ITEM 1A. RISK FACTORS.
Before you invest in our securities, you should be aware that there are various risks. You should carefully consider these risk factors, together with all of the other information included in this Annual Report on Form 10-K, before you decide to purchase our securities. If any of the following risks and uncertainties develop into actual events, our business, financial condition or results of operations could be materially adversely affected.
RISKS RELATED TO OUR BUSINESS
The Company has limited operating history and has a new business model in an emerging and rapidly evolving market.
MediXall is an early-stage development enterprise and lacks any operating history that could be used to evaluate our future prospects. Our business and prospects must be considered in light of the risks and difficulties MediXall will encounter as a development stage company in a new and rapidly evolving market. We may not be able to successfully address these risks and difficulties, which could materially harm our business and operating results. In addition, we do not know whether our business model will operate effectively during the next economic downturn. Furthermore, we are unable to predict the likely duration and severity of any potential adverse economic conditions in the U.S. and other countries, but the longer the duration, the greater the risks we face in operating our business. There can be no assurance, therefore, that current economic conditions or worsening economic conditions, or a prolonged or recurring recession, will not have a significant adverse impact on our operating and financial results.
Limited Control of Our Business Model and Dependence on Third Parties.
We do not directly perform the services we sell to our customers; we rely on third parties to provide them. As such, we are highly dependent on our relationships with multiple parties, including their ability to provide the services to our customers, their financial viability, their pricing, and the quality of the services they provide, including exposure to professional malpractice. We could be materially harmed if these third parties are unable to provide such services at a price we can afford. We could be materially harmed if they provide poor service to our customers, which could lead to cancellation of our service agreements. We could also face vicarious legal, reputational, and financial risk if services provided through our third-party relationships place us in adverse conditions.
Our auditors have indicated that there is substantial doubt about our ability to continue as a going concern.
To date, we have not been profitable and have incurred significant losses and cash flow deficits. For the fiscal years ended December 31, 2023 and 2022, we generated operating revenues of $309,422 and $59,268, respectively, and reported net losses of $4,563,406 and $6,830,415, respectively, and negative cash flow from operating activities of $1,229,546 and $3,561,083, respectively. As noted in our consolidated financial statements, as of December 31, 2023, we had an accumulated deficit of $37.2 million. We anticipate that we will continue to report losses and negative cash flow into 2024. Our auditors have raised substantial doubt regarding our ability to continue as a going concern as a result of our historical recurring losses and negative cash flows from operations as well as our dependence on private equity and financing.
Our consolidated financial statements do not include any adjustments that might result from the outcome of this uncertainty. These adjustments would likely include substantial impairment of the carrying amount of our assets and potential contingent liabilities that may arise if we are unable to fulfill various operational commitments. In addition, the value of our securities, including common stock issued in this offering, would be greatly impaired. Our ability to continue as a going concern is dependent upon generating sufficient cash flow from operations and obtaining additional capital and financing, including funds to be raised in this offering. If our ability to generate cash flow from operations is delayed or reduced and we are unable to raise additional funding from other sources, we may be unable to continue in business even if this offering is successful. For further discussion about our ability to continue as a going concern and our plan for future liquidity, see “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Ability to Continue as a Going Concern.”
We cannot assure you that MediXall will be able to develop the infrastructure necessary to achieve the potential sales growth.
Achieving revenue will require that MediXall develop a functional platform and build the necessary infrastructure to support sales, technical and client support functions. We cannot assure you that we can develop this infrastructure or will have the capital to do so, and no commitments for needed capital are in place. MediXall will continue to design plans to establish growth, adding sales and sales support resources as capital permits, but at this time these plans are untested. If MediXall is unable to use any of its anticipated marketing initiatives, if the cost of such initiatives were to significantly increase, or if such initiatives or its efforts to satisfy existing clients are not successful, MediXall may not be able to attract clients or retain existing clients on a cost-effective basis and, as a result, our revenue and results of operations would be adversely affected.
The markets that MediXall is targeting for revenue opportunities are emerging within a well-established healthcare industry, are rapidly developing and may change before we can access them.
The markets for traditional internet and mobile web products and services that MediXall is targeting for revenue opportunities are changing rapidly, and the barriers to entry into the niche identified by MediXall are high and require unique experience and qualifications. We cannot provide assurance that MediXall will be able to realize these revenue opportunities before they change or before other companies enter or even dominate the market. Furthermore, MediXall has based certain of its revenue opportunities on statistics provided by third-party industry sources. Such statistics are based on ever-changing customer preferences in our rapidly changing industry. With the introduction of new technologies and the influx of new entrants to the market, we expect competition to emerge and intensify in the future, which could adversely affect our ability to increase sales, limit client attrition and maintain our prices.
