in the event a cybersecurity incident occurs. This program defines roles, responsibilities and action plans designed to contain and eradicate the issue and then restore systems, in the event of a major disruption, in a timely manner. Our response planning emphasizes resilience and the ability to maintain critical operations, including clinical and patient-facing services, during and following a cybersecurity event. We regularly conduct tabletop exercises to simulate responses to an incident and implement any insight gained from those exercises to improve our recovery practices. As part of these processes, we regularly engage with assessors, consultants, auditors, and other third parties to review our cybersecurity program to help identify areas for continued focus, improvement, and compliance.We maintain a commercial cybersecurity insurance policy that provides for coverage for losses sustained from cybersecurity incidents, subject to certain deductibles and limitations. However, costs and damages associated with cybersecurity incidents could exceed our commercial insurance coverage which could have a material adverse effect on our business, financial position and results of operations. Third parties who provide services and solutions to our organization are also a source of cyber risk. Through a third-party risk management program, we review risks associated with these third parties through contractual reviews, vendor risk assessments, and continual risk reviews by monitoring the cybersecurity risk exposure these third parties pose and implementing remediation where necessary. Our program also considers risks arising from vendor concentration and systemic dependencies on third-party service providers supporting critical business and clinical functions, and we seek to implement remediation or risk mitigation measures where appropriate.Based on the information available as of the date of this Form 10-K, during our fiscal year 2025 and through the date of this filing, we did not identify any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents (as such terms are defined in Item 106(a) of Regulation S-K), that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. In making this determination, we considered both quantitative and qualitative factors, including potential impacts to patient care, regulatory compliance, operational continuity, financial performance, and reputation. For more information on risks to us from cybersecurity threats, see “Risks Related to Information Technology - A cyber ITEM 1C. Cybersecurity Cybersecurity risk management and strategy Protecting our data, which includes information related to our patients, members, and customers, is a primary area of our focus. Given the critical nature of this information, we have developed and implemented a robust cybersecurity risk management program to assess, identify, and manage risks associated with cybersecurity threats as identified in Item 106(a) of Regulation S-K. Our cybersecurity program is designed to support the confidentiality, integrity, availability, and resilience of our information systems and the continuity of our operations, including those supporting patient care. Cybersecurity is an important and integrated part of our risk management program that identifies, monitors and mitigates business, operational and legal risks. Cybersecurity is an important and integrated integrated part of our risk management program that identifies, monitors and mitigates business, operational and legal risks. Our cybersecurity risk management program incorporates a multi-tiered governance and risk assessment structure, including ongoing evaluation of applicable laws and regulations, internal policies and standards, technical vulnerabilities, threat intelligence, and resource adequacy. Such risks include operational, intellectual property theft, fraud, risks that have potential unfavorable impacts on our employees and/or patients, and violation of data privacy or security laws. To address cybersecurity risks facing our organization, we have adopted a risk-informed and continuously evolving assessment process. We engage a third party to conduct a bi-annual National Institute of Technology-Cyber Security Framework assessment to determine the effectiveness of our program and related controls. The results of that assessment are reviewed by management and used to formulate prioritization of remediation efforts, strategic initiatives, and cybersecurity investments. Likewise, annual penetration tests occur to review the efficacy of our technical controls, results which are reviewed by management and resolved in a timely manner. Other factors that feed into our risk management practices are also operational events and incidents, which can lead to controls being reviewed and enhanced. third party Our risk management practices also incorporate lessons learned from operational events, cybersecurity incidents, near misses, and changes in the external threat landscape, including emerging risks associated with ransomware, supply-chain dependencies, and the increasing use of artificial intelligence by threat actors. We have a mature incident response and recovery program in place in the event a cybersecurity incident occurs. This program defines roles, responsibilities and action plans designed to contain and eradicate the issue and then restore systems, in the event of a major disruption, in a timely manner. Our response planning emphasizes resilience and the ability to maintain critical operations, including clinical and patient-facing services, during and following a cybersecurity event. We regularly conduct tabletop exercises to simulate responses to an incident and implement any insight gained from those exercises to improve our recovery practices. As part of these processes, we regularly engage with assessors, consultants, auditors, and other third parties to review our cybersecurity program to help identify areas for continued focus, improvement, and compliance. We maintain a commercial cybersecurity insurance policy that provides for coverage for losses sustained from cybersecurity incidents, subject to certain deductibles