Quiver Quantitative

Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.

View risk factors by ticker

Search filings by term

Risk Factors - INNV

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Item 1A. Risk Factors, “Risks Related to Regulation.”

Federal and State Regulation of PACE Providers

We are subject to a complex array of federal and state laws, regulations, and guidance, including legal requirements directly applicable to PACE providers as well as Medicare and Medicaid laws and regulations. These laws and guidance relate to our organizational structure, governance, fiscal soundness, marketing activities, participant enrollment and disenrollment, charges to participants, provision of healthcare and other services to participants, care planning activities, service delivery settings and maintenance of centers, participant rights, employment and contractual arrangements with healthcare providers and other staff, quality assessment and performance improvement activities, participant grievances and appeals, medical records documentation, compliance program activities, and other aspects of our operations and financing. As a PACE provider that provides qualified prescription drug coverage, we are also subject to Medicare laws, regulations, and requirements applicable to Medicare Part D plan sponsors.

The regulations and contractual requirements applicable to PACE providers are complex and subject to change, making it necessary for us to invest significant resources in complying with these requirements. Scrutiny through federal and state government audits, oversight and enforcement and the highly technical regulatory scheme in which we operate require us to allocate significant resources to our compliance efforts. In addition, new centers that we may acquire in the future may have less developed compliance and quality infrastructures, which may require us to allocate additional resources to making any required enhancements.

CMS and state regulatory authorities regularly audit our performance to determine our compliance with CMS’s regulations and our contracts with CMS and state authorities, and to assess the quality of the services we provide to our participants. Such audits have in the past, and may in the future, result in the identification of deficiencies in connection with our compliance with regulatory requirements, participant quality of care, care plan development and implementation, grievance and appeal processes, clinicians acting outside of their scope of practice, and other issues. See Item 1A. Risk Factors, “Risks Related to Regulation” .

Licensing Laws

We, our healthcare professionals, and our centers are subject to various federal, state and local licensure and certification requirements in connection with our provision of healthcare and other services. Specifically, in some of the states in which we operate, we are required to maintain licensure or certification as an adult day health center, home health or home care provider, diagnostic and treatment center, pharmacy provider, clinical laboratory and/or other type of facility, and our affiliated physicians and other clinicians also must be licensed or certified, as applicable, in the states in which they are providing services. In addition, certain of the states where we currently operate regulate the operations and financial condition of risk bearing providers and impose capital requirements, licensing or certification, governance controls, and other obligations. In addition to state requirements, we, our centers, and our healthcare professionals are in some cases subject to federal licensing and certification requirements, such as certification or waiver under the Clinical Laboratory Improvement Amendments of 1988 for performing laboratory services and Drug Enforcement Administration registrations for prescribing, storing, and dispensing controlled substances.

Failure to comply with federal, state and local licensing and certification laws, regulations and standards could result in a variety of consequences, including cessation of our services, loss of our contracts, prior payments by payors being subject to recoupment, requirements to make significant changes to our operations, or civil or criminal penalties. We routinely take the steps we believe are necessary to retain or obtain all requisite licensure and operating authorities. While we endeavor to comply with federal, state and local licensing and certification laws and regulations and standards as we interpret them, the laws and regulations in these areas are complex, changing and often subject to varying interpretations. Any failure to

Table of Contents

satisfy applicable laws and regulations could have a material adverse impact on our business, results of operations, financial condition, cash flows and reputation.

Corporate Practice of Medicine

The laws and regulations relating to our operations vary from state to state, and some states in which we operate prohibit general business corporations, such as us, from practicing medicine, directly employing physicians, controlling physicians’ or other clinicians’ medical decisions, or engaging in some practices such as splitting professional fees with physicians or other clinicians. In certain states, we contract with physicians to provide healthcare services that are required to be provided by licensed physicians to comply with such requirements. While we believe that we are in substantial compliance with state laws prohibiting the corporate practice of medicine, regulatory agencies and other parties may assert that we could be engaged in the corporate practice of medicine. Further, many such state laws are often vague or have otherwise only been infrequently interpreted by courts or regulatory agencies and are subject to change. The consequences associated with violating corporate practice of medicine laws vary by state and may result in physicians or other clinicians being subject to disciplinary action, as well as forfeiture of revenues from government payors for services rendered. However, if allegations are successfully asserted before the appropriate judicial or administrative forums, we could be subject to adverse judicial or administrative penalties, certain of our contracts could be determined to be unenforceable, and we may be required to restructure our organization or our contractual arrangements. Any allegations or findings that we have violated these laws could have a material adverse impact on our reputation, business, results of operations and financial condition.

See Item 1A. Risk Factors, “Risks Related to Our Business—Laws regulating the corporate practice of medicine could restrict the manner in which we are permitted to conduct our business, and the failure to comply with such laws could subject us to penalties or require a restructuring of our business.”

Federal Anti-Kickback Statute

The federal Anti-Kickback Statute prohibits, among other things, knowingly and willfully offering, paying, soliciting, or receiving remuneration, directly or indirectly, in cash or kind, to induce or reward either the referral of an individual for, or the purchase, order or recommendation of, any good or service, for which payment may be made under federal and state healthcare programs such as Medicare and Medicaid. Court decisions have held that the statute may be violated even if only one purpose of remuneration is to induce referrals. In addition, a defendant need not have actual knowledge of, or the specific intent to violate, the federal Anti-Kickback Statute in order to have the requisite intent to support an Anti-Kickback Statute violation.

Federal criminal penalties for the violation of the federal Anti-Kickback Statute include imprisonment, fines and exclusion of the provider from future participation in federal healthcare programs, including Medicare and Medicaid. Violations of the federal Anti-Kickback Statute are punishable by imprisonment for up to ten years, fines of up to $100,000 per kickback or both. Larger fines can be imposed upon corporations under the provisions of the U.S. Sentencing Guidelines and the Alternate Fines Statute. Individuals and entities convicted of a criminal violation of the federal Anti-Kickback Statute are subject to mandatory exclusion from participation in Medicare, Medicaid, and other federal healthcare programs for a minimum of five years. Civil penalties for violation of the Anti-Kickback Statute include up to $120,816 in monetary penalties per violation, fines, or penalties of up to three times the total payments between the parties to the arrangement and potential exclusion from participation in Medicare and Medicaid. Any findings that we have violated these laws could have a material adverse impact on our business, results of operations, financial condition, cash flows, reputation and stock price.

The federal Anti-Kickback Statute includes statutory exceptions and regulatory safe harbors that protect certain arrangements. These exceptions and safe harbors are voluntary. To receive safe harbor protection, business transactions and arrangements must meet all the requirements of a safe harbor. When an arrangement does not satisfy a safe harbor, the arrangement must be evaluated upon all facts and circumstances, on a case-by-case basis in light of among other things, the parties’ intent, and the arrangement’s potential for abuse. Arrangements that do not satisfy a safe harbor may be subject to greater scrutiny by enforcement agencies.

Unlike the federal Anti-Kickback Statute, however, certain state laws may be applicable regardless of the payor source for the patient.

Table of Contents

Moreover, these state laws may contain exceptions and safe harbors that are different from and/or more limited than those of federal law and that may vary from state to state.

We have entered, and may continue to enter, into several arrangements that may not fit squarely within enumerated safe harbors and could potentially implicate the Anti-Kickback Statute if the requisite intent were present, such as:

•Joint Ventures. We may enter other joint ventures with providers and payors in the future. The Office of Inspector General (the “OIG”) of the Department of Health and Human Services (“HHS”) has warned healthcare entities in the past that certain joint venture relationships have a potential for abuse. For example, we believe that these investments are offered and made by us on a fair market value basis and provide returns to the investors in proportion to their actual investment in the venture.

•Discounts. Our centers sometimes acquire certain items and services at a discount that may be reimbursed by a federal healthcare program. We endeavor to structure our vendor contracts that include discount or rebate provisions to comply with the federal Anti-Kickback Statute safe harbor for discounts.

•Sales Force and Participant Recruitment. We employ our own sales force and attempt to meet the Anti-Kickback safe harbor for bona fide employment.

As noted in the examples above, we have endeavored to structure our business arrangements to fit within applicable federal Anti-Kickback Statute safe harbors and to otherwise operate in material compliance with the federal Anti-Kickback Statute and state analogs. Many of our arrangements are structured to provide for compensation that is fair market value for services actually rendered and in a manner that does not reflect the volume or value of referrals generated between the parties. In structuring our relationships with providers, including our physician partners, and other healthcare entities, we endeavor to comply with the regulatory requirements of such safe harbors and exceptions.

On January 19, 2021, the OIG issued regulations under the Anti-Kickback Statute that added new safe harbors and modified existing safe harbors that protect certain payment practices and business arrangements from sanctions under the Anti-Kickback Statute in order to remove potential barriers to more effective coordination and management of patient care and delivery of value-based care. These new and modified value-based care safe harbors may allow our business to pursue new value-based arrangements with safe harbor protections under the Anti-Kickback Statute. However, compliance with these new Anti-Kickback Statute safe harbors is complex and, to the extent that one of our value-based arrangements does not squarely fit within the relevant safe harbors, it could be subject to greater scrutiny by enforcement agencies.

Federal Self-Referral Prohibition

The federal Ethics in Patient Referral Act (“Stark Law”) generally prohibits a physician who has (or whose immediate family member has) a financial relationship with certain types of entities from making referrals to that such entities for “designated health services” if payment for the services may be made under Medicare or Medicaid. “Designated health services” include clinical laboratory services, inpatient and outpatient hospital services, physical and occupational therapy services, outpatient speech-language pathology services, certain radiology services, radiation therapy services and supplies, durable medical equipment and supplies, parenteral and enteral nutrients equipment and supplies, prosthetics, orthotics and prosthetic devices and supplies, home health services, and outpatient prescription drugs.

Providers are prohibited from billing Medicare and Medicaid for services related to a prohibited referral and a provider that has billed for prohibited services is obligated to notify and refund the amounts collected from the Medicare program or to make a self-disclosure to CMS under its Self-Referral Disclosure Protocol. Penalties for violation of the Stark Law include denial of payment, recoupment, refunds of amounts paid in violation of the law, exclusion from the Medicare or Medicaid programs, and substantial civil monetary penalties ($29,899 per prohibited item or service and $199,338 if there is a circumvention scheme; penalty amounts reflect current 2023 levels and are adjusted for inflation from time to time).

Table of Contents

Claims filed in violation of the Stark Law may be deemed false claims under the FCA. In addition to the Stark Law, various states in which we operate have adopted their own self-referral prohibition statutes.

In parallel with OIG’s regulations on value-based care discussed above, on January 19, 2021, CMS issued a sweeping set of regulations that introduce significant new value-based terminology and exceptions to the Stark Law, including new exceptions for certain remuneration exchanged between or among eligible participants in value-based arrangements. These exceptions and their various requirements apply based on the level of risk assumed by the arrangement’s participants. To the extent that we rely on the new value-based exceptions to the Stark Law for our value-based arrangements, we intend to fully comply with such safeguards. However, if we were to be found as out of compliance with such exceptions, we could be subject to penalties, as discussed above.

The False Claims Act

Among other things, the FCA authorizes the imposition of up to three times the government’s damages and significant per claim civil penalties on any “person” (including an individual, organization or company) who, among other acts:

•knowingly presents or causes to be presented to the federal government a false or fraudulent claim for payment or approval;

•knowingly makes, uses or causes to be made or used a false record or statement material to a false or fraudulent claim;

•knowingly makes, uses or causes to be made or used a false record, report or statement material to an obligation to pay the government, or knowingly conceals or knowingly and improperly avoids or decreases an obligation to pay or transmit money or property to the federal government; or

•conspires to commit the above acts.

The federal government has used the FCA to prosecute a wide variety of alleged false claims and fraud allegedly perpetrated against Medicare and state healthcare programs, including but not limited to coding errors, billing for services not rendered, the submission of false cost or other reports, billing for services at a higher payment rate than appropriate, billing under a comprehensive code as well as under one or more component codes included in the comprehensive code, billing for care that is not considered medically necessary and false reporting of risk-adjusted diagnostic codes, encounter data or other information used to determine capitated payments. In addition, amendments to the FCA and Social Security Act impose severe penalties for the knowing and improper retention of overpayments from government payors. This could be relevant to our business the extent we receive payments on account of RAF determinations that are based on improper or erroneous records or reports. Failure to return overpayments could subject us to liability under the FCA, exclusion from government healthcare programs and penalties under the federal Civil Monetary Penalty Statute.

The penalties for a violation of the FCA may include per claim penalties, plus up to three times the amount of damages caused by each false claim, which can be as much as the amounts received directly or indirectly from the government for each such false claim. The maximum penalty has increased from $27,018 to $27,894 per claim.

In addition to civil enforcement under the FCA, the federal government can use several criminal statutes to prosecute persons who are alleged to have submitted false or fraudulent claims for payment to the federal government. Generally, federal and state governments have made investigating and prosecuting healthcare fraud and abuse a priority. Any allegations or findings that we have violated the FCA could have a material adverse impact on our reputation, business, results of operations and financial condition.

States are becoming increasingly active in using their false claims laws to police the same activities listed above, particularly with regard to capitated government-sponsored healthcare programs, such as Medicaid managed care and PACE. Under Section 6031 of the Deficit Reduction Act of 2005, as amended, if a state enacts a false claims act that is at least as stringent as the

Table of Contents

federal statute and that also meets certain other requirements, the state will be eligible to receive a greater share of any monetary recovery obtained pursuant to certain actions brought under the state’s false claims act. As a result, more states are expected to enact laws that are similar to the federal FCA in the future along with a corresponding increase in state false claims enforcement efforts.

For additional information regarding allegations against us under Federal and State FCA statutes, see Item 1A. Risk Factors, “Risks Related to Our Business—”

Civil Monetary Penalties Statute

The Civil Monetary Penalties Statute, 42 U.S.C. § 1320a-7a, authorizes the imposition of civil monetary penalties, assessments and exclusion against an individual or entity based on a variety of prohibited conduct, including, but not limited to:

•presenting, or causing to be presented, claims, reports or records relating to payment by Medicare, Medicaid or other government payors that the individual or entity knows or should know are for an item or service that was not provided as reported, is false or fraudulent or was presented for a physician’s service by a person who knows or should know that the individual providing the service is not a licensed physician, obtained licensure through misrepresentation or represented certification in a medical specialty without in fact possessing such certification;

•offering remuneration to a federal healthcare program beneficiary that the individual or entity knows or should know is likely to influence the beneficiary to order or receive healthcare items or services from a particular provider, unless an exception applies;

•arranging contracts with or making payments to an entity or individual excluded from participation in the federal healthcare programs or included on CMS’s preclusion list;

•violating the federal Anti-Kickback Statute;

•making, using or causing to be made or used a false record or statement material to a false or fraudulent claim for payment for items and services furnished under a federal healthcare program;

•making, using or causing to be made any false statement, omission or misrepresentation of a material fact in any application, bid or contract to participate or enroll as a provider of services or a supplier under a federal healthcare program; and

•failing to report and return an overpayment owed to the federal government.

We could be exposed to a wide range of allegations to which the federal Civil Monetary Penalty Statute would apply. We perform monthly checks on our employees and certain affiliates and vendors using government databases to confirm that these individuals have not been excluded from federal programs or otherwise ineligible for payment. We have also implemented processes to ensure that we do not make payments to contracted or noncontracted providers listed on CMS’s preclusion list nor make payments for drugs prescribed by individuals on the preclusion list. However, should an individual or entity be excluded, on the preclusion list, or otherwise ineligible for payment and we fail to detect it, a federal agency could require us to refund amounts attributable to all claims or services performed or sufficiently linked to such individual or entity. Due to this area of risk and the possibility of other allegations being brought against us, we cannot foreclose the possibility that we could face allegations of noncompliance with the Civil Monetary Penalty Statute that have the potential for a material adverse impact on our business, results of operations and financial condition.