Our business depends on the development and maintenance of the internet infrastructure.
The success of our services will depend largely on the development and maintenance of the internet infrastructure. This includes maintenance of a reliable network backbone with the necessary speed, data capacity and security, as well as timely development of complementary products, for providing reliable internet access and services. The internet has experienced, and is likely to continue to experience, significant growth in the number of users and amount of traffic. The internet infrastructure may be unable to support such demands. In addition, increasing numbers of users, increasing bandwidth requirements or problems caused by viruses, worms, malware and similar programs may harm the performance of the internet. The backbone computers of the internet have been the targets of such programs. The internet has experienced a variety of outages and other delays as a result of damage to portions of its infrastructure, and it could face outages and delays in the future. These outages and delays could reduce the level of internet usage generally as well as the level of usage of our services, which could adversely affect our business.
The nature of the MediXall platform requires sophisticated encryption and other data-protection technology to defend against hacking, because of the personal information and financial transaction data that will be handled on behalf of each consumer/patient.
Attacks against databases for the purpose of obtaining personal and financial information on individuals are increasing substantially. MediXall is aware of these risks and will invest substantially in the development of its platform in accordance with current data encryption and protection technologies; however, no set of controls eliminates the risk, and there is a real risk that the MediXall platform could be compromised at some point, exposing the company to lawsuits and unfavorable attention that would adversely impact our business and affect our ability to add clients and consumer/patients or manage attrition on the platform.
Our ability to offer MediXall products and services may be affected by a variety of U.S. laws.
The laws relating to the liability of providers of online and mobile marketing services for activities of their users are in their infancy and currently unsettled within the U.S. Future regulations could affect our ability to provide current or future programming.
We will depend on the services of our executives and outside contractors and providers.
We depend on the services of our executive officers, directors, and outside contractors and providers. The loss of the services of any of our executives could materially harm our business. In addition, we do not presently maintain a key-man life insurance policy on any of our officers or directors.
Our future depends, in part, on our ability to attract and retain key personnel. Our future also depends on the continued contributions of other key technical and marketing personnel. The loss of key personnel and the process to replace any of our key personnel would involve significant time and expense, may take longer than anticipated and may significantly delay or prevent the achievement of our business objectives.
Failure to properly maintain effective and secure management information systems, update or expand processing capability or develop new capabilities to meet our business needs could result in operational disruptions and possible loss of data critical to our operations.
Our business will depend significantly on effective and secure information systems and the successful application of these continuously emerging technologies. In the future, these systems could support online customer service functions, provider and member administrative functions and support tracking and extensive analyses of medical expenses and outcome data.
These information systems and applications will require continual investment for maintenance, upgrades and enhancement to meet our operational needs and to handle our expansion and growth. Any inability or failure to properly maintain management information systems, successfully update or expand processing capability or develop new capabilities to meet our business needs in a timely manner could result in operational disruptions, loss of existing customers, difficulty in attracting new customers, impairment of the implementation of our growth strategies, delays in settling disputes with customers and providers, regulatory problems, increases in administrative expenses, loss of our ability to produce timely and accurate reports and other adverse consequences. To the extent a failure in maintaining information systems occurs, we may need to contract for these services with third-party management companies, which may be on less favorable terms to us and may significantly disrupt our operations and information flow. Furthermore, our business requires the secure transmission of confidential information over public networks. Because of the confidential information we store and transmit, security breaches could expose us to the risk of regulatory action, possible liability and loss. Our security measures may prove inadequate to prevent security breaches, and our business operations would be adversely affected by cancellation of contracts, loss of members and potential criminal and civil sanctions if security breaches occur.
General economic conditions, industry cycles, financial, business, and other factors affecting our operations, many of which are beyond our control, may affect our future performance.
General economic conditions, industry cycles, financial, business, and other factors may affect our operations. If we cannot generate sufficient cash flow from operations in the future, we may, among other things, be required to take one or more of the following actions:
seek additional financing in the debt or equity markets;
refinance or restructure all or a portion of our indebtedness;
sell selected assets;
reduce or delay planned capital expenditures; or,
discontinue operations.
