reputation with current and potential customers, expose us to liability, result in substantial costs for remediation, could cause us to lose customers, or otherwise harm our business, financial condition and results of operations. We may also incur significant costs for using alternative hosting sources or taking other actions in preparation for, or in reaction to, events that damage the AWS or Azure services we use. Additionally, in the event that our AWS or Azure service agreements are terminated, or there is a lapse of service, elimination of AWS or Azure services or features that we utilize, or damage to such facilities, we could experience interruptions in access to our platform as well as significant delays and additional expenses in arranging for or creating new facilities or re-architecting our platform for deployment on a different cloud infrastructure service provider, which would adversely affect our business, financial condition, and results of operations.
As expectations regarding operational and information security practices have increased, our operating systems and infrastructure, and those of our third-party service providers, must continue to be safeguarded and monitored for potential failures, disruptions, breakdowns, and attacks. Our data processing systems, or other operating systems and facilities, and those of our third-party service providers, may stop operating properly or become disabled or damaged as a result of a number of factors, including events that are wholly or partially beyond our and our third-party service providers’ control. For example, there could be electrical or telecommunication outages, natural disasters such as earthquakes, tornadoes, or hurricanes; disease pandemics and related government orders; events arising from local or larger scale political or social matters, including terrorist acts; cyberattacks and other data security incidents, including ransomware, malware, phishing, social engineering, including some of the foregoing that target healthcare systems in particular. These incidents can range from individual attempts to gain unauthorized access to information technology systems to more sophisticated security threats involving cyber criminals, hacktivists, cyber terrorists, nation state actors, or the targeting of commercial financial accounts. These events can also result from internal compromises, such as human error or malicious internal actors, of our workforce or our vendors’ personnel.
While we have business continuity, disaster recovery and other policies and procedures designed to prevent or limit the effect of the failure, interruption or security breach of our information systems, there can be no assurance that any such failures, interruptions or security breaches will not occur or, if they do occur, that they will be adequately addressed. Furthermore, if such failures, interruptions or security breaches are not detected immediately, their effect could be compounded. Our risk and exposure to these matters remains heightened because of the evolving nature of these threats and our use of third-party service providers with access to our systems and data. As a result, cybersecurity and the continued development and enhancement of our controls, processes, and practices designed to protect our systems, computers, software, data, and networks from attack, damage or unauthorized access remain a focus for us. Disruptions or failures in the physical infrastructure or operating systems that support our businesses and customers, or cyberattacks or security breaches of our networks, systems or devices, or those that our customers or third-party service providers use to access our products and services, could result in customer attrition, financial loss, reputational damage, reimbursement or other compensation costs, and/or remediation costs, any of which could have a material effect on our results of operations or financial condition.
Changes in laws, regulations or standards relating to privacy or data protection (including the collection, storage, use, transfer, and processing of data), or any actual or perceived failure by us to comply with such laws, regulations or standards, or our own information security policies or contractual or other obligations relating to privacy, data use and protection, or the protection or transfer of personal data, could adversely affect our business.
We collect, receive, generate, use, process, and store significant and increasing volumes of sensitive information, such as employee, customer and individual PHI and other PII. We are subject to a variety of federal, state and local laws, directives and regulations, as well as contractual obligations, relating to the collection, use, storage, retention, security, disclosure, transfer, return, destruction and other processing of PHI, other PII, and other data. In many jurisdictions, enforcement actions and consequences for noncompliance with such laws, directives and regulations are rising, and the regulatory framework for privacy, data protection and data transfers
54