Privacy and Security

HIPAA requires covered entities, and the business associates with whom such covered entities contract for services involving the use or disclosure of protected health information to provide certain protections to their patients or participants and their health information. Through our various service offerings, the Company acts primarily as a covered entity under HIPAA but may also act as a business associate of other covered entities. The HIPAA privacy and security regulations extensively regulate the use and disclosure of PHI and require covered entities and their business associates, to develop and maintain policies and procedures and implement and maintain administrative, physical, and technical safeguards to protect

Table of Contents

the security of such information. These regulations also provide our participants with substantive rights with respect to their health information.

The HIPAA privacy and security regulations also require covered entities to enter into written agreements with their business associates. Covered entities may be subject to fines and penalties for, among other activities, failing to enter into a business associate agreement where required by law or as a result of a business associate violating HIPAA. Business associates are also directly subject to liability under certain HIPAA privacy and security regulations. In instances where we act as a business associate to a covered entity, there is the potential for additional liability beyond our status as a covered entity.

Covered entities must notify affected individuals of breaches of unsecured PHI without unreasonable delay but no later than 60 days after discovery of the breach. Reporting must also be made to the HHS Office for Civil Rights (“OCR”) and, for breaches of unsecured PHI involving more than 500 residents of a state or jurisdiction, to the media in accordance with HIPAA requirements. All impermissible uses or disclosures of unsecured PHI are presumed to be breaches unless an exception to the definition of breach applies or the covered entity or business associate establishes that there is a low probability the PHI has been compromised.

Violations of HIPAA by covered entities and business associates, including, but not limited to, failing to implement appropriate administrative, physical and technical safeguards, have resulted in enforcement actions and in some cases triggered settlement payments or civil monetary penalties. Penalties for impermissible use or disclosure of PHI were increased by the HITECH Act by imposing tiered penalties of more than $50,000 (not adjusted for inflation) per violation and up to approximately $1.9 million (not adjusted for inflation) per year for identical violations. In addition, HIPAA provides for criminal penalties of up to $250,000 and ten years in prison, with the severest penalties for obtaining and disclosing PHI with the intent to sell, transfer or use such information for commercial advantage, personal gain or malicious harm. Further, state attorneys general may bring civil actions seeking either injunction or damages in response to violations of the HIPAA privacy and security regulations that threaten the privacy of state residents. There can be no assurance that we will not be the subject of an investigation (arising out of a reportable breach incident, audit or otherwise) alleging non-compliance with HIPAA regulations in our maintenance of PHI.

Additionally, many states also enacted laws that protect the privacy and security of confidential, personal and health information, which may be even more stringent than HIPAA and may add additional compliance costs and legal risks to our operations. Some state privacy and security laws overlap with federal law, some of which are preempted, in part by federal laws, whereas others are not. States have also passed privacy and security laws and regulations that apply across sectors and go beyond federal law, such as data security laws, secure destruction, Social Security number privacy, online privacy biometric information privacy, and data breach notification laws. Some of these state laws impose fines and penalties on violators and afford private rights of action to individuals who believe their personal information has been misused. Various state laws and regulations also require us to notify affected individuals in the event of a data breach involving personal information without regard to the probability of the information being compromised.

Looking ahead, it is possible that Congress could pursue a federal privacy bill to harmonize privacy regimes across states.

Various other federal and state laws restrict the use and protect the privacy and security of individually identifiable information, as well as employee personal information, including certain state laws modeled to some extent on the European Union’s General Data Protection Regulation. Federal and state consumer protection laws, including laws that do not on their face specifically address data privacy or security, have been applied to data privacy and security matters by a range of government agencies and courts.

Healthcare Reform Efforts

The U.S. federal and state governments continue to enact and consider many broad-based legislative and regulatory proposals that have had a material impact on or could materially impact various aspects of the healthcare system and our business, operating results and/or cash flows. In addition, state and federal budgetary shortfalls and constraints pose potential risks for our revenue streams. We cannot predict how government payors or healthcare consumers might react to federal and state healthcare legislation and regulation, whether already enacted or enacted in the future, nor can we predict

Table of Contents

what form such legislation or regulations will take. Some examples of legislative and regulatory changes impacting our business include:

•In March 2010, broad healthcare reform legislation was enacted in the United States through the ACA. There have since been numerous political and legal efforts to repeal, replace or modify the ACA, some of which have been successful, in part, in modifying the law. Although some provisions of the ACA have been and may be modified, the reforms, particularly those relating to Medicare and Medicaid programs, could continue to have an impact on our business. These and other provisions of the ACA remain subject to ongoing uncertainty due to developing regulations as well as continuing political and legal challenges at both the federal and state levels.

•There have in recent years been congressional efforts to move Medicaid from an open-ended program with coverage and benefits set by the federal government to one in which states receive a fixed amount of federal funds, either through block grants or per capita caps, and have more flexibility to determine benefits, eligibility or provider payments. If these types of changes are implemented in the future, we cannot predict whether the amount of fixed federal funding to the states will be based on current payment amounts, or if it will be based on lower payment amounts, which would negatively impact those states that expanded their Medicaid programs in response to the ACA.

•Legislation enacted in 2011 requires CMS to sequester or reduce all Medicare payments, including payments to PACE organizations, by two percent per year beginning on April 1, 2013.

•The Inflation Reduction Act of 2022 includes a few provisions intended to lower the costs of some drugs covered under Medicare Part D and to limit Medicare beneficiaries’ out-of-pocket spending under the Medicare Part D benefit. It is not yet clear what effect, if any, these legislative changes and any subsequent implementing regulations and guidance will have on our business.

•The “Medicare Program; Contract Year 2024 Policy and Technical Changes to the Medicare Advantage Program, Medicare Prescription Drug Benefit Program, Medicare Cost Plan Program, and Programs of All-Inclusive Care for the Elderly” final rule (“PACE Final Rule”) set out a number of changes for PACE organizations, including (i) clarifying that CMS has enforcement discretion to impose civil monetary penalties or an intermediate sanction in the event CMS has made a determination that could lead to the termination of a PACE program; and (ii) reinstating the requirement that PACE organizations enter into written contracts with each outside organization, agency, or individual that furnishes administrative or care-related services not furnished directly by the PACE organization, including 25 medical specialties enumerated by the PACE Final Rule.

•The remaining provisions of the PACE final rule from 2024 were issued alongside the new PACE Final Rule for 2025. In this new final rule, CMS sets out changes which include but are not limited to: (i) implementation of past performance guidelines used to evaluate new PACE organization applications; (ii) personnel medical clearance guidelines; (iii) updates to service delivery timeframes by which participants must receive services; (iv) guidelines on IDT care coordination across all service settings with timeframes applied to external provider recommendations; (v) new content and documentation guidelines for participant plans of care; (vi) expansion of participant rights in care settings; and (vii) revisions to existing grievance process to align with standard determination request guidance.

CMS and state Medicaid agencies also routinely adjust the RAF which is central to payment under PACE and Managed Medicaid programs in which we participate. The monetary “coefficient” values associated with diseases that we manage in our population are subject to change by CMS and state agencies. Such changes could have a material adverse effect on our financial condition. See Item 1A. Risk Factors, “Risks Related to Our Business — Our records and submissions to government payors may contain inaccurate or unsupportable information regarding risk adjustment scores of participants, which could cause us to overstate or understate our revenue and subject us to payment obligations or penalties.”

Other Regulations

Our operations are subject to various state hazardous waste and non-hazardous medical waste disposal laws. These laws do not classify as hazardous most of the waste produced from medical services. Occupational Safety and Health Administration regulations require employers to provide workers who are occupationally subject to blood or other potentially infectious materials with prescribed protections. In addition, employers

Table of Contents

are required to provide or employ hepatitis B vaccinations, personal protective equipment and other safety devices, infection control training, post-exposure evaluation and follow-up, waste disposal techniques and procedures and work practice controls. Employers are also required to comply with various record-keeping requirements.

Federal and state law also governs the purchase, handling, and dispensing of controlled substances by physicians and other clinicians. If we are unable to maintain our registrations this could limit or affect our ability to purchase, handle, or dispense controlled substances and other violations of these laws could subject us to criminal or other sanctions. In addition, certain laws may apply to activities of our affiliated physicians and clinicians. For example, the Prescription Drug Marketing Act governs the provision of drug samples to physicians and other clinicians, and physicians and other clinicians are required to report relationships they have with the manufacturers of drugs, medical devices and biologics through the Open Payments Program database.

Clinical laboratories may be subject to oversight by CMS and state regulators, including the Eliminating Kickbacks in Recovery Act of 2018. If our laboratories or laboratories that we partner with are not in compliance with the applicable CMS or state laws or regulations, they could be subject to enforcement action, which could negatively affect our business.

We have in the past and continue to intend to grow our business through acquisitions in the states in which we currently operate or in new states that we seek to enter. Several states, including California, have adopted laws focused on competition, quality, access, and cost that authorize state agencies to review and approve healthcare transactions, and many other states, including Pennsylvania, are considering similar legislation. California is also considering additional legislation that would provide the California attorney general with approval authority with respect to certain health care transactions.

Any allegations or findings that we or our providers have violated any of these laws or regulations could have a material adverse impact on our reputation, business, results of operations and financial condition. Certain states in which we do business or may desire to do business in the future have certificate of need programs regulating the establishment or expansion of healthcare facilities, including our participant centers. These regulations can be complex and time-consuming to ensure compliance with. Any failure to comply with such regulatory requirements could adversely impact our business, results of operations and financial condition.

Competition

The U.S. healthcare industry is highly competitive. We compete directly with national, regional and local providers of healthcare for participants and clinical providers. We also compete with payors and other alternate managed care programs for participants. Of these providers, there are many other companies and individuals currently providing healthcare services, many of which have been in business longer and/or have substantially more resources. Given the regulatory environment, there may be high barriers to entry for PACE providers; however, since there are relatively modest capital expenditures required for providing healthcare services, there are less substantial financial barriers to entry in the healthcare industry generally. Other companies could enter the healthcare industry in the future and divert some or all of our business. Our principal competitors for dual-eligible seniors vary considerably in type and identity by market. Our growth strategy and our business could be adversely affected if we are not able to compete efficiently, including penetrating existing markets or new markets, recruit qualified physicians or if we experience significant participant attrition to our competitors. See Item 1A. Risk Factors—Risks Related to Our Business—“The healthcare industry is highly competitive and, if we are not able to compete effectively, our business could be harmed.”

We believe the principal competitive factors for serving adults dually-eligible for Medicare and Medicaid and who meet nursing home eligibility criteria include: participant experience, quality of care, health outcomes, total cost of care, brand identity and trust in that brand.

Seasonality

Our business experiences some variability depending upon the time of year. Medical costs will vary seasonally depending on a number of factors, but most significantly the weather. Certain illnesses, such as the influenza virus and COVID-19, are far more prevalent during colder months of the year, which results in an increase in medical expenses during these time periods. We therefore see higher levels of per-participant medical costs in our second and third fiscal quarters. There is also increased variability of participant enrollment during the open enrollment period, which occurs during our third fiscal quarter.

Table of Contents

In addition, the retrospective capitation payments we receive for each participant are determined by a participant’s RAF score, which is calculated twice per year and is based on the evolving acuity and chronic conditions of a participant. We estimate and accrue for the expected true-up payments of our participants. Though no assurances can be made in the future, we have historically used our best estimate for accruing for this payment, and we received net positive true-up payments during the fiscal years ended June 30, 2024 and 2023. Historically, these true-up payments typically occur between May and August, but the timing of these payments is determined by CMS, and we have neither visibility nor control over the timing of such payments.

Human Capital Resources

As of June 30, 2024, we had approximately 2,350 employees, including over 1,300 clinical professionals (excluding contract labor). Approximately 1% of our workforce is represented by a union, all of which are located in Pennsylvania. Collective bargaining commenced in March 2024. We are unable to predict the terms or timing of any resulting collective bargaining agreement.

We believe our efforts in managing our workforce have been effective, evidenced by improved retention, lower turnover, and employee satisfaction during fiscal year 2024.

Our people are our product at InnovAge, and their commitment to our participants propels our mission of enabling seniors to age at home, with dignity, for as long as is safely possible. We believe that our employees are drawn to this mission and our values, which is why our voluntary retention rate was 68% over fiscal year 2024. Additionally, in our most recent employee engagement survey conducted in February 2024, 75% of our employees indicated that they feel engaged by their work at InnovAge.

Attracting and retaining top talent is critical to the success of InnovAge's mission and one of the highest priorities to leadership. To keep leadership informed of the health of our employee base, we report weekly on key hiring and retention metrics.

We continue to evaluate talent needs at the senior management level, aiming to hire ahead of the curve as the business evolves and to assess and respond to any gaps in our capabilities.

Diversity

At InnovAge, we strive to be a reflection of the diverse communities that we serve. We are steadfastly dedicated to fostering an atmosphere that champions diversity, equity, and inclusion throughout all sectors of InnovAge. Our commitment remains in building a culture where individual distinctions are not just acknowledged but deeply valued.

As part of our continuous journey to engage and understand our teams better, we plan to conduct our annual engagement survey during September 2024.

As of June 30, 2024, our employed workforce was comprised of individuals who identified as women – 76%, and minorities – 52%. Four of eleven members of our leadership team identify as women as of June 30, 2024.

Training and Development

We aim to provide our employees opportunities to grow and advance in their careers at InnovAge with learning and development programs. Each year we conduct soft skills training for managers and supervisors, the content of which is informed by gap assessment surveys. A quarterly training series for front-line leaders enables them to develop their management skills. Our clinical leaders also conduct separate physician leadership trainings quarterly, with a new topic for each installment (e.g., email / phone etiquette).

We also conduct a periodic training needs assessment surveys to hear directly from employees and managers where they think they could use more support and learning content in the coming year. These assessment surveys, allow the Company to develop trainings tailored to the most prevalent needs identified by our employees.

Implications of being an emerging growth company and a smaller reporting company

We qualify as an “emerging growth company” as defined in the Jumpstart Our Business Startups Act of 2012 (the “JOBS Act”). We will remain an emerging growth company until the earlier of (1) June 30, 2026, (2) the last day of the

Table of Contents

fiscal year in which we have total annual gross revenue of at least $1.235 billion, (3) the date on which we are deemed to be a large accelerated filer or (4) the date on which we have issued more than $1.0 billion in non-convertible debt securities during the prior three-year period. Additionally, we qualify as a “smaller reporting company,” and even after we no longer qualify as an “emerging growth company,” we may still qualify as a “smaller reporting company” based on the aggregate worldwide market value of common equity securities held by non-affiliates assessed on an annual basis and measured as of the last business day of our most recently completed second fiscal quarter.

As an emerging growth company and a smaller reporting company, we may take advantage of reduced reporting requirements that are otherwise applicable to public companies. These provisions include, but are not limited to:

•not being required to comply with the auditor attestation requirements of Section 404 of the Sarbanes-Oxley Act of 2002, as amended (the “Sarbanes-Oxley Act”);

•a requirement to present only two years of audited financial statements, plus unaudited condensed consolidated financial statements for any interim period and related discussion in the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations”;

•reduced disclosure obligations regarding executive compensation in our periodic reports, proxy statements and registration statements; and

•exemptions from the requirements of holding a nonbinding advisory vote on executive compensation and stockholder approval of any golden parachute payments not previously approved.

In addition, under the JOBS Act, emerging growth companies can delay adopting new or revised accounting standards until such time as those standards apply to private companies. We intend to take advantage of the longer phase-in periods for the adoption of new or revised financial accounting standards under the JOBS Act until we are no longer an emerging growth company. Our election to use the phase-in periods permitted by this election may make it difficult to compare our financial statements to those of non-emerging growth companies and other emerging growth companies that have opted out of the longer phase-in periods permitted under the JOBS Act and who will comply with new or revised financial accounting standards. If we were to subsequently elect instead to comply with public company effective dates, such election would be irrevocable pursuant to the JOBS Act.

Available Information

Our internet website is www.innovage.com.

Our Annual Reports on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K and any amendments to those reports are available free of charge through our website at www.investor.innovage.com as soon as reasonably practicable after such material is electronically filed with, or furnished to, the SEC. Our SEC filings are also available to the public at the SEC’s website at www.sec.gov.