In addition, any financing, refinancing, or sale of assets might not be available on economically favorable terms, which may prevent us from future expansion and growth in new markets and, thus, negatively affect our business and financial condition.
Risks Related to Our Intellectual Property
If we are unable to prevent unauthorized use or disclosure of our proprietary trade secrets and unpatented know-how, our ability to compete will be harmed.
Proprietary trade secrets, copyrights, trademarks, and unpatented know-how are also very important to our business. We will rely on a combination of patents, trade secrets, copyrights, trademarks, confidentiality agreements, and other contractual provisions and technical security measures to protect certain aspects of our intellectual property, especially where we do not believe that patent protection is appropriate or obtainable. We will require our employees and consultants to execute confidentiality agreements in connection with their employment or consulting relationships with us. We also will require our employees and consultants to disclose and assign to us all inventions conceived during the term of their employment or engagement while using our property or which relate to our business; however, these measures may not be adequate to safeguard our proprietary intellectual property, and conflicts may nonetheless arise regarding ownership of inventions. Such conflicts may lead to the loss or impairment of our intellectual property or to expensive litigation to defend our rights against competitors who may be better funded and have greater resources. Our employees, consultants, contractors and other advisors may disclose our confidential information to competitors. In addition, confidentiality agreements may be unenforceable or may not provide an adequate remedy in the event of disclosure. Enforcing a claim that a third party obtained and is using our trade secrets is expensive and time consuming, and the outcome is unpredictable. Moreover, our competitors may independently develop equivalent knowledge, methods and know-how. Third parties may also attempt to copy or reverse-engineer certain aspects of the MediXall platform that we consider proprietary. As a result, third parties may attempt to use our proprietary technology or information, and our ability to compete in the market would be adversely affected.
RISKS RELATED TO OUR COMMON STOCK
Trading on the OTC Markets is volatile and sporadic, which could depress the market price of our common stock and make it difficult for our stockholders to resell their common stock.
Our common stock is quoted on the OTCPK tier of the OTC Markets Group, Inc. (“OTC Markets”). Trading in securities quoted on the OTC Markets is often thin and characterized by wide fluctuations in trading prices, due to many factors, some of which may have little to do with our operations or business prospects. This volatility could depress the market price of our common stock for reasons unrelated to operating performance. Moreover, the OTC Markets is not a stock exchange, and trading of securities on the OTC Markets is often more sporadic than the trading of securities listed on a quotation system like the Nasdaq Capital Market or a stock exchange like the NYSE American. These factors may result in investors having difficulty reselling any shares of our common stock. Our common stock is not currently listed on a national securities exchange.
Our stock price is likely to be highly volatile because of several factors, including a limited public float.
The market price of our common stock has been volatile in the past and the market price of our common stock is likely to be highly volatile in the future. You may not be able to resell shares of our common stock following periods of volatility because of the market’s adverse reaction to volatility.
Other factors that could cause such volatility may include, among other things:
actual or anticipated fluctuations in our operating results;
we may have a low trading volume for a number of reasons, including that a large portion of our stock is closely held;
overall stock market fluctuations;
announcements concerning our business or those of our competitors;
actual or perceived limitations on our ability to raise capital when we require it, and to raise such capital on favorable terms;
conditions or trends in the industry;
litigation;
changes in market valuations of other similar companies;
future sales of common stock;
departure of key personnel or failure to hire key personnel; and,
general market conditions.
Any of these factors could have a significant and adverse impact on the market price of our common stock. In addition, the stock market in general has at times experienced extreme volatility and rapid decline that has often been unrelated or disproportionate to the operating performance of particular companies. These broad market fluctuations may adversely affect the trading price of our common stock, regardless of our actual operating performance.
Our common stock is a “penny stock” under SEC rules, and our warrants may be subject to the “penny stock” rules. It may be more difficult to resell securities classified as “penny stock.”
Our common stock is deemed to be a “penny stock” under applicable SEC rules (generally defined as non-exchange traded stock with a per-share price below $5.00). Unless we successfully list our common stock on a national stock exchange, or maintain a per-share price above $5.00, these rules impose additional sales practice requirements on broker-dealers that recommend the purchase or sale of penny stocks to persons other than those who qualify as “established customers” or “accredited investors.” For example, broker-dealers must determine the suitability of investments in penny stocks for non-qualifying persons. Broker-dealers must also provide, prior to a transaction in a penny stock not otherwise exempt from the rules, a standardized risk disclosure document that provides information about penny stocks and the risks in the penny stock market. The broker-dealer also must provide the customer with current bid and offer quotations for the penny stock, disclose the compensation of the broker-dealer and its salesperson in the transaction, furnish monthly account statements showing the market value of each penny stock held in the customer’s account, provide a special written determination that the penny stock is a suitable investment for the purchaser, and receive the purchaser’s written agreement to the transaction.