and limitations. However, costs and damages associated with cybersecurity incidents could exceed our commercial insurance coverage which could have a material adverse effect on our business, financial position and results of operations. Third parties who provide services and solutions to our organization are also a source of cyber risk. Through a third-party risk management program, we review risks associated with these third parties through contractual reviews, vendor risk assessments, and continual risk reviews by monitoring the cybersecurity risk exposure these third parties pose and implementing remediation where necessary. Our program also considers risks arising from vendor concentration and systemic dependencies on third-party service providers supporting critical business and clinical functions, and we seek to implement remediation or risk mitigation measures where appropriate. Third parties who provide services and solutions to our organization are also a source of cyber risk. Through a third-party risk management program, we review risks associated with these third parties through contractual reviews, vendor risk assessments, and continual risk reviews by monitoring the cybersecurity risk exposure these third parties pose and implementing remediation where necessary. Our program also considers risks arising from vendor concentration and systemic dependencies on third-party service providers supporting critical business and clinical functions, and we seek to implement remediation or risk mitigation measures where appropriate. Based on the information available as of the date of this Form 10-K, during our fiscal year 2025 and through the date of this filing, we did not identify any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents (as such terms are defined in Item 106(a) of Regulation S-K), that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. In making this determination, we considered both quantitative and qualitative factors, including potential impacts to patient care, regulatory compliance, operational continuity, financial performance, and reputation. For more information on risks to us from cybersecurity threats, see “Risks Related to Information Technology - A cyber did not identify any risks 27 27 security incident could cause a violation of HIPAA, breach of patient or other persons privacy, or other negative impacts.” under “Item 1A. Risk Factors.” Governance of CybersecurityCybersecurity is an integral part of our enterprise risk management program and is an area of focus for our Board of Directors and management. The Audit Committee of our Board of Directors is responsible for oversight of risks from cybersecurity threats. Members of the Audit Committee receive regular updates, including quarterly briefings from our Chief Information Security Officer (“CISO”), regarding cybersecurity matters such as the evolving threat landscape, significant risks, incidents, control maturity, and progress against key cybersecurity initiatives. The Audit Committee provides oversight of management’s approach to mitigating cybersecurity risks and enhancing the organization’s cyber resilience. Senior executive leadership also engage in periodic and ad-hoc discussions with management on cybersecurity topics, including incident response readiness, regulatory developments, and strategic initiatives. In addition, the Board of Directors receives an annual briefing on cybersecurity risks, program maturity, and related governance matters.Our cybersecurity risk management and strategy processes are overseen by our CISO along with leaders from our information security, compliance, legal and internal audit teams. These leaders collectively possess substantial experience across information security, healthcare compliance, risk management, audit, and technology operations.. They are responsible for monitoring the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including oversight of our incident response and recovery capabilities.ITEM 2. PropertiesExecutive and Administrative Offices and Commercial Health InsurerWe own various office buildings in King of Prussia and Wayne, Pennsylvania, Brentwood, Tennessee, Denton, Texas and Reno, Nevada. Facilities The following tables set forth the name, location, type of facility and, for acute care hospitals and behavioral health care facilities, the number of licensed beds: Acute Care Hospitals Name of Facility Location Number ofBeds RealPropertyOwnershipInterest Aiken Regional Medical Centers (1) Aiken, South Carolina 211 Leased Aurora Pavilion Behavioral Health Services (1) Aiken, South Carolina 62 Leased ER at Sweetwater North Augusta, South Carolina — Owned Cedar Hill Regional Medical Center Washington, D.C. 142 Leased Centennial Hills Hospital Medical Center Las Vegas, Nevada 339 Owned ER at Valley Vista North Las Vegas, Nevada — Owned ER at West Craig Las Vegas, Nevada — Owned Corona Regional Medical Center Corona, California 259 Owned Desert View Hospital Pahrump, Nevada 25 Owned Doctors Hospital of Laredo (6) Laredo, Texas 183 Owned Doctors Hospital Emergency Room Saunders Laredo, Texas — Owned Doctors Hospital Emergency Room South Laredo, Texas — Leased Doctors Hospital Emergency Room Wright Ranch Laredo, Texas — Owned Fort Duncan Regional Medical Center Eagle Pass, Texas 101 Owned The George Washington University Hospital (16) Washington, D.C. 395 Leased Henderson Hospital Henderson, Nevada 303 Owned ER at Cadence Henderson, Nevada — Owned ER at Green Valley Ranch Henderson, Nevada — Owned Lakewood Ranch Medical Center Lakewood Ranch, Florida 120 Owned security incident could cause a violation of HIPAA, breach of patient or other persons privacy, or other negative impacts.” under “Item 1A. Risk Factors.” Governance of CybersecurityCybersecurity is an integral part of our enterprise risk management program and is an area of focus for our Board of Directors and management. The Audit Committee of our Board of Directors is responsible for oversight of risks from cybersecurity threats. Members of the Audit Committee receive regular updates, including quarterly briefings from our Chief Information Security Officer (“CISO”), regarding cybersecurity matters such as the evolving threat landscape, significant risks, incidents, control maturity, and progress against key cybersecurity initiatives. The Audit Committee provides oversight of management’s approach to mitigating cybersecurity risks and enhancing the organization’s cyber resilience. Senior executive leadership also engage in periodic and ad-hoc discussions with management on cybersecurity topics, including incident response readiness, regulatory developments, and strategic initiatives. In addition, the Board of Directors receives an annual briefing on cybersecurity risks, program maturity, and related governance matters.Our cybersecurity risk management and strategy processes are overseen by our CISO along with leaders from our information security, compliance, legal and internal audit teams. These leaders collectively possess substantial experience across information security, healthcare compliance, risk management, audit, and technology operations.. They are responsible for monitoring the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including oversight of our incident response and recovery capabilities. security incident could cause a violation of HIPAA, breach of patient or other persons privacy, or other negative impacts.” under “Item 1A. Risk Factors.” Governance of Cybersecurity Cybersecurity is an integral part of our enterprise risk management program and is an area of focus for our Board of Directors and management. The Audit Committee of our Board of Directors is responsible for oversight of risks from cybersecurity threats. Members of the Audit Committee receive regular updates, including quarterly briefings from our Chief Information Security Officer (“CISO”), regarding cybersecurity matters such as the evolving threat landscape, significant risks, incidents, control maturity, and progress against key cybersecurity initiatives. The Audit Committee provides oversight of management’s approach to mitigating cybersecurity risks and enhancing the organization’s cyber resilience. Senior executive leadership also engage in periodic and ad-hoc discussions with management on cybersecurity topics, including incident response readiness, regulatory developments, and strategic initiatives. In addition, the Board of Directors receives an annual briefing on cybersecurity risks, program maturity, and related governance matters. Cybersecurity is an integral part of our enterprise risk management program and is an area of focus for our Board of Directors and management. The Audit Committee of our Board of Directors is responsible for oversight of risks from cybersecurity threats. Members of the Audit Committee receive regular updates, including quarterly briefings from our Chief Information Security Officer (“CISO”), regarding cybersecurity matters such as the evolving threat landscape, significant risks, incidents, control maturity, and progress against key cybersecurity initiatives. The Audit Committee provides oversight of management’s approach to mitigating cybersecurity risks and enhancing the organization’s cyber resilience. Senior executive leadership also engage in periodic and ad-hoc discussions with management on cybersecurity topics, including incident response readiness, regulatory developments, and strategic initiatives. In addition, the Board of Directors receives an annual briefing on cybersecurity risks, program maturity, and related governance matters. Board of Directors is responsible responsible for oversight of risks from cybersecurity threats. Members of the Audit Committee receive regular updates, including quarterly briefings from our Chief Information Security Officer (“CISO”), regarding cybersecurity matters such as the evolving threat landscape, significant risks, incidents, control maturity, and progress against key cybersecurity initiatives. Members of the Audit Committee receive regular updates, including quarterly briefings from our Chief Information Security Officer (“CISO”), regarding cybersecurity matters such as the evolving threat landscape, significant risks, incidents, control maturity, and progress against key cybersecurity initiatives. The Audit Committee provides oversight of management’s approach to mitigating cybersecurity risks and enhancing the organization’s cyber resilience. Senior executive leadership also engage in periodic and ad-hoc discussions with management on cybersecurity topics, including incident response readiness, regulatory developments, and strategic initiatives. Board of Directors receives an annual briefing on cybersecurity risks, program maturity, and related governance matters. Our cybersecurity risk management and strategy processes are overseen by our CISO along with leaders from our information security, compliance, legal and internal audit teams. These leaders collectively possess substantial experience across information security, healthcare compliance, risk management, audit, and technology operations.. They are responsible for monitoring the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including oversight of our incident response and recovery capabilities. Our cybersecurity risk management and strategy processes are overseen by our CISO along with leaders from our information security, compliance, legal and internal audit teams. These leaders collectively possess substantial experience across information security, healthcare compliance, risk management, audit, and technology operations.. They are responsible for monitoring the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including oversight of our incident response and recovery capabilities. Our cybersecurity risk management and strategy processes are overseen by our CISO along with leaders from our information security, compliance, legal and internal audit teams. These leaders collectively possess substantial experience across information security, healthcare compliance, risk management, audit, and technology operations.. They are responsible for monitoring the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including oversight of our incident response and recovery capabilities. ITEM 2. Properties