Item 1A. Risk Factors

Our business, results of operations, and financial condition are subject to numerous risks and uncertainties. You should carefully consider the following risk factors before making a decision to invest in our common stock. The risks and uncertainties described below are not the only ones we face. Additional risks and uncertainties that we are unaware of, or that we currently believe are not material, may also become important factors that affect us. If any of the following risks occur, our business, financial condition, operating results and prospects could be materially and adversely affected. You should read these risk factors in conjunction with “Management’s Discussion and Analysis of Financial Condition and Results of Operations” in Item 7 and our consolidated financial statements and related notes in Item 8 of this Annual Report.

Summary of Risk Factors

There are a number of risks related to our business, regulation, our indebtedness and our common stock that you should consider. Some of the principal risks related to our business include the following:

•Our growth strategy may not prove viable.

•Our growth strategy depends upon our ability to identify and complete acquisitions, joint ventures and other strategic partnerships. Our growth strategy involves identifying and successfully completing acquisitions, joint ventures and strategic partnerships, which involve numerous risks, including failure to consummate negotiated transactions, difficulties in successfully integrating the operations and personnel, navigating the necessary regulatory approval requirements and difficulties in entering new markets.

•If we are unable to attract new participants and retain existing participants, our revenue growth will be adversely affected. To increase our revenue, we plan to expand the number of centers and participants in our network, requiring recruitment and retention.

•Our overall business results have been and we expect will continue to be impacted by ongoing macroeconomic and industry-related challenges. Macroeconomic and industry challenges, including labor shortages, labor competition and high inflation, have impacted and we expect will continue to impact our business operations. High inflation has increased the cost of living, and consequently, wage pressure, which has contributed to an increasingly competitive labor market.

•We have faced, and continue to face inspections, reviews, audits and investigations under federal and state government programs and contracts. Our centers are subject to, and will continue to be subject, to future audits and we are unable to guarantee the outcomes.

•We are subject to legal proceedings, enforcement actions and litigation, malpractice and privacy disputes, which are costly and could materially harm our business. We are party to lawsuits and legal proceedings from various parties in the normal course of business. These matters are often expensive and disruptive to normal business operations.

•Under PACE contracts, we assume all of the risk that the cost of providing services will exceed our compensation. Most of our revenue was derived from capitation agreements with government payors in which we receive fixed PMPM fees. If, in aggregate, our

expenses exceed the underlying capitation payment received, we will not be able to fund operations and pursue growth.

•We have experienced and expect to continue experiencing increased costs and expenditures in the future. In fiscal year 2024, we continued several initiatives intended to lower our costs, however, we expect increased costs in the foreseeable future. We may not succeed in increasing our revenue sufficiently to improve our profit margins and if we are not able to execute or realize the benefits of our clinical value initiatives, our profitability could continue to decline.

•Our revenues and operations are dependent upon a limited number of government payors, particularly Medicare and Medicaid. When aggregating the revenue associated with Medicare and Medicaid by state, a majority of our revenue was derived from a limited number of government payors.

•Reductions in PACE reimbursement rates or changes in the rules governing PACE programs could have a material adverse effect on our financial condition and results of operations. As a result, our operations are dependent on government funding levels for PACE programs. Any changes that limit or reduce general PACE rates could have a material adverse effect on our business.

•Our records and submissions to government payors may contain inaccurate or unsupportable information regarding risk adjustment scores of participants, which could subject us to repayment obligations or penalties. The submission of erroneous data could result in inaccurate revenue and risk adjustment payments, which may be subject to correction or retroactive adjustment in later periods. CMS may audit PACE organizations’ risk adjustment data submissions. We could be required to refund a portion of the revenue that we received, which could have a material adverse effect on our business, results of operations, financial condition and cash flows.

•Renegotiation, non-renewal or termination of capitation agreements with government payors could have a material adverse effect on our business, results of operations, financial condition and cash flows. If we enter into, or amend, capitation contracts which include unfavorable economic terms, we could suffer losses. Some states in which we operate undergo periodic reconciliations with respect to enrollments that present a risk to our business.

•Allegations of failure and failure to adhere to complex government laws and regulations, have had and could in the future have a material adverse effect on our business, results of operations, financial condition, cash flows, reputation and stock price. Our operations are subject to extensive federal, state and local government laws and regulations. Allegations of violation, or actual violations of the legal requirements implicated by our business may have material adverse consequences on our business.

•Ignite Aggregator LP (an investment vehicle owned by certain funds advised by Apax Partners LLP) and funds affiliated with Welsh, Carson, Anderson & Stowe (together, our “Principal Shareholders”) control us. Our Principal Shareholders beneficially own approximately 83% of our common stock, which means that together they control the vote of all matters submitted to a vote of our stockholders, including the election of members of the Board of Directors of the Company (the “Board”) and all other corporate decisions. For such period of time as our Principal Shareholders beneficially own a majority of the voting power, they will have significant influence.

•Our operating results may fluctuate significantly in the future, which makes our future operating results difficult to predict and could cause such results to fall below any guidance, targets or goals we provide. If the guidance we provide falls short or we are unable to meet the expectations of analysts or investors, the trading price of our common stock could decline substantially.

Risks Related to Our Business

Our growth strategy may not prove viable, and we may not realize expected results therefrom.

Our growth strategy involves a number of risks and uncertainties, including that:

•we may be subject to sanctions as a result of audits and other regulatory processes and proceedings that could include temporary or permanent suspension of enrollments, debarment or exclusion from participation in federal health care programs, and the revocation of a center’s license and suspension or revocation of required attestations to open de novo centers, which may in turn result in participant attrition and preclude us from opening de novo centers and conducting tuck-in acquisitions. As a result of an ongoing audit of our center in Sacramento, California initiated in 2023 and the subsequent medical review of our center in San Bernardino, California, DHCS revoked the state-required attestations for a planned de novo center in Downey and for the de novo center we acquired in Bakersfield, California. There is no guarantee that such attestations will be reinstated or that similar situations will not occur in the future;

•we may not be able to successfully enter into contracts with government payors and/or other healthcare providers on terms favorable to us or at all. In addition, we compete for government payor relationships with other potential players, some of whom may have greater resources than we do. This competition has intensified due to the availability to seniors of other programs similar to PACE and the ongoing consolidation in the healthcare industry, which may increase our costs to pursue such opportunities;

•we may not be able to recruit or retain a sufficient number of new participants to execute our growth strategy or offset costs relating to recruiting new participants or opening de novo centers or executing acquisitions;

•we may not be able to hire sufficient numbers of physicians and other clinical staff, particularly in the current labor market characterized by heightened demand for healthcare personnel and labor shortages;

•when expanding our business into new states, we may be required to comply with laws and regulations that may differ from states in which we currently operate;

•we may face larger than expected costs and legal, community or other obstacles in the construction and opening of de novo centers, such as the revocation of state-required attestations, or expanding capacity in existing centers; and

•we may have difficulty identifying appropriate acquisition targets, be precluded from acquiring targets as a result of audits or sanctions or due to other legal restrictions (e.g. federal or state antitrust laws), may fail to satisfy closing conditions or make investments in acquisitions that we are unable to effectively integrate, involve associated risks or liabilities that we are unable to uncover in advance, or that require greater resources than anticipated and that could include deficient quality of service.

As an element of our growth strategy is to build de novo centers, in fiscal year 2024, we opened two de novo centers in the State of Florida. As we are in the early stages of operation of these two de novo centers in a new geography, there is no guarantee about the timing or our ability to enroll enough participants, hire and train enough skilled and non-skilled staff, develop necessary community relationships, and otherwise ramp up these centers to maturity.

In addition, as we grow our business and open or acquire new centers, we expect to continue to increase our headcount and to hire or contract with more physicians, nurses and other specialized medical personnel. We will need to continue to hire, train and manage additional qualified information technology, operations and marketing staff, and improve and maintain our technology and information systems to properly manage our growth. If our new hires perform poorly, if we

are unsuccessful in hiring, training, managing and integrating these new employees, if we are not successful in retaining our existing employees, or if we are unable to provide the care and services that our participants require in compliance with regulatory requirements, our business will be adversely affected.

Additional risks include, but are not limited to, our ability to effectively manage growth, process, store, protect and use personal data in compliance with governmental regulations and contractual obligations and manage our obligations as a provider of healthcare services under Medicare, Medicaid and PACE.

There can be no assurance that we will be able to successfully capitalize on growth opportunities, which will negatively impact our business, revenues, results of operations and financial condition.

Our growth strategy is partially dependent upon our ability to identify and successfully complete acquisitions, joint ventures and other strategic partnerships.

In December 2023, we acquired all of the issued and outstanding membership interests of two California-based PACE programs, ConcertoCare PACE of Bakersfield, LLC and ConcertoHealth PACE of Los Angeles, LLC (collectively, “Concerto”). In May 2024, we entered into a joint venture with Orlando Health with respect to the InnovAge Florida PACE – Orlando (“InnovAge Orlando”) center in Florida. We intend to continue pursuing relationships with key stakeholders, existing organizations and other care providers in order to form partnerships in target geographies.

However, acquisitions, joint ventures and other strategic partnerships, involve numerous risks, including failure to consummate negotiated transactions, difficulties in successfully integrating the operations and personnel, navigating the necessary regulatory approval requirements, including securing regulatory safe harbors necessary for healthcare related join ventures under the Anti-Kickback Statute, distraction of management while overseeing the transactions, and disruption of, our existing operations, difficulties in entering new markets in which we have no or limited direct prior experience, and difficulties in achieving the synergies we anticipated. For example, in 2023, CMS and DHCS initiated a routine audit of our Sacramento, California center. Subsequently, DHCS notified us it would also be conducting a targeted medical review of our center in San Bernardino, and that it would be suspending its state-required attestations in support of the planned de novo centers in California, including for one of the acquired centers in Bakersfield, California. Until such time as the attestations are reinstated, we are precluded from opening such center. In addition, we incur costs associated with potential acquisitions that we pursue or fail to close, including as a result of litigation related to a failed transaction. We also may need to expend resources to ensure target and acquired centers are operating in compliance with regulatory and contractual requirements, as well as any corrective action plans. Any failure to select suitable opportunities at fair prices, conduct appropriate due diligence, acquire and successfully integrate the acquired center, including particularly when acquired centers operate in new geographic markets, could materially and adversely impact our growth strategies, financial condition and results of operations.

These transactions may also cause us to significantly increase our interest expense, leverage and debt service requirements if we incur additional debt to pay for an acquisition or investment, issue common stock that would dilute our current stockholders’ percentage ownership or incur asset write-offs and restructuring costs and other related expenses that could have a material adverse impact on our operating results. Acquisitions, joint ventures and strategic investments also involve numerous other risks, including potential exposure to assumed litigation, as well as undetected internal control, regulatory or other issues, or additional costs not anticipated at the time the transaction was completed.

If we are unable to attract new participants and retain existing participants, our revenue growth will be adversely affected.

In order to support such growth, we must recruit and retain a sufficient number of new participants.

We are focused on frail, dual-eligible senior population and face competition from other healthcare providers and payors in the recruitment of potential participants. Therefore, we must demonstrate that our services provide a viable solution for potential participants. If we are unable to convince the frail, dual-eligible senior population of the benefits of the InnovAge Platform or if potential or existing participants prefer the healthcare provider model of one of our

competitors, we may not be able to effectively implement our growth strategy, which depends on our ability to attract new participants.

In addition participant enrollment for PACE is ongoing each month and requires states to verify eligibility, a process which can result in delays in enrollment. Since the national emergency and public health emergency declarations related to COVID-19 expired, we have experienced an increase in gaps of eligibility with redetermination applications. While participants continue to receive care and remain enrolled with us during this time, the effect of such delays temporarily halts Medicaid revenue related to any closed application and simultaneously increases our risk of revenue recovery. Even though our results of operations have not suffered a material adverse effect from these delays, there is no guarantee that further delays may not adversely impact our results.

Macroeconomic and industry challenges, including labor shortages, labor competition and high inflation, have impacted and we expect will continue to impact our business operations and our overall business results. The healthcare sector continues to experience a complex set of challenges in hiring additional professionals due to higher demand for healthcare services and systemic challenges related to workforce training and the pipeline of qualified professionals. Furthermore, high inflation has increased the cost of living, and consequently, wage pressure for healthcare professionals, which has contributed to an increasingly competitive labor market. We compete with other healthcare providers, primarily hospitals and other centers, in attracting physicians, nurses and medical staff to support our centers, and recruiting and retaining qualified management and support personnel responsible for the daily operations of each of our centers.

Additionally, on October 13, 2023, California passed into law California Senate Bill No. 525 (“SB 525”), which would raise the minimum wage for many California healthcare workers. SB 525 becomes effective when certain financial metrics within the State of California are met. Even though SB 525 is not yet effective and PACE centers are not covered by it, many of our contractors and other third-party providers are expected to be impacted by SB 525, and we believe that due to this and other macroeconomic factors, our California centers have received provider requests to increase rates to cover their increased costs. In addition, as a result of competition generated by SB 525, we have increased our wages for healthcare workers in the California market. In particular, if labor costs rise at an annual rate greater than our net annual consumer price index basket update from Medicare, our results of operations and cash flows will likely be adversely affected.

Cost of care and related cost per participant increased for fiscal year 2024 compared to 2023, partially as a result of increased salaries, wages and benefits associated with increased headcount, higher wage rates and other factors. Additionally, external provider costs increased in fiscal year 2024 compared to 2023 as a result of annual increases in assisted living and nursing facility unit cost and general medical inflation. To date, we believe that macroeconomic and industry conditions, including labor shortages and inflation, have not had a material effect on our operating results. However, there can be no assurance that continued challenges will not have an adverse impact on our operating results and financial condition.

During periods of high unemployment, governmental entities often experience budget deficits as a result of increased costs and lower than expected tax collections.

These audits require corrective actions and have resulted in adverse findings that have negatively affected and continue to affect our business, including our results of operations, liquidity, financial condition and reputation.

As a result of our PACE contracts with CMS and state government agencies, state licenses, and participation in Medicaid, we are regularly subject to, and will continue to be subject to, various routine and non-routine governmental inspections, reviews, audits, requests for information and investigations to verify our compliance with requirements of these programs and applicable laws and regulations, assess the quality of the services we are providing to our participants, and evaluate the accuracy of the risk adjustment data we have submitted to the government.

Based on deficiencies detected in the audits, CMS and regulatory authorities in the states of California and Colorado suspended new enrollments at our Sacramento center and our centers in Colorado. In addition, as a result of the enrollment sanctions, various states suspended our ability to open de novo centers or we committed to proactively pause steps with respect to planned de novo centers. Largely as a result of these sanctions and actions, our census decreased during the sanction period.

We were released from the enrollment sanctions in Colorado and California in 2023, and resumed enrollments in those states as well as resumed activities to open de novo centers in other states. In October 2023, CMS and the DHCS conducted a joint routine audit of our Sacramento center and DHCS is currently conducting a medical review of our San Bernardino center. In response to both of these matters, DHCS suspended its state-required attestations for our planned de novo centers in California. In April 2024, CMS officially closed its portion of the Sacramento audit. DHCS’s process is ongoing. Managing audits, even if we achieve favorable outcomes, is costly, time-consuming and diverts management’s attention from our business.

Our centers will continue to be subject to federal and state audits, including our centers that have undergone the recent audits described above, as well as the centers that did not and centers we open or acquire in the future.

In general, inspections, reviews, audits, requests for information or investigations with adverse findings, and in particular the audits described above, have resulted in and may further result in:

•temporary or permanent enrollment sanctions in the affected center(s), as was the case with our Sacramento, California center and our centers in the State of Colorado;

•refunding amounts we have been paid by the government;

•state or federal agencies imposing corrective action plans, fines, penalties, training, policies and procedures, monitoring, and other requirements;

•temporary suspension of payments;

•debarment or exclusion from participation in federal healthcare programs;

•self-disclosure of violations to applicable regulatory authorities;

•damage to our reputation;

•the revocation of a center’s license or suspension of state attestations to open de novo centers; and

•loss of certain rights under, or termination of, our contracts with government payors.

Any of the results noted above could have further material adverse effects on our business and operating results. Furthermore, the legal, document production and other costs associated with complying with these inspections, reviews, audits, requests for information or investigations is significant. If we are unable to effectively remediate the deficiencies raised by any audits, implement corrective action plans, or otherwise satisfy the regulators’ concerns, we could be subject to new sanctions, and our business, financial results and operations could be adversely impacted.