Legal remedies available to an investor in “penny stocks” may include the following:
If a “penny stock” is sold to the investor in violation of the requirements listed above, or of other federal or state securities laws, the investor may be able to cancel the purchase and receive a refund of the investment.
If a “penny stock” is sold to the investor in a fraudulent manner, the investor may be able to sue the persons and firms that committed the fraud for damages.
However, investors who have signed arbitration agreements may have to pursue their claims through arbitration.
These requirements may have the effect of reducing the level of trading activity, if any, in the secondary market for a security that becomes subject to the penny stock rules. The additional burdens imposed upon broker-dealers by such requirements may discourage broker-dealers from effecting transactions in our securities, which could severely limit the market price and liquidity of our securities. These requirements may restrict the ability of broker-dealers to sell our common stock and may affect your ability to resell our common stock.
Many brokerage firms will discourage or refrain from recommending investments in penny stocks. Most institutional investors will not invest in penny stocks. In addition, many individual investors will not invest in penny stocks due, among other reasons, to the increased financial risk generally associated with these investments.
For these reasons, penny stocks may have a limited market and, consequently, limited liquidity. We can give no assurance as to when, if ever, our common stock will cease to be classified as a “penny stock.”
The sale of a substantial number of shares of our common stock may cause the price of the common stock to decline.
If our stockholders sell substantial amounts of our common stock in the public market, the market price of our common stock could fall. These sales also may make it more difficult for us to sell our equity or equity-related securities in the future at a time and price that we deem reasonable or appropriate. This risk is significant because of concentrated positions of our common stock held by a small group of investors.
We have not paid dividends on our common stock in the past and do not expect to pay dividends on our common stock in the future. Any return on investment in our common stock may be limited to the value of our common stock.
We have never paid cash dividends on our common stock and do not anticipate paying cash dividends on our common stock in the foreseeable future. The payment of dividends on our common stock would depend on earnings, financial condition, and other business and economic factors affecting us at such time as our board of directors may consider relevant. If we do not pay dividends on our common stock, our common stock may be less valuable because a return on your investment will only occur if its stock price appreciates.
Changes in accounting principles and guidance, or their interpretation, could result in unfavorable accounting charges or effects, including changes to our previously filed financial statements, which could cause our stock price to decline.
We prepare our consolidated financial statements in accordance with accounting principles generally accepted in the United States (“GAAP”). These principles are subject to interpretation by the Securities and Exchange Commission (the “SEC”) and various bodies formed to interpret and create appropriate accounting principles and guidance. A change in these principles or guidance, or in their interpretations, may have a significant effect on our reported results and retroactively affect previously reported results.
Being a public company results in additional expenses, diverts management’s attention, and could also adversely affect our ability to attract and retain qualified directors.
As a public reporting company, we are subject to the reporting requirements of the Securities Exchange Act of 1934, as amended (the “Exchange Act”). These requirements generate significant accounting, legal and financial compliance costs and make some activities more difficult, time-consuming or costly and may place significant strain on our personnel and resources. The Exchange Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. In order to establish the requisite disclosure controls and procedures and internal control over financial reporting, significant resources and management oversight are required.
As a result, management’s attention may be diverted from other business concerns, which could have an adverse and even material effect on our business, financial condition and results of operations. These rules and regulations may also make it more difficult and expensive for us to obtain director and officer liability insurance. If we are unable to obtain appropriate director and officer insurance, our ability to recruit and retain qualified officers and directors, especially those directors who may be deemed independent, could be adversely impacted.
Failure to establish and maintain effective internal controls in accordance with Section 404 of the Sarbanes-Oxley Act could have a material adverse effect on our business and stock price.
We are required to comply with the SEC’s rules implementing Sections 302 and 404 of the Sarbanes-Oxley Act, which require management to certify financial and other information in our quarterly and annual reports and provide an annual management report on the effectiveness of controls over financial reporting.
To comply with the requirements of being a public company, we have undertaken various actions, and may need to take additional actions, such as implementing new internal controls and procedures and hiring additional accounting or internal audit staff. Testing and maintaining internal control can divert our management’s attention from other matters that are important to the operation of our business. Additionally, when evaluating our internal control over financial reporting, we may identify material weaknesses that we may not be able to remediate in time to meet the applicable deadline imposed upon us for compliance with the requirements of Section 404. If we identify any material weaknesses in our internal control over financial reporting, or are unable to comply with the requirements of Section 404 in a timely manner or assert that our internal control over financial reporting is effective, investors may lose confidence in the accuracy and completeness of our financial reports and the market price of our common stock could be negatively affected, and any investigations by the Financial Industry Regulatory Authority, the SEC or other regulatory authorities could require additional financial and management resources.
RISKS RELATED TO HEALTHCARE INDUSTRY
The healthcare regulatory and political framework is uncertain and evolving, and we cannot predict the effect that further healthcare reform and other changes in government programs may have on our business, financial condition, or results of operations.
Healthcare laws and regulations are rapidly evolving and may change significantly in the future, which could adversely affect our financial condition and results of operations. For example, the ACA, which includes a variety of healthcare reform provisions and requirements that may become effective at varying times through 2023, substantially changes the way healthcare is financed by both governmental and private insurers and may significantly impact our industry. Further changes to the ACA and related healthcare regulation remain under consideration. In addition, current proposals to implement a single-payer or “Medicare for all” system in the U.S., if adopted, would likely have a material adverse effect on our business. The full impact of recent healthcare reform and other changes in the healthcare industry and in healthcare spending is unknown, and we are unable to predict accurately what effect the ACA or other healthcare reform measures that may be adopted in the future will have on our business.
The healthcare industry is rapidly evolving and the market for technology-enabled services that empower healthcare consumers is relatively immature and unproven. If we are not successful in promoting and improving the benefits of our platform, our growth may be limited, and our business may be adversely affected.
The market for our products and services is subject to rapid and significant change and competition. The market for technology-enabled services that empower healthcare consumers is characterized by rapid technological change, new product and service introductions, evolving industry standards, changing customer needs, existing competition and the entrance of non-traditional competitors. In addition, there may be a limited-time opportunity to achieve and maintain a significant share of this market due in part to the rapidly evolving nature of the healthcare and technology industries and the substantial resources available to our existing and potential competitors. The market for technology-enabled services that empower healthcare consumers is relatively new and unproven, and it is uncertain whether this market will achieve and sustain high levels of demand and market adoption.
Our success depends to a substantial extent on the willingness of consumers to increase their use of technology platforms to manage their healthcare options, the ability of our platform to increase consumer engagement, and our ability to demonstrate the value of our platform to our potential customers. If customers do not recognize or acknowledge the benefits of our platform or our platform does not drive consumer engagement, then the market for our products and services might develop more slowly than we expect, which could adversely affect our operating results. In addition, we have limited insight into trends that might develop and affect our business. We might make errors in predicting and reacting to relevant business, legal and regulatory trends, which could harm our business. If any of these events occur, it could materially adversely affect our business, financial condition, or results of operations.
Finally, our competitors may have the ability to devote more financial and operational resources than we can to developing new technologies and services, including services that provide improved operating functionality, and adding features to their existing service offerings. If successful, their development efforts could render our services less desirable, resulting in the loss of our existing customers or a reduction in the fees we earn from our products and services.
Failure to comply with extensive and complex healthcare laws and regulations may have a material adverse effect on our business.
Healthcare is an extremely complex and regulated industry in the U.S. There are many laws and regulations that could have a material effect on our business, including but not limited to HIPAA and federal and state regulations controlling patient, provider and intermediary relationships. We have taken, and will continue to take, precautions to ensure compliance with applicable statutes and regulations; however, there is no guarantee we will be successful in our efforts, and even an unintentional violation of law could have a material adverse effect on our operations and business.
We are subject to privacy regulations regarding the access, use and disclosure of personally identifiable information. If we or any of our third-party vendors experience a breach of personally identifiable information, it could result in substantial financial and reputational harm, including possible criminal and civil penalties.