We are party to lawsuits and legal proceedings in the normal course of business from participants, employees, or other third parties for various actions. These matters are often expensive and disruptive to normal business operations. We face

and may in the future face allegations, lawsuits, including class actions, and regulatory inquiries, requests for information, audits and investigations regarding care and services provided to participants, the FCA, data privacy, security, labor and employment, consumer protection or intellectual property. We are currently party to a putative class action complaint alleging violations of the Securities Act and the Exchange Act for making allegedly inaccurate and misleading statements and omissions in connection with our IPO, and a stockholder lawsuit asserting derivative claims for breach of fiduciary duty generally relating to alleged failures by the defendants to take remedial actions to address the matters that resulted in sanctions by CMS at certain of our centers and alleged misstatements in our public filings relating to those matters. We are currently unable to predict the outcome of these matters. See Part I, Item 3 “Legal Proceedings” for more information.

Litigation and regulatory proceedings are protracted and expensive, and the results are difficult to predict. Certain of these matters include claims for substantial or indeterminate amounts of damages and may include claims for injunctive relief. Additionally, our litigation costs are and will continue to be significant. Adverse outcomes with respect to any of the legal proceedings described above or other litigation may result in significant settlement costs or judgments, penalties, fines and sanctions. Managing legal proceedings, regulatory inquiries, litigation and audits, even if we achieve favorable outcomes, is costly, time-consuming and diverts management’s attention from our business.

The results of regulatory proceedings, investigations, inquiries, litigation, claims, and audits cannot be predicted with certainty, and determining reserves for pending litigation and other legal, regulatory and audit matters requires significant judgment and assumptions. There can be no assurance that our expectations will prove correct, and even if these matters are resolved in our favor or without significant cash settlements, these matters, and the time and resources necessary to litigate or resolve them, cause harm to our reputation, business, financial condition, results of operations and the market price of our common stock.

We are also subject to lawsuits under the FCA and comparable state laws for submitting allegedly fraudulent, inadequately supported or otherwise inappropriate bills for services to the Medicare and Medicaid programs. These lawsuits, which may be initiated by government authorities as well as private party relators, can involve significant monetary damages, fines, attorney fees and the award of bounties to private plaintiffs who successfully bring these suits, as well as to the government programs. In recent years, government oversight and law enforcement have become increasingly active and aggressive in investigating and taking legal action against potential fraud and abuse.

In July 2021, the Company received a civil investigative demand from the Attorney General for the State of Colorado under the Colorado Medicaid False Claims Act. The demand requests information and documents regarding Medicaid billing, patient services and referrals in connection with the Company’s PACE program in Colorado. We are currently unable to predict the outcome of this investigation.

In February 2022, the Company received a civil investigative demand from the Department of Justice (“DOJ”) under the Federal False Claims Act on similar subject matter. The demand requests information and documents regarding audits, billing, orders tracking, and quality and timeliness of patient services in connection with the Company’s PACE programs in the states of California, Colorado, New Mexico, Pennsylvania, and Virginia. In December 2022, the Company received a supplemental civil investigative demand from the DOJ requesting supplemental information on the same matters. We are currently unable to predict the outcome of this investigation.

Furthermore, our business exposes us to potential medical malpractice, professional negligence or other related actions or claims that are inherent in the provision of healthcare services. These claims, whether or not they have merit, could cause us to incur substantial costs, and could place a significant strain on our financial resources, divert the attention of management from our core business, harm our reputation and adversely affect our ability to attract and retain participants, any of which could have a material adverse effect on our business, financial condition and results of operations.

Although we maintain third-party professional liability insurance coverage, it is possible that claims against us may exceed the coverage limits of our insurance policies. Even if any professional liability loss is covered by an insurance policy, these policies typically have substantial deductibles for which we are responsible. Professional liability claims in excess of applicable insurance coverage could have a material adverse effect on our business, financial condition and results of operations. In addition, any professional liability claim brought against us, whether or not they have merit, could result in an increase of our professional liability insurance premiums. Insurance coverage varies in cost and can be difficult to obtain, and we cannot guarantee that we will be able to obtain insurance coverage in the future on terms acceptable to us or at all. If our costs of insurance and claims increase, then our earnings could decline.

Under our PACE contracts, we assume all of the risk that the cost of providing services will exceed our compensation.

Approximately 99.9% and 99.8% of our revenue for the years ended June 30, 2024 and 2023, respectively, was derived from capitation agreements with government payors in which we receive fixed PMPM fees. While there are variations specific to each agreement, we generally contract with government payors to receive a fixed PMPM fee to provide or manage all healthcare services a participant may require while assuming financial responsibility for the totality of our participants’ healthcare expenses. This type of contract is often referred to as an “at-risk” or a “capitation” contract.

To the extent that our participants require more care than is anticipated and/or the cost of care increases, aggregate fixed capitation payments may be insufficient to cover the costs associated with treatment. The risk pool of our population became more acute beginning in fiscal year 2023, as we were not able to replenish our population mix with newer, lower-acuity participants due to enrollment sanctions. As a result of this dynamic, together with increased salaries, wages and benefits, increased fleet and contract transportation costs, annual increases in assisted living and nursing facility unit cost and general medical inflation, our external provider costs and cost of care, excluding depreciation and amortization, represented approximately 83% of our revenue in the fiscal year 2024. If medical costs and expenses exceed the underlying capitation payment received, we will not be able to correspondingly increase our capitated payment and we could suffer losses with respect to such agreements.

Changes in our anticipated ratio of medical expense to revenue can significantly impact our financial results. Accordingly, the failure to adequately predict and control medical costs and expenses, execute or realize the benefits of our clinical value initiatives, and to make reasonable estimates and maintain adequate accruals for incurred but not reported claims, could have a material adverse effect on our business, results of operations, financial condition and cash flows. Additionally, the Medicare and Medicaid expenses of our participants may be outside of our control in the event that participants take certain actions that increase such expenses, such as emergency room visits or preventable hospital admissions.

Historically, our medical costs and expenses as a percentage of revenue have fluctuated. Factors that may cause medical expenses to exceed estimates include:

•the health status of participants requiring higher levels of care, such as nursing home care or higher incidents of hospitalization;

•higher than expected utilization of new or existing healthcare services;

•more frequent catastrophic medical cases (e.g. transplants);

•an increase in the cost of healthcare services and supplies, whether as a result of inflation, wage increases, purchases of vaccines and personal protective equipment as a result of a pandemic or epidemic, other health emergencies, or otherwise;

•emergence of new high-cost medications to treat conditions that are common in our population, such as lecanemab for Alzheimer’s Dementia;

•changes to mandated benefits or other changes in healthcare laws, regulations and practices;

•increased costs attributable to specialist physicians, hospitals and ancillary providers;

•changes in the demographics of our participants and medical trends;

•contractual or claims disputes with providers, hospitals or other service providers;

•the occurrence of catastrophes, health emergencies, including epidemics or pandemics or acts of terrorism; and

•the reduction of government payor payments.

We have experienced and expect to continue experiencing increased costs and expenditures in the future.

In fiscal year 2024, we continued several initiatives intended to lower certain of our costs, including limiting corporate staffing and certain other expenses, effecting a reduction in workforce, and optimizing working capital. However, we have made and expect to continue making significant investments in growing our business and increasing our participant base,

building capabilities to increase our sophistication as a payor to drive clinical value, improve outcomes, and manage cost trends, expanding our operations, hiring additional employees for growing or new centers, introducing or improving technology, and operating as a public company. As a result of these increased expenditures, we may not succeed in increasing our revenue sufficiently to improve our profit margins. We finance our operations principally from revenue from our participant services and the incurrence of indebtedness. We have encountered and will continue to encounter risks and difficulties frequently experienced by growing companies in rapidly changing and highly regulated industries, including increasing expenses as we continue to grow our business.

Our operating expenses have and we expect them to continue to increase over the next several years as we continue to hire additional personnel, expand our operations and infrastructure, and continue to provide services to an increasing number of participants. These investments may be more costly than we expect, and if we do not achieve the benefits anticipated from these investments, or if the realization of these benefits is delayed, our profitability could continue to decline. If our growth rate were to decline significantly or become negative, it could adversely affect our financial condition and results of operations. If we are not able to maintain positive cash flow in the long term, we may require additional financing, which may not be available on favorable terms or at all and/or which would be dilutive to our stockholders. If we are unable to successfully address these risks and challenges as we encounter them, our business, results of operations and financial condition would be adversely affected. Accordingly, we may not be able to be profitable or improve our income in the future, which could negatively impact the value of our common stock.

Our revenues and operations are dependent upon a limited number of government payors, particularly Medicare and Medicaid.

Our operations are dependent on a limited number of government payors, particularly Medicare and Medicaid, with whom we directly contract to provide services to participants. We generally manage our contracts on a state-by-state basis, entering into a separate contract in each state. When aggregating the revenue associated with Medicare and Medicaid by state, Colorado, California and Virginia accounted for a total of approximately 84.3% and 83.0% of our capitation revenue for the years ended June 30, 2024 and 2023, respectively. We believe that majority of our revenues will continue to be derived from a limited number of key government payors, which may terminate their contracts with us upon the occurrence of certain events, including as a result of inspections, reviews, audits, requests for information or investigations with adverse findings. The sudden loss of any of our government contracts or the renegotiation of any of such contracts could adversely affect our operating results. In the ordinary course of business, we engage in active discussions and renegotiations with government payors in respect of the services we provide and the terms of our agreements. As the states respond to market dynamics and financial pressures, and as government payors make strategic budgetary decisions in respect of the programs in which they participate, certain government payors may seek to renegotiate or terminate their agreements with us. Any reduction in the budgetary appropriations for our services, whether as a result of fiscal constraints due to recession, or economic downturn, emergency situations such as the COVID-19 pandemic, changes in policy or otherwise, could result in a reduction in our capitated fee payments, changes to the scope of services and possibly loss of contracts and could negatively impact our revenues, business and prospects. See Item 1A.”

Because we rely on a limited number of government-funded agencies, namely CMS and state Medicaid agencies, for a significant portion of our revenues, we depend on federal funding, as well as the financial condition of the states in which we operate, and each state’s commitment to its participation in the PACE program. Government-funded healthcare programs in the states in which we operate face a number of risks, including higher than expected healthcare costs and lack of predictability of tax basis and budget needs. If the financial condition of the states in which we operate declines, our credit risk could increase.

Reductions in PACE reimbursement rates or changes in the rules governing PACE programs could have a material adverse effect on our financial condition and results of operations.

We receive nearly all of our revenue through the PACE program, which accounted for 99.9% and 99.8% of our revenue for the years ended June 30, 2024 and 2023, respectively. As a result, our operations are dependent on government funding levels for PACE programs. Any changes that limit or reduce general PACE funding, such as reductions in or limitations of reimbursement amounts or rates under programs, reductions in funding of programs, expansion of benefits, services or treatments under programs without adequate funding, could have a material adverse effect on our business, results of operations, financial condition and cash flows.

The PACE programs and their respective reimbursement rates, payment structures and rules are subject to frequent change. These include statutory and regulatory changes, rate adjustments (including retroactive adjustments), administrative or executive orders and government funding restrictions, all of which may materially adversely affect the PACE rates at which we are compensated for our services. Budget pressures can lead federal and state governments to reduce or place limits on reimbursement rates and payment structures under PACE. Implementation of these and other types of measures has in the past and could in the future result in substantial reductions in our revenue and operating margins. Legislation enacted in 2011 requires CMS to sequester or reduce all Medicare payments, including payments to PACE organizations, by 2% per year for a period of years. We cannot predict what other deficit reduction, other payment reduction or budget enforcement initiatives may be proposed by Congress, which could impact our business, including whether Congress will attempt to increase, restructure or suspend sequestration.

Each year, CMS establishes the Medicare PACE benchmark payment rates by county for the following calendar year. In addition, our PACE revenues may become volatile in the future, which could have a material adverse impact on our business, results of operations, financial condition and cash flows.

Reductions in reimbursement rates could have a material, adverse effect on our financial condition and results of operations or even result in rates that are insufficient to cover our operating expenses. For example, our external provider costs are driven by rates set by Medicare and Medicaid, which are outside of our control and may be negotiated in a manner unfavorable to us. Additionally, any delay or default by state governments in funding our capitated payments could materially and adversely affect our business, financial condition and results of operations.

Recent legislative, judicial and executive efforts to enact further healthcare reform legislation have caused the future state of reforms under the ACA and many core aspects of the current U.S. healthcare system to be unclear. While specific changes and their timing are not yet apparent, enacted reforms and future legislative, regulatory, judicial, or executive changes, particularly any changes to the PACE program, could have a material adverse effect on our business, results of operations, financial condition and cash flows.

Our records and submissions to government payors may contain inaccurate or unsupportable information regarding risk adjustment scores of participants, which could cause us to overstate or understate our revenue and subject us to repayment obligations or penalties.

The claims and encounter records that we submit to government payors involve data that support the RAF scores attributable to participants. These RAF scores determine the payment we are entitled for the provision of medical care to such participants. The data submitted to CMS is based on diagnosis codes and medical charts that our employed, contracted, and noncontracted providers identify, record and prepare. Any issues with recording and documenting identified medical conditions, such as those that were present during the COVID-19 pandemic and could be presented during a future pandemic or epidemic, could adversely impact Medicare RAF scores and our resulting revenue for future periods. CMS periodically audits PACE organizations’ risk adjustment submissions. The submission of inaccurate, incomplete or erroneous data could result in inaccurate revenue and risk adjustment payments, which may be subject to correction or retroactive adjustment in later periods. This corrected or adjusted information may be reflected in financial statements for periods subsequent to the period in which the revenue was recorded. We could be required to refund a portion of the revenue that we received, which could have a material adverse effect on our business, results of operations, financial condition and cash flows. Historically, these true-up payments typically occur between May and August, but the timing of these payments is determined by CMS, and we have neither visibility nor control over the timing of such payments.

If CMS seeks repayment from us for payment adjustments as a result of its audits, we could also be subject to liability for penalties for inaccurate or unsupportable RAF scores provided by us or our providers. In addition, we could be liable

for penalties to the federal government under the FCA, which may include per claim penalties, plus up to three times the amount of damages caused by each false claim, which can be as much as the amounts received directly or indirectly from the government for each such false claim. There is a high potential for substantial penalties in connection with any alleged FCA violations.

Elements of the risk adjustment mechanism continue to be challenged, reevaluated, and revised by the U.S. DOJ, the OIG, and CMS. On February 1, 2023, CMS published the Medicare Advantage RADV Program Final Rule, which took effect on April 3, 2023. The final rule includes major updates to the Risk Adjustment Data Validation (“RADV”) audit methodology used by CMS to address overpayments to MA plans based on the submission of unsupported risk-adjusting diagnosis codes, which are used to determine payments under MA. Most notably, the final rule allows CMS to extrapolate RADV audit findings beginning with payment year 2018. CMS intends to initiate audits with the new methodology in calendar year 2025 beginning with payment year 2018. If CMS recovers overpayments from MA plans, those plans may seek to recover payments from us that the plans believe are attributable to risk adjustment data.

Substantial changes in the risk adjustment mechanism, including changes that result from enforcement or audit actions, could materially affect our capitated reimbursement.

Renegotiation, non-renewal or termination of capitation agreements with government payors could have a material adverse effect on our business, results of operations, financial condition and cash flows.

Under most of our capitation agreements with government payors, the state is generally permitted to adjust certain terms of the agreements from time to time. If a government payor exercises its right to adjust certain terms of the agreements, we are generally allowed a period of time to object to such adjustment. If we enter into capitation contracts with unfavorable economic terms, or a capitation contract is adjusted to include unfavorable terms, we could suffer losses with respect to such contract. In addition, some states in which we operate undergo periodic reconciliations with respect to enrollments that present a risk to our business, results of operations, financial condition and cash flows.

Our contracts with government payors may be terminated to the extent that state or federal funds are not appropriated at sufficient levels to fund our contracts or PACE programs in general. Certain of our contracts are terminable immediately upon the occurrence of certain events. Government payors may terminate, suspend or cancel our contracts, in whole or in part, for cause in the event of our noncompliance with the terms, conditions or responsibilities under the contracts, or if we are debarred or suspended from providing services by state or federal government authorities. CMS may also impose sanctions for noncompliance with regulatory or contractual requirements, including the suspension of enrollment of participants, the occurrence of which would adversely affect our operating results and our ability to pursue our growth strategies. If any of our contracts with government payors are terminated or if the government payors seek to renegotiate their contract rates with us, we may suffer a significant loss of revenue, which may adversely affect our operating results.

State and federal efforts to reduce healthcare spending could adversely affect our financial condition and results of operations.

Most of our participants are dually-eligible, meaning they are qualified for coverage under both Medicare and Medicaid when enrolled in our PACE program, and nearly all our revenue is derived from government payors. Medicaid is a joint federal and state funded program for healthcare services for low income as well as certain higher-income individuals who qualify for nursing home level of care. Under broad federal criteria, states establish rules for eligibility, services and payment. PACE programs are administered at the state level and are financed by both state and federal funds. Medicaid spending has increased rapidly in recent years, becoming a significant component of state budgets. This increase, combined with slower state revenue growth, has led both the federal government and many states to institute measures aimed at controlling the growth of Medicaid spending, and in some instances reducing aggregate Medicaid spending.

In addition, as part of past attempts to repeal, replace or modify the ACA and as a means to reduce the federal budget deficit, there have in recent years been congressional efforts to move Medicaid from an open-ended program with coverage and benefits set by the federal government to one in which states receive a fixed amount of federal funds, either through block grants or per capita caps, and have more flexibility to determine benefits, eligibility or provider payments. If those changes are implemented, we cannot predict whether the amount of fixed federal funding to the states will be based on

current payment amounts, or if it will be based on lower payment amounts, which would negatively impact those states that expanded their Medicaid programs in response to the ACA. We expect state and federal efforts to reduce healthcare spending to continue for the foreseeable future.

We depend on our senior management team and other key employees, and the loss of one or more of these employees or an inability to attract and retain other highly skilled employees could harm our business.

Our future success depends largely upon the services of our senior management team and other key employees. We rely on our leadership team in the areas of operations, provision of medical services, information technology and security, marketing, and general and administrative functions. Changes to our business strategy resulting from senior executive officer transitions could have a disruptive impact on our ability to implement our business strategy and could have a material adverse effect on our business.

Our employment agreements with our executive officers and other key personnel do not require them to continue to work for us for any specified period and, therefore, they could terminate their employment with us at any time. The loss, whether as a result of voluntary termination or illness, of one or more of the members of our senior management team, or other key employees, could harm our business. Changes in our executive management team may also cause disruptions in, and harm to, our business.

In fiscal year 2024, the nurses in our Pennsylvania centers voted to unionize and collective bargaining commenced in late 2024. These employees represent approximately 1% of our total workforce. Even though we are currently unaware of other unionization efforts, it is possible that additional employees in our Pennsylvania centers or in other geographies may follow. As we negotiate collective bargaining agreements for the two new bargaining units at the Pennsylvania centers, and any other units that may organize in the future, employees may threaten and/or engage in work stoppages and strikes, and our labor costs may continue to increase as a result. The unavailability of staff, or the inability of the Company to control labor costs related to these matters and future efforts to unionize, could have a material adverse effect on our business, reputation, prospects, results of operations and financial condition.

We have significant suppliers that may be the sole or primary source of products critical to the services we provide, or to which we have committed obligations to make purchases, sometimes at particular prices. If any of these suppliers do not meet our needs for the products they supply, including as a result of price increases, a product recall, product shortage or other supply chain issues, or a dispute, and we are not able to find adequate alternative sources, our business, results of operations, financial condition and cash flows could be materially adversely impacted. In addition, the technology related to the products critical to the services we provide is subject to new developments which may result in the availability of superior products. If we are not able to access superior products or new medical products, including biopharmaceuticals or medical devices, on a cost-effective basis or if suppliers are not able to fulfill our requirements for such products, we could face attrition with respect to our participants or health care providers and other personnel and other negative consequences which could have a material adverse effect on our business, results of operations, financial condition and cash flows.

For the fiscal year ended June 30, 2024 and 2023, 23.7% and 23.6% of our total revenues were derived from contracts with government agencies in the State of Colorado. Accordingly, any regulatory issues and developments in the State, such as the enrollment sanctions we were subject to in fiscal years 2022 and 2023, a reduction in Colorado’s budgetary appropriations for our services, whether as a result of fiscal constraints due to recession, emergency situations, such as the COVID-19 pandemic, changes in policy or otherwise, have and could in the future result in a reduction in our capitated fee payments and possibly the loss of contracts, and materially adversely impact our results.

If we fail to manage our operations effectively, we may be unable to execute our business plan, maintain effective levels of service and participant satisfaction or adequately address competitive challenges.

We have experienced, and may continue to experience, organizational change and growth, which has placed, and may continue to place, significant demands on our management and our operational and financial resources. Additionally, our organizational structure continues to become more complex as we grow and expand our operational, financial and management controls, as well as our reporting systems and procedures as a public company. We may require significant capital expenditures and the allocation of valuable management resources to grow and evolve our operational and financial operations and grow. We must ensure our personnel have the necessary licenses and competencies and continue to effectively train and manage our employees. We will be unable to manage our business effectively if we are unable to alleviate the strain on resources caused by growth in a timely and efficient manner. As we expect that our participant base will continue to grow following the lifting of sanctions in the states of California and Colorado, the planned expansion of capacity of our existing de novo centers, the opening of de novo centers, and the execution of tuck-in acquisitions, we will need to maintain best practices throughout all our centers. If we fail to effectively manage our potential growth and change or fail to ensure that the level of care and services provided by our employees complies with regulatory and contractual requirements, and levels of patient service and satisfaction, our brand and reputation, could suffer, adversely affecting our ability to attract and retain participants and employees and lead to the need for corrective actions or sanctions.

The healthcare industry is highly competitive and, if we are not able to compete effectively, our business could be harmed.

We compete directly with national, regional and local providers of healthcare for participants and clinical providers, including new or growing participants and providers. We also compete directly with payors and other alternate managed care programs for participants. There are many other companies and individuals currently providing healthcare services, many of which have been in business longer and/or have substantially more resources. Given the regulatory environment, there may be high barriers to entry for PACE providers; however, since there are relatively modest capital expenditures required for providing healthcare services, there are less substantial financial barriers to entry in the healthcare industry generally. Other companies could enter the healthcare industry in the future and divert some or all of our business. Our ability to compete successfully varies from location to location and depends on a number of factors, including the number of payors who run competitive programs in the local market, our local reputation for quality participant care, the commitment and expertise of our medical staff or contracted healthcare providers, our local service offerings and community programs, the cost of care in each locality, and the physical appearance, location and condition of our centers. If we are unable to attract participants to our centers our revenue and profitability will be adversely affected. Some of our competitors may have greater brand recognition and be more established in their respective communities than we are, and may have greater financial and other resources than we have. Further, our current or potential competitors may be acquired by third parties with greater available resources. Competing providers may also offer different programs or services than we do, which, combined with the foregoing factors, may result in our competitors being more attractive to our current participants, potential participants and referral sources. For example, additional offerings by MA and other competitors during 2024 resulted in higher than expected disenrollments during fiscal year 2024. Furthermore, while we budget for routine capital expenditures at our centers to keep them competitive in their respective markets, to the extent that competitive forces cause those expenditures to increase in the future, our financial condition may be negatively affected. In addition, our contracts with government payors are not exclusive for PACE programs in California, and competitors in California could seek to establish contracts with the state Medicaid agency and CMS to serve PACE eligible participants in our service areas. Individual physicians, physician groups and companies in other healthcare industry segments, some of which have greater financial, marketing and staffing resources, may become competitors in providing healthcare services, and this competition may have a material adverse effect on our business operations and financial position.

Our presence is currently limited to Colorado, California, Florida, New Mexico, Pennsylvania and Virginia, and we may not be able to successfully establish a presence in new geographic markets.

Prior to fiscal year 2024, we operated in Colorado, California, New Mexico, Pennsylvania and Virginia, and in fiscal year 2024, we opened two de novo centers in Florida. As a result, our exposure to many of the risks described in these risk factors are not mitigated by a diversification of geographic focus. Thereafter, we have to, among other things, recruit and retain qualified

personnel, develop new centers and establish new relationships or contracts with physicians and other healthcare and services providers. We anticipate that further geographic expansion will require us to make a substantial investment of management time, capital and/or other resources. There can be no assurance that we will be able to continue to expand our operations in any new geographic markets.

Security breaches, loss of data and other disruptions have in the past and could in the future compromise sensitive information related to our business or our participants, or prevent us from accessing critical information and expose us to liability, and could adversely affect our business and our reputation.

In the ordinary course of our business, we create, receive, maintain, transmit, collect, store, use, disclose, share and process (collectively, “Process”) sensitive data, including PHI/PII relating to our employees, participants and others. We also Process and contract with third-party service providers to Process sensitive information, including PHI/PII, confidential information and other proprietary business information.

We are highly dependent on information technology networks and systems, including our EMR system, Epic, and the internet, to securely Process PHI/PII and other sensitive data and information. Security breaches of this infrastructure, whether ours or of our third-party service providers, including physical or electronic break-ins, computer viruses, ransomware, attacks by hackers and similar breaches, and employee or contractor error, negligence or malfeasance, have occurred in the past, and have in the past and could in the future, create system disruptions, shutdowns or unauthorized access, acquisition, use, disclosure or modifications of such data or information, and could cause PHI/PII to be accessed, acquired, used, disclosed or modified without authorization, to be made publicly available, or to be further accessed, acquired, used or disclosed.

We use third-party service providers for important aspects of the Processing of employee and participant PHI/PII and other confidential and sensitive data and information, and therefore rely on third parties to manage functions that have material cybersecurity risks. Because of the sensitivity of the PHI/PII and other sensitive data and information that we and our service providers Process, the security of our technology platform and other aspects of our services, including those provided or facilitated by our third-party service providers, are important to our operations and business strategy. However, some PACE organizations that we have acquired in the past or may acquire in the future may not have implemented such agreements with their third-party service providers, which may expose us to legal claims or proceedings, liability, and penalties. We may be required to expend significant capital and other resources to protect against security breaches, to safeguard the privacy, security, and confidentiality of PHI/PII and other sensitive data and information, to investigate, contain, remediate, and mitigate actual or potential security breaches, and/or to report security breaches to participants, employees, regulators, media, credit bureaus, and other third parties in accordance with applicable law and to offer complimentary credit monitoring, identity theft protection, and similar services to participants and/or employees where required by law or otherwise appropriate. Cyber-attacks are becoming more sophisticated, and frequent, and we or our third-party service providers may be unable to anticipate these techniques or to implement adequate protective measures against them or to prevent future attacks. The prevalence of smart/handheld devices and the remote work environment has increased these risks. We exercise limited control over our third-party service providers and, in the case of some third-party service providers, may not have evaluated the adequacy of their security measures, which increases our vulnerability to problems with services they provide.

A security breach, security incident, or privacy violation that leads to unauthorized use, disclosure, access, acquisition, loss or modification of, or that prevents access to or otherwise impacts the confidentiality, security, or integrity of, participant or employee information, including PHI/PII that we or our third-party service providers process, could harm our reputation and business, compel us to comply with breach notification laws, cause us to incur significant costs for investigation, containment, remediation, mitigation, fines, penalties, settlements, notification to individuals, regulators, media, credit bureaus, and other third parties, complimentary credit monitoring, identity theft protection, training and similar services to participants and/or employees where required by law or otherwise appropriate, for measures intended to

repair or replace systems or technology and to prevent future occurrences. We may also be subject to potential increases in insurance premiums, resulting in increased costs or loss of revenue.

Even in the case of cybersecurity incidents on our third-party service-providers, we remain responsible under HIPAA for our participants’ PHI/PII and any failure on our part to comply with HIPAA in connection with such data could be subject to civil penalties, resolution agreements, monitoring or similar agreements or other enforcement action. For example, on February 21, 2024, Change Healthcare, a subsidiary of UnitedHealth Group, was the subject of a well-publicized cyberattack. Change Healthcare is the largest clearinghouse for medical claims in the U.S. and this event has caused significant delays and disruptions in payments to hospitals, physicians, pharmacists, and other health care providers across the country, including us. This cyberattack did not have a material impact on us or our operations. However, future cyber attacks on our third-party providers could have a material impact on our business.

In addition, security breaches and incidents and other compromise or inappropriate access to, or acquisition or processing of, PHI/PII or other sensitive data or information can be difficult to detect, and any delay in identifying such breaches or incidents or in providing timely notification of such incidents may lead to increased harm and increased penalties.

While we maintain insurance covering certain security and privacy damages and claim expenses, we may not carry insurance or maintain coverage sufficient to compensate for all liability and in any event, insurance coverage would not address the reputational damage that could result from a security incident.

A failure to accurately estimate incurred but not reported medical expenses could adversely affect our results of operations.

External provider costs include estimates of future medical claims that have been incurred by the participant but for which the provider has not yet billed. These claim estimates are made utilizing actuarial methods and are continually evaluated and adjusted by management, based upon our historical claims experience and other factors, including an independent assessment by a nationally recognized actuarial firm. Positive or negative adjustments, if necessary, are made when the assumptions used to determine our claims liability change and when actual claim costs are ultimately determined.

Due to uncertainties associated with the factors used in these estimates and changes in the patterns and rates of medical utilization, materially different amounts could be reported in our financial statements for a particular period under different conditions or using different, but still reasonable, assumptions. It is possible that our estimates of this type of claim may be excessive or inadequate in the future and we may be obligated to repay certain amounts to CMS. In such event, our results of operations could be adversely impacted. Further, the inability to estimate these claims accurately may also affect our ability to take timely corrective actions, further exacerbating the extent of any adverse effect on our results of operations.

In addition, our operational and financial results will experience some variability depending upon the time of year in which they are measured. For example, medical costs vary seasonally depending primarily on the weather because certain illnesses, such as the influenza virus, are far more prevalent during colder months of the year. Historically, we have seen higher levels of per-participant medical costs in the second and third quarters of our fiscal year.

We lease half of our centers and may experience risks relating to lease termination, lease expense escalators, lease extensions and special charges.

We currently lease 10 of our 20 centers. Our leases typically have terms of nine years, and generally provide for renewal or extension options for an average total potential term of approximately 23 years. Each of our lease agreements provides that the lessor may terminate the lease, subject to applicable cure provisions, for a number of reasons, including the defaults in any payment of rent, taxes or other payment obligations or the breach of any other covenant or agreement in the lease. If we are not able to renew or extend our leases at or prior to the end of the existing lease terms, or if the terms of such options are unfavorable or unacceptable to us, our business, financial condition and results of operation could be adversely affected.

A pandemic, epidemic or outbreak of an infectious disease in the United States or worldwide, such as COVID-19, as well as weather and other factors, have affected, and could in the future adversely affect our business.

Specifically, if our participants fall ill due to an outbreak, such as during the COVID-19 pandemic, we may experience a high level of unexpected deaths, increased costs, difficulties adhering to the complex government laws and regulations that apply to our business (including difficulties enrolling participants as was the case during the COVID-19 pandemic), and other effects, including a loss of revenue, negative publicity, litigation and inquiries from government regulators.

Our insurance coverage may not compensate us for losses that may occur in the event of an earthquake or other significant natural disaster. Our future operating results may be adversely affected by these and other factors that disrupt the operation of our centers.

Risks Related to Regulation

Allegations that we have failed to adhere to all of the complex government laws and regulations that apply to our business have had and could in the future have a material adverse effect on our business, results of operations, financial condition, cash flows, reputation and stock price.