State and federal laws and regulations govern the collection, dissemination, access and use of personally identifiable information, including HIPAA and HITECH, which govern the treatment of protected health information, and the Gramm-Leach-Bliley Act, which governs the treatment of nonpublic personal information. Privacy regulation has become a priority issue in many states, including California, which in 2018 enacted the California Consumer Privacy Act, broadly regulating the sale of California residents’ personal information and providing California residents with various rights to access and delete data. In the provision of services to our customers, we and our third-party vendors may collect, access, use, maintain and transmit personally identifiable information in ways that are subject to many of these laws and regulations. Although we have implemented measures to comply with privacy laws, rules and regulations, we may experience data privacy incidents. Any unauthorized disclosure of personally identifiable information experienced by us or our third-party vendors could result in substantial financial and reputational harm, including possible criminal and civil penalties. In many cases, we are subject to HIPAA and other privacy regulations because we are a business associate providing services to covered entities; as a result, the covered entities direct HIPAA compliance matters in the event of a security incident, which may limit our ability to address issues caused by the incident. Additionally, we may be required to report to partners, regulators, state attorneys general, and impacted individuals, depending on the nature of the incident, our role, legal requirements and contractual obligations. Continued compliance with current and potential new privacy laws, rules and regulations, and meeting consumer expectations with respect to the control of personal data in a rapidly changing technology environment, could result in higher compliance and technology costs for us.
Although we do not provide medical care, we could be a party to medical malpractice claims, which could have a material adverse effect on our business.
We do not provide medical care. Rather, we help connect individuals and employers to providers of medical care, products, and services. However, we could be a party to lawsuits related to the services we provide through our contractors, which could include medical malpractice claims. Such claims could increase our insurance premiums, expose us to legal defense costs, and/or impact the brand of the Company, which could lead to a reduction in the number of customers we have and could have a material adverse effect on our revenues and profits.
Our use and disclosure of personally identifiable information, including health information, and other personal data is subject to federal, state, and foreign privacy and security regulations, and our failure to comply with those regulations or to adequately secure the information we hold could result in significant liability or reputational harm and, in turn, a material adverse effect on our Client base, membership base, and revenue.
Numerous federal, state and foreign laws and regulations govern the collection, dissemination, use, privacy, confidentiality, security, availability, and integrity of PII, including PHI. In particular, in the U.S., HIPAA establishes a set of basic national privacy and security standards for the protection of PHI by health plans, healthcare clearinghouses, and certain healthcare providers, referred to as covered entities, and the business associates with whom such covered entities contract for services, which includes us. HIPAA requires healthcare providers like us to develop and maintain policies and procedures with respect to PHI that is used or disclosed, including the adoption of administrative, physical, and technical safeguards to protect such information. HIPAA also implemented the use of standard transaction code sets and standard identifiers that covered entities must use when submitting or receiving certain electronic healthcare transactions, including activities associated with the billing and collection of healthcare claims.
HIPAA imposes mandatory penalties for certain violations. However, a single breach incident can result in violations of multiple standards, which could result in significant fines. HIPAA also authorizes state attorneys general to file suit on behalf of their residents. Courts will be able to award damages, costs, and attorneys’ fees related to violations of HIPAA in such cases. While HIPAA does not create a private right of action allowing individuals to sue us in civil court for violations of HIPAA, its standards have been used as the basis for duty of care in state civil suits such as those for negligence or recklessness in the misuse or breach of PHI. Any such fines or lawsuits could adversely affect our business, financial condition, results of operations, and reputation.
In addition, HIPAA mandates that the Secretary of HHS conduct periodic compliance audits of HIPAA-covered entities or business associates for compliance with the HIPAA Privacy and Security Standards. It also tasks HHS with establishing a methodology whereby harmed individuals who were the victims of breaches of unsecured PHI may receive a percentage of the Civil Monetary Penalty fine paid by the violator.
HIPAA further requires that patients be notified of any unauthorized acquisition, access, use or disclosure of their unsecured PHI that has more than a low probability of compromising the privacy or security of such information, with certain exceptions related to unintentional or inadvertent use or disclosure by employees or authorized individuals. HIPAA specifies that such notifications must be made “without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.” If a breach affects 500 patients or more, it must be reported to HHS without unreasonable delay, and HHS will post the name of the breaching entity on its public website. Breaches affecting 500 patients or more in the same state or jurisdiction must also be reported to the local media. If a breach involves fewer than 500 people, the covered entity must record it in a log and notify HHS at least annually.
Numerous other federal and state laws protect the confidentiality, privacy, availability, integrity, and security of PII, including PHI and other personal data. These laws in many cases are more restrictive than, and may not be preempted by, the HIPAA rules and may be subject to varying interpretations by courts and government agencies, creating complex compliance issues for us and our Clients and potentially exposing us to additional expense, adverse publicity, and liability. In addition to fines and penalties imposed upon violators, some of these state laws also afford private rights of action to individuals who believe their personal information has been misused. There are many other state-based data privacy and security laws and regulations that may impact our business. All of these evolving compliance and operational requirements impose significant costs that are likely to increase over time, may require us to modify our data processing practices and policies, divert resources from other initiatives and projects, and could restrict the way services involving data are offered, all of which may adversely affect our business, financial condition, and results of operations. For example, U.S. states have begun to introduce more comprehensive data protection laws. The CCPA went into effect in January 2020 and established a new privacy framework for covered businesses such as ours that expands the scope of personal information and provides new privacy rights for California residents. These changes required us to modify our data processing practices and policies and incur compliance-related costs and expenses. The CCPA also provides for civil penalties for violations, as well as a private right of action for data breaches, which may increase the likelihood and cost of data breach litigation.
Additionally, the CPRA went into effect on January 1, 2023 and significantly modifies the CCPA by, among other things, creating a dedicated privacy regulatory agency, requiring businesses to implement data minimization and data integrity principles, and imposing additional requirements for contracts addressing the processing of personal information. Numerous states have enacted, or are currently reviewing, legislation that is similar to the CCPA and/or CPRA. For example, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act became effective in 2023. There are also bills that have been approved or are going through the legislative process in many more states. In 2022, a draft of the American Data Privacy and Protection Act was released; it would be a comprehensive federal data privacy law that seeks to ease the burden of a patchwork of overlapping but different state laws. These changes may result in further uncertainty with respect to privacy, data protection, and information security issues and will require us to incur additional costs and expenses in an effort to comply.
New health information standards, whether implemented pursuant to HIPAA, congressional action, or otherwise, could have a significant effect on the manner in which we must handle healthcare-related data, and the cost of complying with standards could be significant. If we do not comply with existing or new laws and regulations related to PHI, we could be subject to criminal or civil sanctions and our reputation could be harmed.
Because of the extreme sensitivity of the PII we store and transmit, the security features of our technology platform are very important. If our security measures, some of which are managed by third parties, are breached or fail, unauthorized persons may be able to obtain access to sensitive Client and member data, including HIPAA-regulated PHI. As a result, our reputation could be severely damaged, adversely affecting Client and member confidence. Members may curtail their use of, or stop using, our services or our Client base could decrease, which would cause our business to suffer. In addition, we could face litigation, damages for contract breach, penalties, and regulatory actions for violation of HIPAA and other applicable laws or regulations and significant costs for remediation, notification to individuals, and for measures to prevent future occurrences. Any potential security breach could also result in increased costs associated with liability for assets or information, repairing system damage that may have been caused by such breaches, incentives offered to Clients or other business partners in an effort to maintain our business relationships after a breach, and implementing measures to prevent future occurrences, including organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third-party experts and consultants. While we maintain insurance covering certain security and privacy damages and claim expenses, we may not carry insurance or maintain coverage sufficient to compensate for all liability and, in any event, insurance coverage would not address the reputational damage that could result from a security breach.
We outsource important aspects of the storage and transmission of Client and member information, and thus rely on third parties to manage functions that have material cybersecurity risks. We attempt to address these risks by requiring outsourcing subcontractors who handle Client and member information to sign business associate agreements and/or data processing agreements contractually requiring those subcontractors to adequately safeguard personal health data to the same extent that applies to us and in some cases by requiring such outsourcing subcontractors to undergo third-party security examinations. In addition, we periodically hire third-party security experts to assess and test our security posture. However, we cannot assure you that these contractual measures and other safeguards will adequately protect us from the risks associated with the storage and transmission of Client and members’ proprietary and protected health information.
If federal or state regulatory authorities or private litigants consider any portion of these statements to be untrue, we may be subject to claims of deceptive practices, which could lead to significant liabilities and consequences, including, without limitation, costs of responding to investigations, defending against litigation, settling claims, and complying with regulatory or court orders. For example, we have been subject to litigation alleging improper disclosure and/or use of PII and PHI. We also engage in digital marketing, which has come under additional scrutiny by the FTC and state regulators. If our practices are deemed to have been unlawful or deceptive or potentially a violation of FTC requirements, it could lead to significant liabilities and consequences including, without limitation, costs of responding to investigations, defending against litigation, including class action suits, settling claims, complying with regulatory or court orders, and managing public relations and Client and member concerns associated with such matters. For example, see Note 19, “Legal Matters,” to the consolidated financial statements for additional information regarding the settlement and consent order entered into with the FTC and the related putative class-action lawsuits, which have resulted in certain changes to the operation of the BetterHelp business.