Our operations are subject to extensive federal, state and local government laws and regulations, such as:

•Federal Medicare, federal and state Medicaid, and federal and state PACE statutes and regulations, which are continuously changing and evolving;

•federal and state anti-kickback and self-referral laws, which prohibit, among other things, the knowing and willful offer, payment, solicitation or receipt of any bribe, kickback or remuneration, whether in cash or in kind, for referring an individual, in return for ordering, leasing, purchasing or recommending or arranging for or to induce the referral of an individual or the ordering, purchasing or leasing of items or services covered, in whole or in part, by federal healthcare programs, such as Medicare and Medicaid, or by any payor;

•the federal civil false claims laws, including the FCA and associated regulations, which impose civil penalties through governmental, whistleblower or qui tam actions, on individuals or entities for, among other things, knowingly submitting false or fraudulent claims for payment to the government or knowingly making, or causing to be made, a false statement in order to have a claim paid. When an entity is determined to have violated the FCA, the government may impose civil fines and penalties ranging from $13,946 to $27,894 for each false claim, plus treble damages, and exclude the entity from participation in Medicare, Medicaid and other federal healthcare programs;

•the federal false claims laws, which impose criminal penalties on individuals who make or present a false, fictitious, or fraudulent claim to the government that the individual knew was false, fictitious, or fraudulent, and was made with the specific intent to violate the law or with a consciousness of wrongdoing;

•state false claims laws, which generally follow the FCA and apply to claims submitted to state healthcare programs, and state health insurance fraud laws that impose penalties for the submission of false or fraudulent claims by providers to commercial insurers or other payors of healthcare services;

•the federal Civil Monetary Penalties Statute and associated regulations, which impose civil fines for, among other things, the offering or transfer of remuneration to a Medicare or state healthcare program beneficiary if the person knows or should know such remuneration is likely to influence the beneficiary’s selection of a particular provider or supplier of services reimbursable by Medicare or a state healthcare program, unless an

exception applies, and which authorize assessments and program exclusion for various forms of fraud and abuse involving the Medicare and Medicaid programs;

•the federal healthcare fraud statute and its implementing regulations, which created federal criminal laws that prohibit, among other things, executing or attempting to execute a scheme to defraud any healthcare benefit program or making false statements relating to healthcare matters;

•federal and state laws regarding the collection, use disclosure and, protection of personal identifiable information or PII and protected health information or PHI (e.g., HIPAA and the CCPA) and the storage, handling, shipment, disposal and/or dispensing of pharmaceuticals and blood products and other biological materials, and many other applicable state and federal laws and requirements;

•state and federal statutes and regulations that govern workplace health and safety;

•federal and state laws and policies that require healthcare providers to maintain licensure, certification or accreditation to provide services to patients or to enroll and participate in the Medicaid programs, to report certain changes in their operations to the agencies that administer these programs and, in some cases, to re-enroll in these programs when changes in direct or indirect ownership occur;

•federal and state scope of practice and other laws pertaining to the provision of services by qualified healthcare providers, including those pertaining to the provision of services by nurse practitioners and physician assistants in certain settings and requirements for physician supervision of those services;

•state laws restricting the corporate practice of medicine; and

•federal or state consumer protection laws that regulate various trade practices (e.g. consumer communications or consumer-facing activities).

In addition to the above, PACE contracts also impose complex and extensive requirements upon our operations.

Federal and state manuals, policies, and other guidance may also affect our operations.

The various laws, regulations, and agency guidance that apply or relate to our operations are often subject to varying interpretations, and additional laws and regulations potentially affecting healthcare organizations continue to be promulgated and issued. A violation or departure from any of the legal requirements applicable to our business may result in, among other things, government audits, decreased payment rates, significant fines and penalties, the potential loss of licensure or certification, recoupment efforts or retractions of reimbursement previously paid, voluntary repayments, exclusion from governmental healthcare programs, written warnings, corrective action plans, monitoring, reputational harm, suspension of new enrollment or the restriction of current enrollment, the withholding of payments under the PACE program agreement, and termination of the PACE program agreement. These legal requirements may be civil or administrative in nature. We are subject to federal and state regulations that require PACE organizations to maintain fiscally sound operations, as defined by CMS and applicable state agencies. We submit regular financial reports to governmental authorities and are subject to routine financial reviews and audits by both CMS and state agencies. For example, federal and state governments evaluate our assets and liabilities, cash flows, and net operating surpluses against specific regulatory requirements. From time to time, federal and state authorities may identify aspects of the finances of our PACE organizations that do not comply with federal or state requirements and may require us to submit clarifications and/or take action to adjust the capitalization or other financial status of such entities. As state agencies promulgate additional regulations applicable to PACE and issue sub-regulatory guidance, we will have to allocate sufficient resources to ensure compliance with both federal and state regulations.

We endeavor to comply with all legal requirements. We utilize considerable resources to monitor laws and regulations and implement necessary changes. However, the laws and regulations in these areas are complex, changing and often subject to varying interpretations, and any failure to satisfy applicable laws and regulations could have a material adverse impact on our business, results of operations, financial condition, cash flows and reputation. We may face penalties, including penalties under the FCA, if we fail to report and return government overpayments within 60 days of when the overpayment is identified and quantified. See Item 1A. Risk Factors, “Risks Related to Our Business—” Additionally, the federal government has used the FCA to prosecute a wide variety of alleged false claims

and fraud allegedly perpetrated against Medicare, Medicaid, and other federally funded healthcare programs. In recent years, the number of suits brought in the medical industry by private individuals has increased dramatically. Given the high volume of claims processed by our various operating units, the potential is high for substantial penalties in connection with any alleged FCA violations.

In addition to the provisions of the FCA, the federal government can use several criminal statutes to prosecute persons who are alleged to have submitted false or fraudulent claims for payment to the federal government.

If any of our operations are found to violate these or other government laws or regulations, we could suffer severe consequences that would have a material adverse effect on our business, results of operations, financial condition, cash flows, reputation and stock price, including:

•suspension, termination or exclusion of our participation in government payment programs;

•refunds of amounts received in violation of law or applicable payment program requirements dating back to the applicable statute of limitation periods;

•criminal or civil liability, fines, damages or monetary penalties for violations of healthcare fraud and abuse laws, including the Anti-Kickback Statute, Civil Monetary Penalties Statute and FCA, or other failures to meet regulatory requirements;

•enforcement actions by governmental agencies and/or state law claims for monetary damages for patients or employees relating to breach or impermissible use or disclosure of, or other incident relating to PHI and other types of personal data or PII that we collect, use, and disclose, in violation of federal or state privacy laws, including, for example and without limitation, HIPAA or state data privacy and security laws;

•mandated changes to our practices or procedures that could significantly increase operating expenses;

•imposition of and compliance with corporate integrity agreements, monitoring agreements or corrective action plans that could subject us to ongoing audits and reporting requirements as well as increased scrutiny of our billing and business practices;

•termination of various relationships and/or contracts related to our business, including joint venture arrangements, real estate leases and consulting agreements; and

•harm to our reputation, which could negatively impact our business relationships, affect our ability to attract and retain participants and healthcare professionals, affect our ability to obtain financing and decrease access to new business opportunities, among other things.

We are, from time to time, and may in the future continue to be, a party to various lawsuits, demands, claims, governmental investigations, audits (including investigations or other actions resulting from our obligation to self-report suspected violations of law), and other legal matters. Responding to subpoenas, requests for information, investigations and other lawsuits, claims, and legal proceedings as well as defending ourselves in such matters has required management’s attention and caused us to incur significant legal expense. It is possible that criminal proceedings may be initiated against us and/or individuals in our business in connection with investigations by the federal government. The results of such lawsuits cannot be predicted. Qui tam actions are filed under seal and impose a mandatory duty on the U.S. DOJ to investigate such allegations, and because qui tam suits are filed under seal, we could be subject to suits of which we are not aware or have been ordered by the presiding court not to discuss or disclose.

We, our healthcare professionals, and the centers in which we operate, are subject to various federal, state and local licensing, certification and other laws and regulations, relating to, among other things, the quality of medical care, equipment, privacy of health information, physician relationships, telehealth, personnel and operating policies and procedures. We routinely take the steps we believe are necessary to retain or obtain requisite licensure and operating authorities. While we endeavor to comply with federal, state and local licensing and certification laws and regulations and standards as we interpret them, the laws and regulations in these areas are complex, changing and often

subject to varying interpretations. Any failure to satisfy applicable laws and regulations could have a material adverse impact on our business, results of operations, financial condition, cash flows, and reputation.

If we are unable to effectively adapt to changes in the healthcare industry, including changes to laws and regulations regarding or affecting U.S. healthcare reform, our business could be harmed.

Due to the importance of the healthcare industry in the lives of all Americans, federal, state, and local legislative bodies frequently pass legislation and administrative agencies promulgate regulations relating to healthcare reform or that affect the healthcare industry. As has been the trend in recent years, it is reasonable to assume that there will continue to be increased government oversight and regulation of the healthcare industry in the future. We cannot assure our stockholders as to the ultimate content, timing or effect of any new healthcare legislation or regulations, nor is it possible at this time to estimate the impact of potential new legislation or regulations on our business.

Since nearly all of our revenue is derived from government payors, we are always subject to regulatory changes. Federal and state legislators routinely introduce and consider proposed legislation that would impact Medicare, Medicaid, and PACE funding and operations, and state and federal agencies also consider and implement regulations and guidance that impact our business. Similarly, changes in private payor reimbursement policies could lead to adverse changes in Medicare, Medicaid and other governmental healthcare programs, which could have a material adverse effect on our business, financial condition and result of operations.

While we believe that we have structured our agreements and operations in material compliance with applicable healthcare laws and regulations, there can be no assurance that regulators will agree with our approach or that we will be able to successfully address changes in the current legislative and regulatory environment. Furthermore, the healthcare laws and regulations applicable to us may be amended or interpreted in a manner that could have a material adverse effect on our business, prospects, results of operations and financial condition.

Laws regulating the corporate practice of medicine could restrict the manner in which we are permitted to conduct our business, and the failure to comply with such laws could subject us to penalties or require a restructuring of our business.

Some of the states in which we currently operate have laws that prohibit business entities, such as us, from practicing medicine, employing physicians or other clinicians to practice medicine, exercising control over medical decisions by physicians or other clinicians or engaging in certain arrangements, such as fee-splitting, with physicians or other clinicians (such activities generally referred to as the “corporate practice of medicine”). In some states, these prohibitions are expressly stated in a statute or regulation, while in other states the prohibition is a matter of judicial or regulatory interpretation. For example, in Pennsylvania, the statutes that pertain to the employment of healthcare practitioners by healthcare centers do not explicitly include a PACE organization in the list of healthcare centers by which a healthcare practitioner may be employed. Other states in which we may operate in the future may also generally prohibit the corporate practice of medicine. While we endeavor to comply with state corporate practice of medicine laws and regulations as we interpret them, the laws and regulations in these areas are complex, changing, and often subject to varying interpretations. The interpretation and enforcement of these laws vary significantly from state to state.

Penalties for violations of the corporate practice of medicine vary by state and may result in physicians being subject to disciplinary action, as well as forfeiture of revenues from payors for services rendered.

Any of these outcomes may have a material adverse effect on our business, results of operations, financial condition, cash flows and reputation.

Laws governing the review and approval of healthcare transactions could limit our ability to grow our business.

Several states, including California, have adopted laws focused on competition, quality, access, and cost that authorize state agencies to review and approve healthcare transactions, and many other states, including Pennsylvania, are

considering similar legislation. California is also considering additional legislation that would provide the California attorney general with approval authority with respect to certain health care transactions. We have in the past and continue to intend to grow our business through acquisitions, and these laws could negatively affect our ability to grow in implicated states in the future.

Our use, disclosure, and other processing of PHI/PII is subject to HIPAA, CCPA as amended by the CPRA and other federal and state privacy and security regulations, and our failure to comply with those laws and regulations or to adequately secure the information we hold could result in significant liability or reputational harm and, in turn, a material adverse effect on our participant base and revenue.

Numerous state and federal laws and regulations govern the collection, dissemination, use, disclosure, destruction, retention, privacy, confidentiality, security, availability, integrity and other processing of PHI/PII. These laws and regulations include HIPAA. HIPAA establishes a set of national privacy and security standards for the protection of PHI by health plans, healthcare clearinghouses, and certain healthcare providers, referred to as covered entities, and the business associates with whom such covered entities contract for services. A business associate is any person or entity (other than members of a covered entity’s workforce) that performs a service for or on behalf of a covered entity involving the use or disclosure of protected health information.

HIPAA requires covered entities, such as ourselves, and their business associates to develop and maintain policies and procedures with respect to PHI that is used or disclosed, including the adoption of administrative, physical and technical safeguards to protect such information. HIPAA also implemented the use of standard transaction code sets and standard identifiers that covered entities must use when submitting or receiving certain electronic healthcare transactions, including activities associated with the billing and collection of healthcare claims.

HIPAA imposes mandatory penalties for certain violations. Under a notice of enforcement discretion issued by HHS in 2019, penalties for violations of HIPAA and its implementing regulations start at $100 (not adjusted for inflation) per violation and are not to exceed approximately $63,000 (not adjusted for inflation) per violation, subject to a cap of approximately $1.9 million (not adjusted for inflation) for violations of the same standard in a single calendar year. However, a single breach incident can result in violations of multiple standards. In addition, HIPAA provides for criminal penalties of up to $250,000 and ten years in prison, with the severest penalties for obtaining and disclosing PHI with the intent to sell, transfer or use such information for commercial advantage, personal gain or malicious harm. HIPAA also authorizes state attorneys general to file suit on behalf of their residents. Courts may award damages, costs and attorneys’ fees related to violations of HIPAA in such cases. While HIPAA does not create a private right of action allowing individuals to sue us in civil court for violations of HIPAA, its standards have been used as the basis for duty of care in state civil suits such as those for negligence or recklessness in the misuse or breach of PHI.

In addition, HIPAA mandates that the Secretary of HHS conduct periodic compliance audits of HIPAA covered entities and business associates for compliance with the HIPAA Privacy and Security Standards. It also tasks HHS with establishing a methodology whereby harmed individuals who were the victims of breaches of unsecured PHI may receive a percentage of the civil monetary penalty fine paid by the violator.

HIPAA further requires that individuals be notified of any unauthorized acquisition, access, use or disclosure of their unsecured PHI that compromises the privacy or security of such information, with certain exceptions related to unintentional or inadvertent use or disclosure by employees or authorized individuals. HIPAA specifies that such notifications must be made “without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.” If a breach affects 500 individuals or more, it must be reported to HHS without unreasonable delay, and in no case later than 60 calendar days after discovery, and HHS will automatically investigate the breach and post the name of the entity on its public breach portal. If a breach involves fewer than 500 people, the covered entity must record it in a log and notify HHS at least annually. Breaches affecting more than 500 residents in the same state or jurisdiction must also be reported to the local media. Looking ahead, it is possible that Congress could pursue a federal privacy bill to harmonize privacy regimes across states.

In addition to HIPAA, numerous other federal and state laws and regulations protect the confidentiality, privacy, availability, integrity and security of individually identifiable information. State statutes and regulations vary from state to state, and these laws and regulations in many cases are more restrictive than, and may not be preempted by, HIPAA and its implementing rules. For example, the CCPA provides certain exceptions for PHI, but is still applicable to certain PII we process in the ordinary course of our business. The effects of the CCPA are wide-ranging and afford consumers certain rights with respect to PII, including a private right of action for data breaches involving certain personal

information of California residents. Efforts at the federal level to enact similar laws have been ongoing. As new data security laws are implemented, we may not be able to timely comply with such requirements, or such requirements may not be compatible with our current processes. Changing our processes could be time consuming and expensive, and failure to implement required changes in a timely manner could subject us to liability for non-compliance. Consumers may also be afforded a private right of action for certain violations of privacy laws. This complex, dynamic legal landscape regarding privacy, data protection, and information security creates significant compliance issues for us and potentially restricts our ability to process data and may expose us to additional expense, adverse publicity, and liability. While we believe we have implemented data privacy and security measures in an effort to comply with applicable laws and regulations, and we have implemented measures to require our third-party service providers to maintain reasonable data privacy and security measures, we cannot guarantee that these efforts will be adequate, and we may be subject to cybersecurity, ransomware or other security incidents. Further, it is possible that laws, rules and regulations relating to privacy, data protection, or information security may be interpreted and applied in a manner that is inconsistent with our practices or those of our third-party service providers. If we or these third parties are found to have violated such laws, rules or regulations, it could result in regulatory investigations, litigation awards or settlements, government-imposed fines, orders requiring that we or these third parties change our or their practices, or criminal charges, which could adversely affect our business. Complying with these various laws and regulations could cause us to incur substantial costs or require us to change our business practices, systems and compliance procedures in a manner adverse to our business.

We also publish statements to our participants that describe how we handle and protect PHI. If federal or state regulatory authorities, such as the FTC, or private litigants consider any portion of these statements to be untrue, we may be subject to claims of deceptive practices, which could lead to significant liabilities and consequences, including, without limitation, costs of responding to investigations, defending against litigation, settling claims, and complying with regulatory or court orders. The FTC sets expectations for failing to take appropriate steps to keep consumers’ personal information secure, or failing to provide a level of security commensurate to promises made to individual about the security of their personal information (such as in a privacy notice) may constitute unfair or deceptive acts or practices in violation of Section 5(a) of the Federal Trade Commission Act (“FTC Act”). The FTC expects a company’s data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. Individually identifiable health information is considered sensitive data that merits stronger safeguards. With respect to privacy, the FTC also sets expectations that companies honor the privacy promises made to individuals about how the company handles consumers’ personal information; any failure to honor promises, such as the statements made in a privacy policy or on a website, may also constitute unfair or deceptive acts or practices in violation of the FTC Act. While we do not intend to engage in unfair or deceptive acts or practices, the FTC has the power to enforce promises as it interprets them, and events that we cannot fully control, such as data breaches, may be result in FTC enforcement. Enforcement by the FTC under the FTC Act can result in civil penalties or enforcement actions. Any of the foregoing consequences could seriously harm our business and our financial results.

Risks Related to Our Indebtedness

Our existing indebtedness could adversely affect our business and growth prospects.

As of June 30, 2024, we had total outstanding debt of (i) $63.8 million principal amount under the Term Loan Facility (as defined in Note 7, “Long-term Debt” to the consolidated financial statements), and (ii) $2.2 million principal amount under the convertible term loan. Our indebtedness, or any additional indebtedness we may incur, could require us to divert funds identified for other purposes for debt service, impairing our liquidity position. If we cannot generate sufficient cash flow from operations to service our debt, we may need to refinance our debt, dispose of assets or issue equity to obtain necessary funds. We do not know whether we will be able to take any of these actions on a timely basis, or on terms satisfactory to us or at all.

Our indebtedness and the cash flow needed to satisfy our debt have important consequences, including:

•limiting funds otherwise available for financing our capital expenditures and pursuing our growth strategies by requiring us to dedicate a portion of our cash flows from operations to the repayment of debt and the interest on this debt;

•making us more vulnerable to rising interest rates; and

•making us more vulnerable in the event of a downturn in our business.

Our level of indebtedness may place us at a competitive disadvantage to our competitors that are less leveraged. Fluctuations in interest rates can increase borrowing costs. In addition, developments in tax policy, such as the disallowance of tax deductions for interest paid on outstanding indebtedness, could have an adverse effect on our liquidity and our business, financial conditions and results of operations.

We expect to use cash flow from operations to meet current and future financial obligations, including funding our operations, debt service requirements and capital expenditures necessary to grow and maintain our businesses. The ability to make these payments depends on our financial and operating performance, which is subject to prevailing economic, industry and competitive conditions and to certain financial, business, economic and other factors beyond our control.

In addition, the 2021 Credit Agreement (as defined in Note 7, “Long-term Debt” to the consolidated financial statements) contains a number of restrictive covenants that impose significant operating and financial restrictions on us and may limit our ability to engage in acts that may be in our long-term best interests. A breach of the covenants or restrictions under the 2021 Credit Agreement could result in an event of default under such document. Such a default may allow the creditors to accelerate the related debt and terminate all commitments to extend credit thereunder and may result in the acceleration of any other debt to which a cross-acceleration or cross-default provision applies. In the event the holders of our indebtedness accelerate the repayment, we may not have sufficient assets to repay that indebtedness or be able to borrow sufficient funds to refinance it. Even if we are able to obtain new financing, it may not be on commercially reasonable terms or on terms acceptable to us.

Our failure to raise additional capital or generate cash flows necessary to expand our operations and invest in participant services in the future could reduce our ability to compete successfully and harm our results of operations.

We may need to raise additional funds, and we may not be able to obtain additional debt or equity financing on favorable terms or at all. If we raise additional equity financing, our security holders may experience significant dilution of their ownership interests. If we engage in additional debt financing, we may be required to accept terms that restrict our operational flexibility and our ability to incur additional indebtedness, force us to maintain specified liquidity or other ratios or restrict our ability to pay dividends or make acquisitions. If we need additional capital and cannot raise it on acceptable terms, or at all, we may not be able to, among other things:

•develop and enhance our participant services;

•continue to expand our business either by increasing enrollment or building de novo centers;

•hire, train and retain employees;

•respond to competitive pressures or unanticipated working capital requirements; or

•pursue acquisition opportunities.

Risks Related to Our Common Stock

Our Principal Shareholders control us, and their interests may conflict with ours or yours in the future.

Our Principal Shareholders own approximately 83% of our common stock, which means that they control the vote of all matters submitted to a vote of our shareholders, which enables them to control the election of the members of the Board and all other corporate decisions. This concentration of ownership may delay, deter or prevent acts that would be favored by our other shareholders. The interests of the Principal Shareholders may not always coincide with our interests or the interests of our other shareholders. Even when the Principal Shareholders cease to own shares of our stock representing a majority of the total voting power, for so long as the Principal Shareholders continue to own a significant percentage of our stock, the Principal Shareholders will still be able to significantly influence the composition of our Board and the approval of actions requiring shareholder approval. Accordingly, for such period of time, the Principal Shareholders will have significant influence with respect to our management, business plans and policies, including the appointment and removal of our officers, decisions on whether to raise future capital and amend our charter and bylaws, which govern the rights attached to our common stock. In particular, for so long as the Principal Shareholders continue to own a significant percentage of our stock, the Principal Shareholders will be able to cause or prevent a change of control of us or a change in

the composition of our Board and could preclude any unsolicited acquisition of us. The concentration of ownership could deprive you of an opportunity to receive a premium for your shares of common stock as part of a sale of us and ultimately might affect the market price of our common stock. In addition, this concentration of ownership may adversely affect the trading price of our common stock because investors may perceive disadvantages in owning shares in a company with significant stockholders.

In addition, we are party to a Director Nomination Agreement (defined herein) with the Principal Shareholders that provides the Principal Shareholders the right to designate: (i) all of the nominees for election to our Board for so long as the Principal Shareholders collectively beneficially own at least 40% of the Original Amount (as defined therein); (ii) 40% of the nominees for election to our Board for so long as the Principal Shareholders collectively beneficially own less than 40% but at least 30% of the Original Amount; (iii) 30% of the nominees for election to our Board for so long as the Principal Shareholders collectively beneficially own less than 30% but at least 20% of the Original Amount; (iv) 20% of the nominees for election to our Board for so long as the Principal Shareholders collectively beneficially own less than 20% but at least 10% of the Original Amount; and (v) one of the nominees for election to our Board for so long as the Principal Shareholders collectively beneficially own at least 5% of the Original Amount. If TCO Group Holdings, L.P., the investment vehicle through which the Principal Shareholders hold their investment is dissolved, then each of the Principal Shareholders will be permitted to nominate (i) up to three directors so long as it owns at least 25% of the Original Amount, (ii) up to two directors so long as it owns at least 15% of the Original Amount and (iii) one director so long as it owns at least 5% of the Original Amount. The Principal Shareholders may also assign such right to their affiliates.

The Principal Shareholders and their affiliates engage in a broad spectrum of activities, including investments in the healthcare industry generally. In the ordinary course of their business activities, the Principal Shareholders and their affiliates may engage in activities where their interests conflict with our interests or those of our other shareholders, such as investing in or advising businesses that directly or indirectly compete with certain portions of our business or are suppliers or customers of ours. Our certificate of incorporation provides that neither the Principal Shareholders, any of their affiliates or any director who is not employed by us (including any non-employee director who serves as one of our officers in both her or his director and officer capacities) or its affiliates have any duty to refrain from engaging, directly or indirectly, in the same business activities or similar business activities or lines of business in which we operate. In addition, the Principal Shareholders may have an interest in pursuing acquisitions, divestitures and other transactions that, in their judgment, could enhance their investment, even though such transactions might involve risks to you.

We are a “controlled company” within the meaning of the rules of Nasdaq and, as a result, we qualify for, and intend to continue relying on, exemptions from certain corporate governance requirements. Therefore, you do not have the same protections as those afforded to stockholders of companies that are subject to such governance requirements.

The Principal Shareholders control a majority of the voting power of our outstanding common stock. As a result, we are a “controlled company” within the meaning of the corporate governance standards of the Nasdaq Global Select Market (“Nasdaq”). Under these rules, a company of which more than 50% of the voting power for the election of directors is held by an individual, group or another company is a “controlled company” and may elect not to comply with certain corporate governance requirements, including:

•the requirement that a majority of our Board consist of independent directors;

•the requirement that nominees to our Board are to be selected, or recommended for the Board’s selection, either by independent directors constituting a majority of the Board’s independent directors or by a nominations committee that is composed entirely of independent directors;

•the requirement that we have a compensation committee that is composed entirely of independent directors with a written charter addressing the committee’s purpose and responsibilities; and

•the requirement for an annual performance evaluation of the Board and its committees.

We currently utilize and intend to continue utilizing certain of these exemptions as long as they are available to us, and in the future, we could utilize additional exemptions. Accordingly, you do not have the same protections afforded to shareholders of companies that are subject to all of the corporate governance requirements of Nasdaq.

We qualify as an “emerging growth company” and a “smaller reporting company” and we have elected to comply with reduced public company reporting requirements, which could make our common stock less attractive to investors.

We are an “emerging growth company,” as defined in the JOBS Act and a “smaller reporting company” as defined by the Exchange Act. For as long as we continue to qualify as an emerging growth company, we are eligible for certain exemptions from various public company reporting requirements. These exemptions include, but are not limited to, (i) not being required to comply with the auditor attestation requirements of Section 404 of the Sarbanes-Oxley Act, (ii) reduced disclosure obligations regarding executive compensation in our periodic reports, proxy statements and registration statements, (iii) exemptions from the requirements of holding a nonbinding advisory vote on executive compensation and shareholder approval of any golden parachute payments not previously approved, and (iv) an extended transition period to comply with new or revised accounting standards applicable to public companies. Additionally, as long as we qualify as a smaller reporting company, we are required to present only the two most recent fiscal years of audited financial statements in our Annual Reports on Form 10-K.

Additionally, even after we no longer qualify as an “emerging growth company,” we may still qualify as a “smaller reporting company” if the market value of our common stock held by non-affiliates is below $250 million (or $700 million if our annual revenue is less than $100 million) as of December 31 in any given year, which would allow us to continue taking advantage of certain of these exemptions.

We cannot predict if investors will find our common stock less attractive as a result of reliance on these exemptions. If some investors find our common stock less attractive as a result of any choice we make to reduce disclosure, there may be a less active trading market for our common stock and the market price for our common stock may be more volatile.

The requirements of being a public company may strain our resources and distract our management, which could make it difficult to manage our business, particularly after we no longer qualify as an “emerging growth company” or a “smaller reporting company.”

As a public company, we are subject to the reporting requirements of the Exchange Act and the Sarbanes-Oxley Act, the listing requirements of Nasdaq and other applicable securities rules and regulations. We have made, and will continue to make, changes to our internal controls and procedures for financial reporting and accounting systems to meet our reporting obligations as a public company. However, the measures we take may not be sufficient to satisfy our obligations as a public company. These additional obligations could have a material adverse effect on our business, financial condition and results of operations.

The Sarbanes-Oxley Act requires, among other things, that we establish and maintain effective internal controls and procedures for financial reporting. The existence of any material weaknesses or significant deficiency in internal controls over financial reporting would require management to devote significant time and incur significant expenses to remediate any such issue and management may not be able to remediate the issue in a timely manner. The existence of any material weaknesses or significant deficiency could cause us to reissue our financial statements, fail to meet reporting deadlines or undermine shareholders’ confidence in our reported financial statements, all of which could materially and adversely impact our stock price.

In addition, changing laws, regulations and standards relating to corporate governance and public disclosure, such as disclosures related to climate emissions, are creating uncertainty for public companies, increasing legal and financial

compliance costs and making some activities more time consuming. These laws, regulations and standards are subject to varying interpretations, in many cases due to their lack of specificity and, as a result, their application in practice may evolve over time as new guidance is provided by regulatory and governing bodies. This could result in continuing uncertainty regarding compliance matters and higher costs necessitated by ongoing revisions to disclosure and governance practices. We invest in resources to comply with evolving laws, regulations and standards, and this investment may result in increased general and administrative expenses and a diversion of our management’s time and attention from revenue-generating activities to compliance activities. If our efforts to comply with new laws, regulations and standards differ from the activities intended by regulatory or governing bodies due to ambiguities related to their application and practice, regulatory authorities may initiate legal proceedings against us and there could be a material adverse effect on our business, financial condition and results of operations.

Provisions of our corporate governance documents could make an acquisition of us more difficult and may prevent attempts by our shareholders to replace or remove our current management, even if beneficial to our shareholders.

In addition to the Principal Shareholders’ beneficial ownership of a combined 83% of our common stock, our Director Nomination Agreement, certificate of incorporation and bylaws and the Delaware General Corporation Law (the “DGCL”), contain provisions that could make it more difficult for a third party to acquire us without the consent of our Board or the Principal Shareholders, even if doing so might be beneficial to our shareholders. Among other things, these provisions:

•allow us to authorize the issuance of undesignated preferred stock, the terms of which may be established and the shares of which may be issued without shareholder approval, and which may include supermajority voting, special approval, dividend, or other rights or preferences superior to the rights of shareholders;

•provide for a classified board of directors with staggered three-year terms;

•prohibit shareholder action by written consent from and after the date on which the Principal Shareholders beneficially own, in the aggregate, less than 35% of our common stock then outstanding;

•provide that, from and after the date on which the Principal Shareholders beneficially own less than 50% of our common stock then outstanding, any amendment, alteration, rescission or repeal of our bylaws by our shareholders will require the affirmative vote of the holders of at least 662∕3% in voting power of all the then-outstanding shares of our stock entitled to vote thereon, voting together as a single class; and

•establish advance notice requirements for nominations for elections to our Board or for proposing matters that can be acted upon by shareholders at shareholder meetings, provided, however, that at any time when a Principal Shareholder beneficially owns at least 5% of our common stock then outstanding, such advance notice procedure will not apply to such Principal Shareholder.

Our certificate of incorporation contains a provision that provides us with protections similar to Section 203 of the DGCL, and prevents us from engaging in a business combination with a person (excluding the Principal Shareholders and any of their direct or indirect transferees and any group as to which such persons are a party) who acquires at least 85% of our common stock for a period of three years from the date such person acquired such common stock, unless Board or shareholder approval is obtained prior to the acquisition. These provisions could discourage, delay or prevent a transaction involving a change in control of our Company. These provisions could also discourage proxy contests and make it more difficult for you and other shareholders to elect directors of your choosing and cause us to take other corporate actions you desire, including actions that you may deem advantageous, or negatively affect the trading price of our common stock. In addition, because our Board is responsible for appointing the members of our management team, these provisions could in turn affect any attempt by our shareholders to replace current members of our management team.

These and other provisions in our certificate of incorporation, bylaws and Delaware law could make it more difficult for shareholders or potential acquirers to obtain control of our Board or initiate actions that are opposed by our then-current Board, including delay or impede a merger, tender offer or proxy contest involving our Company. The existence of these provisions could negatively affect the price of our common stock and limit opportunities for you to realize value in a corporate transaction.

Our certificate of incorporation designates the Court of Chancery of the State of Delaware as the exclusive forum for certain litigation that may be initiated by our shareholders and the federal district courts of the United States as the

exclusive forum for litigation arising under the Securities Act, which could limit our shareholders’ ability to obtain a favorable judicial forum for disputes with us.