While we obtain consent from or on behalf of these individuals to send text messages, federal or state regulatory authorities or private litigants may claim that the notices and disclosures we provide, the form of consents we obtain, or our SMS texting practices are not adequate. These SMS texting campaigns are potential sources of risk for our company since they are governed by the Telephone Consumer Protection Act, which allows for a private right of action and class action lawsuits and is enforced by the Federal Communications Commission. Numerous class action suits under federal and state laws have been filed against companies that conduct SMS texting programs, with many resulting in multi-million-dollar settlements for the plaintiffs. Any such future litigation against us could be costly and time-consuming to defend.
Further, there are numerous foreign laws, regulations and directives regarding privacy and the collection, storage, transmission, use, processing, disclosure, and protection of PII and other personal or customer data, the scope of which is continually evolving and subject to differing interpretations. We must comply with such laws, regulations, and directives and we may be subject to significant consequences, including penalties and fines, for our failure to comply. Failure to comply with the requirements of the GDPR and the applicable national data protection laws of the EU member states may result in fines of up to €10,000,000 or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, and other administrative penalties. To comply with the data protection rules imposed by the GDPR we may be required to put in place additional mechanisms to ensure compliance. In addition, privacy laws are developing quickly in other jurisdictions where we operate, which impose similar accountability, transparency, and security obligations. These additional privacy law obligations may be onerous and affect our business, financial condition, results of operations, and prospects.
In addition, recent legal developments in Europe have created complexity and compliance uncertainty regarding certain transfers of information from the EU to the U.S. If one or more of the legal bases for transferring PII from Europe to the U.S. is invalidated, or if we are unable to transfer PII between and among countries and regions in which we operate, it could affect the manner in which we provide our services or could adversely affect our financial results. Furthermore, any failure, or perceived failure, by us to comply with or make effective modifications to our policies, or to comply with any federal, state, or international privacy, data-retention or data-protection-related laws, regulations, orders, or industry self-regulatory principles could result in proceedings or actions against us by governmental entities or others, a loss of customer confidence, damage to our brand and reputation, and a loss of customers, any of which could have an effect on our business.
Finally, federal, state, and foreign legislative or regulatory bodies may enact new or additional laws and regulations concerning privacy, data-retention, and data-protection issues, including laws or regulations mandating disclosure to domestic or international law enforcement bodies, which could adversely impact our business, our brand, or our reputation with customers. For example, some countries have adopted laws mandating that PII regarding customers in their country be maintained solely in their country. Having to maintain local data centers and redesign product, service, and business operations to limit PII processing to within individual countries could increase our operating costs significantly.
Changes to consumer privacy laws could adversely affect our ability to market our offerings effectively and may require us to change our business practices or expend significant amounts on compliance with such laws.
We rely on a variety of direct marketing techniques, including email marketing, online advertising and direct mailings. Any further restrictions in laws such as the CAN-SPAM Act, the Telephone Consumer Protection Act, the Do-Not-Call Implementation Act, applicable Federal Communications Commission telemarketing rules (including the declaratory ruling affirming the blocking of unwanted robocalls), the FTC Privacy Rule, Safeguards Rule, Consumer Report Information Disposal Rule, Telemarketing Sales Rule, Canada’s Anti-Spam Law and various U.S. state laws, or new federal or state laws and regulations on marketing and solicitation or international privacy, e-privacy, and anti-spam laws that govern these activities, could adversely affect the continuing effectiveness of email, online advertising and direct mailing techniques and could force further changes in our marketing strategy. In particular, these laws may require us to make disclosures regarding our privacy and information sharing practices, safeguard and protect the privacy of such information, and in some cases provide customers the opportunity to “opt out” of the use of their information for certain purposes, any of which could limit our ability to leverage existing and future databases of information or require us to develop alternative marketing strategies, any of which could have a material effect on our financial condition, results of operations, and cash flows.
We must comply with U.S. federal, state, and foreign requirements regarding notice and consent to obtain, use, share, transmit and store certain personal information. Furthermore, we may face conflicting obligations arising from the potential concurrent application of laws of multiple jurisdictions. In the event that we are not able to reconcile such obligations, we may be required to change business practices or face liability or sanction.