Pursuant to our certificate of incorporation, unless we consent in writing to the selection of an alternative forum, the Court of Chancery of the State of Delaware (or, if the Court of Chancery does not have jurisdiction, the United States District Court for the District of Delaware) will, to the fullest extent permitted by law, be the sole and exclusive forum for (i) any derivative action or proceeding brought on behalf of us, (ii) any action asserting a claim of breach of fiduciary duty owed by, or other wrongdoing by, any our directors, officers, employees or agents to us or our stockholders, creditors or other constituents, or a claim of aiding and abetting any such breach of fiduciary duty, (iii) any action asserting a claim against the us or any of our directors or officers or other employees arising pursuant to any provision of the DGCL or our certificate of incorporation or our Bylaws (as either may be amended, restated, modified, supplemented or waived from time to time), (iv) any action to interpret, apply, enforce or determine the validity of our certificate of incorporation or our bylaws, (v) any action asserting a claim against us or any of our directors or officers or other employees governed by the internal affairs doctrine or (vi) any action asserting an “internal corporate claim” as that term is defined in Section 115 of the DGCL. Our certificate of incorporation also provides that, unless we consent in writing to the selection of an alternative forum, the federal district courts of the United States shall be the exclusive forum for the resolution of any complaint asserting a cause of action arising under the Securities Act. However, Section 22 of the Securities Act creates concurrent jurisdiction for federal and state courts over all suits brought to enforce a duty or liability created by the Securities Act or the rules and regulations thereunder; accordingly, we cannot be certain that a court would enforce such provision. Our certificate of incorporation further provides that any person or entity purchasing or otherwise acquiring any interest in shares of our capital stock is deemed to have notice of and consented to the provisions of our certificate of incorporation described above; however, our shareholders will not be deemed to have waived our compliance with the federal securities laws and the rules and regulations thereunder. The forum selection provisions in our certificate of incorporation may have the effect of discouraging lawsuits against us or our directors and officers and may limit our shareholders’ ability to obtain a favorable judicial forum for disputes with us. If the enforceability of our forum selection provision were to be challenged, we may incur additional costs associated with resolving such a challenge. While we currently have no basis to expect any such challenge would be successful, if a court were to find our forum selection provision to be inapplicable or unenforceable, we may incur additional costs associated with having to litigate in other jurisdictions, which could have an adverse effect on our business, financial condition and results of operations and result in a diversion of the time and resources of our employees, management and Board.

Our operating results have fluctuated and may fluctuate significantly in the future, which makes our future operating results difficult to predict and could cause such results to fall below any guidance, targets or goals we provide.

These fluctuations may be driven by a variety of factors, many of which are outside of our control, including, but not limited to:

• our ability to execute our growth strategy, including our ability to identify and successfully complete acquisitions and expand via de novo centers within existing and new markets;

• our inability to control expenses and increases to the cost of care, including as a result of the composition of our participant pool, macroeconomic factors such as such as labor shortages, high inflation, and health emergencies;

• the results of current and future, routine and non-routine inspections, reviews, audits and investigations under federal and state government programs and contracts, and any resulting sanctions or remediation efforts as a result of such government actions; and

• legal proceedings, enforcement actions and litigation, malpractice and privacy disputes to which we are currently and may in the future be party to.

The impact of any one of the factors discussed above or any other factors discussed in this “Risk Factors” section, or the cumulative effects of a combination of such factors, could result in significant fluctuations and unpredictability in our quarterly and annual operating results. As a result of such variability and unpredictability, our revenue or operating results could fall short of our expectations or any guidance we provide and we may also fail to meet the expectations of industry or financial analysts or investors for any period. If the guidance we provide falls short or we are unable to meet the expectations of analysts or investors, the trading price of our common stock could decline substantially.

Our operating results and stock price are volatile.

The price of our common stock has significantly fluctuated since our IPO. In addition, securities markets worldwide have experienced, and are likely to continue to experience, significant price and volume fluctuations. This market volatility, as well as general economic, market or political conditions, could continue to subject the market price of our shares to wide price fluctuations regardless of our operating performance. In addition, our operating results and the trading price of our shares may fluctuate in response to various factors, including:

•developments and results of audits, sanctions, investigations and litigation;

•market conditions in our industry or the broader stock market;

•actual or anticipated fluctuations in our quarterly financial and operating results;

•introduction of new solutions or services by us or our competitors;

•issuance of new or changed securities analysts’ reports or recommendations;

•sales, or anticipated sales, of large blocks of our stock;

•additions or departures of key personnel;

•regulatory or political developments;

•litigation and governmental investigations;

•changing economic and macroeconomic conditions;

•inflationary pressures, increased interest rates, weather, public health events, such as the COVID-19 pandemic, and war, including uncertainties surrounding the Russia and Ukraine war and the Israel-Hamas war;

•investors’ perception of us and our prospects; and

•any default on our indebtedness.

These and other factors, many of which are beyond our control, may cause our operating results and the market price and demand for our shares to fluctuate substantially. Fluctuations in our quarterly operating results could limit or prevent investors from readily selling their shares and may otherwise negatively affect the market price and liquidity of our shares.

A significant portion of our total outstanding shares may be sold into the market in the near future. This could cause the market price of our common stock to drop significantly, even if our business is doing well.

Sales of a substantial number of shares of our common stock in the public market could occur at any time. These sales, or the perception in the market that the holders of a large number of shares intend to sell shares, could reduce the market price of our common stock.

We are party to a registration rights agreement with TCO Group Holdings, L.P., the investment vehicle through which the Principal Shareholders hold their investment, which requires us to effect the registration of the Principal Shareholders’ shares in certain circumstances. The Principal Shareholders are also entitled to participate in certain of our registered offerings, subject to the restrictions in the registration rights agreement. These registration rights would facilitate the resale of such securities into the public market, and any such resale would increase the number of shares of our common stock available for public trading.

Such shares can be freely sold in the public market upon issuance, subject to vesting, and Rule 144 under the Securities Act.

In the future, we may also issue our securities in connection with investments or acquisitions. The number of shares issued in connection with an investment or acquisition could constitute a material portion of our then-outstanding common stock.

Because we have no plans to pay regular cash dividends on our common stock for the foreseeable future, you may not receive any return on investment unless you sell your common stock for a price greater than that which you paid for it.

We do not anticipate paying any regular cash dividends on our common stock for the foreseeable future. Any decision to declare and pay dividends in the future will be made at the discretion of our Board and will depend on, among other things, our results of operations, financial condition, cash requirements, contractual restrictions and other factors that our Board may deem relevant. In addition, our ability to pay dividends is, and may be, limited by covenants of existing and any future outstanding indebtedness we or our subsidiaries incur. Therefore, any return on investment in our common stock is solely dependent upon the appreciation of the price of our common stock on the open market, which may not occur.

Our Board of Directors has approved a share repurchase program that may subject us to certain risks, which can be exacerbated because our stock is thinly traded.

Our Board of Directors approved a repurchase program to repurchase shares of our common stock. Our share repurchase program does not obligate us to acquire any common stock, and we may discontinue the program at any time. If we fail to meet any expectations related to share repurchases, we may lose market and investor confidence. In addition, our common stock is thinly traded. Thinly traded stocks pose several risks for investors because they have wider spreads and less displayed size than other stocks that trade in higher volumes. Other risks posed by thinly traded stocks include difficulty selling the stock, challenges attracting market makers to make markets in the stock, and difficulty with financings. Because our common stock is thinly traded, repurchases under the repurchase program can impact the price of our common stock on a given day or period.

The trading market for our shares is influenced by the research and reports that industry or securities analysts publish about us or our business. We do not have any control over these analysts. If one or more of these analysts cease coverage of us or fail to publish reports on us regularly, we could lose visibility in the financial markets, which in turn could cause our stock price or trading volume to decline. Moreover, analysts have in the past downgraded, and may in the future downgrade our stock, or if our results of operations do not meet their expectations, our stock price could decline.

We may issue shares of preferred stock in the future, which could make it difficult for another company to acquire us or could otherwise adversely affect holders of our common stock, which could depress the price of our common stock.

Our certificate of incorporation authorizes us to issue one or more series of preferred stock. Our Board has the authority to determine the preferences, limitations and relative rights of the shares of preferred stock and to fix the number of shares constituting any series and the designation of such series, without any further vote or action by our shareholders. Our preferred stock could be issued with voting, liquidation, dividend and other rights superior to the rights of our common stock. The potential issuance of preferred stock may delay or prevent a change in control of us, discouraging bids for our common stock at a premium to the market price, and materially adversely affect the market price and the voting and other rights of the holders of our common stock.

Future offerings of debt or equity securities by us may materially adversely affect the market price of our common stock.

In the future, we may attempt to obtain financing or to further increase our capital resources by issuing additional shares of our common stock or offering debt or other equity securities, including senior or subordinated notes, debt securities convertible into equity or shares of preferred stock. In addition, we may seek to expand operations in the future to other markets which we would expect to finance through a combination of additional issuances of equity, corporate indebtedness and/or cash from operations.

Issuing additional shares of our common stock or other equity securities or securities convertible into equity may dilute the economic and voting rights of our existing stockholders or reduce the market price of our common stock or both. Upon liquidation, holders of such debt securities and preferred shares, if issued, and lenders with respect to other borrowings would receive a distribution of our available assets prior to the holders of our common stock. Debt securities convertible into equity could be subject to adjustments in the conversion ratio pursuant to which certain events may increase the number of equity securities issuable upon conversion. Preferred shares, if issued, could have a preference with respect to liquidating distributions or a preference with respect to dividend payments that could limit our ability to pay dividends to the holders of our common stock. Our decision to issue securities in any future offering will depend on market conditions

and other factors beyond our control, which may adversely affect the amount, timing or nature of our future offerings. Thus, holders of our common stock bear the risk that our future offerings may reduce the market price of our common stock and dilute their stockholdings in us.

General Risk Factors

Disruptions in our disaster recovery systems or business continuity planning could limit our ability to operate our business effectively.

Our information technology systems facilitate our ability to conduct our business. While we have disaster recovery systems and business continuity plans in place, any disruptions in our disaster recovery systems or the failure of these systems to operate as expected could, depending on the magnitude of the problem, adversely affect our operating results by limiting our capacity to effectively monitor and control our operations. Despite our implementation of a variety of security measures, our information technology systems could be subject to physical or electronic break-ins, ransomware and other cybersecurity incidents and similar disruptions from unauthorized tampering or any weather-related disruptions in Denver, Colorado, where our headquarters is located. In addition, in the event that a significant number of our management personnel were unavailable in the event of a disaster, our ability to effectively conduct business could be adversely affected.

Item 1B. UNRESOLVED STAFF COMMENTS

None.

CYBERSECURITY

Risk Management and Strategy

Our Cybersecurity Program (“Program”) is designed from a risk- and compliance-based approach for resilience and protection across our operations and the appropriate access, use, and/or disclosure of PHI and PII. Our Program employs the National Institute of Standards Technology (NIST) cybersecurity framework and strategy to deliver multi-layered defenses and relevant technologies that are designed to control, audit, monitor, and protect access to sensitive information. We also leverage government partnerships, industry and government associations, third-party benchmarking, audits, threat intelligence feeds and other similar resources to inform our cybersecurity efforts and allocate resources.

We maintain our Program with physical, administrative and technical safeguards, and we maintain plans and procedures whose objective is to help us prevent and respond to cybersecurity incidents. Elements of our Program include: (i) required training for our employees (including onboarding and annual training), exercises (including advanced phishing exercises), and awareness for our employees to promote vigilance of cybersecurity risks and (ii) compliance audits and assessments, which include routine technical and non-technical audits and assessments internally and in collaboration with independent third parties at least annually. In addition, we engage various third-party consultants to assist us in assessing, enhancing, implementing and monitoring our Program and responding to incidents.

As a company managing the use and disclosure of PHI and PII, we annually undergo internal and/or third-party HIPAA Security Rule risk assessments of our administrative, physical, and technical safeguards. In addition, external assessors periodically evaluate our safeguards against multiple frameworks, including NIST Cyber Security Framework (CSF).

Our Program is integrated into our Enterprise Risk Management (ERM) program and includes a vendor risk management program supported by our security and compliance teams. We assess vendor cybersecurity risks according to HIPAA and NIST CSF standards and have established an oversight process to manage cybersecurity risks related to the products and services we procure.

During the fiscal year ended June 30, 2024, we did not identify risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. While prior incidents have not had a material impact on us, future incidents could have a material impact on our business, operations, and reputation. See “Security breaches, loss of data and other disruptions have in the past and could in the future compromise sensitive information related to our business or our participants, or prevent us from accessing critical information and expose us to liability, and could adversely affect our business and our reputation” in Item 1A “Risk Factors” in this Annual Report.

Governance

While our full Board of Directors has overall responsibility for risk oversight, it has delegated primary oversight of certain risks to its committees. Our Audit Committee monitors cybersecurity risks, and the steps our management has taken to monitor and control exposures. Our Chief Information Officer (CIO) and Chief Information Security Officer (CISO) brief the Audit Committee quarterly on cybersecurity risks, updates on the regulatory and cyber landscape and significant cybersecurity events, as needed. Our Audit Committee reports to the Board of Directors on cybersecurity matters quarterly, or more often as the need arises.

We have an Information Security Team to strengthen our cybersecurity risk management activities across the Company. The Information Security Team reports to our CISO who works in collaboration with our CIO, Chief Compliance Officer and General Counsel. The Information Security Team is responsible for the oversight and operation of our Program, and the management our security standards and operating procedures.

Cole Naus is our CISO. Mr. Naus has over 10 years of experience in the cybersecurity industry. Mr. Naus holds a degree in Cybersecurity and Information Assurance and holds other cybersecurity certifications. Mr. Naus reports directly to Cara Babachicos, our CIO. Ms. Babachicos has over 20 years of experience in the cybersecurity industry, having previously worked as Chief Information Officer at other companies in the healthcare industry.

Recently Filed

Click on a ticker to see risk factors

Ticker *	File Date
MGLD	3 hours ago
CFSB	4 hours ago
PLUR	4 hours ago
GBS	11 hours ago
AOXY	2 days, 3 hours ago
GWRE	2 days, 4 hours ago
CHNC	4 days, 23 hours ago
KARX	5 days, 3 hours ago
SMBC	5 days, 3 hours ago
TPCS	5 days, 3 hours ago
APXI	5 days, 4 hours ago
BLUE	5 days, 4 hours ago
GLGI	5 days, 4 hours ago
SLQT	5 days, 4 hours ago
AMRK	5 days, 6 hours ago
CSUI	5 days, 7 hours ago
EVI	6 days, 3 hours ago
FARM	6 days, 3 hours ago
RLGT	6 days, 4 hours ago
IBEX	6 days, 4 hours ago
EGAN	6 days, 4 hours ago
ZS	6 days, 4 hours ago
AIAD	6 days, 12 hours ago
EPM	1 week ago
LSAK	1 week ago
LYTS	1 week ago
IROQ	1 week ago
INNV	1 week, 1 day ago
GROW	1 week, 1 day ago
CTLP	1 week, 1 day ago
MTRX	1 week, 1 day ago
DREM	1 week, 1 day ago
TMGI	1 week, 1 day ago
BFYW	1 week, 1 day ago
LTRX	1 week, 2 days ago
FEAM	1 week, 2 days ago
CTLT	1 week, 5 days ago
VYST	1 week, 5 days ago
GCBC	1 week, 5 days ago
PANW	1 week, 5 days ago
TWIN	1 week, 5 days ago
CBKM	1 week, 5 days ago
FLWS	1 week, 5 days ago
GDLC	1 week, 5 days ago
LTCN	1 week, 5 days ago
BCHG	1 week, 5 days ago
BRC	1 week, 5 days ago
STRT	1 week, 6 days ago
CSCO	1 week, 6 days ago
BOWL	1 week, 6 days ago

OTHER DATASETS

House Trading

Dashboard

Corporate Flights

Dashboard

App Ratings

Dashboard

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - INNV

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - INNV

-New additions in green-Changes in blue-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing