Cybersecurity Risk Management, Strategy, and Governance
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

Astrana Health operates in an increasingly interconnected and digitized world, where the protection of sensitive information and the resilience of our information technology systems are paramount to our mission of delivering exceptional healthcare services. Cybersecurity is a critical component of our enterprise risk management program, reflecting our commitment to safeguarding the privacy and security of the patients, employees, and others who entrust us with their data.

As a healthcare organization, we manage large quantities of protected health information (“PHI”), personally identifiable information (“PII”), and other sensitive data. Recognizing the heightened risks posed by cyber threats, we have implemented a comprehensive cybersecurity framework that is designed to proactively identify, assess, and mitigate the risks associated with these threats. This includes protection against ransomware, phishing attacks, data breaches, and the evolving tactics of sophisticated cyber adversaries, as well as other types of cyber threats. Our cybersecurity program is built upon industry-recognized standards, and we continuously adapt our program to defend against the changing threat landscape.

Cybersecurity Governance

Astrana Health’s governance framework reflects our commitment to managing cybersecurity risks with accountability and transparency. This framework is rooted in collaboration between executive leadership, operational teams, and the Board of Directors, resulting in comprehensive oversight at every level of the organization.

Board Oversight

The Board of Directors oversees cybersecurity as part of its enterprise risk management responsibilities. The Audit Committee reviews cybersecurity risks, including IT internal controls, the use of artificial intelligence, business continuity plans, disaster recovery programs, and data protection initiatives. The Audit Committee also receives regular reports from management, including the CISO (as defined below), on key cybersecurity metrics, threat landscapes, risk mitigation strategies, and significant cybersecurity or data privacy incidents (if any).

Executive Leadership

Our cybersecurity program is led by the Chief Information Security Officer (“CISO”), a Certified Information Systems Security Professional (CISSP) with over 25 years of experience in technology, cybersecurity strategy, risk management, and regulatory compliance, including extensive industry experience. The CISO works closely with the Company’s executive leadership to implement and oversee the Company’s cybersecurity initiatives. The CISO is also responsible for broader IT governance and risk management, resulting in a cohesive approach to protecting our technology infrastructure and sensitive data.

AI Policy and Governance

Astrana Health recognizes the transformative potential of artificial intelligence (“AI”) in healthcare and the corresponding responsibility to implement it ethically and securely. Our AI policy and governance framework emphasizes transparency, fairness, and accountability in the use of AI technologies across our operations. This includes rigorous data privacy safeguards, continuous monitoring to mitigate algorithmic bias, and adherence to industry best practices and regulatory standards. An internal committee comprising experts in technology, legal, compliance, and healthcare operations works to ensure that AI deployments meet ethical and cybersecurity standards. Periodic audits and risk assessments are conducted to evaluate the performance, reliability, and security of AI systems in critical workflows.

Cross-Functional Collaboration

Astrana Health utilizes a cross-functional governance structure that engages enterprise risk management, compliance, IT, legal, privacy, and data governance teams. Our risk management / cyber working group, which includes certain of our senior leaders from operations, finance, internal audit, IT, cyber, legal, and communications, meets at least four times per year to discuss significant risks to the Company identified by our enterprise-wide risk management process, including cybersecurity risks identified by our cybersecurity risk management program. The group also discusses the steps management has taken to identify, monitor, assess, and control or avoid such exposures, reviews performance measures against the Company’s risk appetite and tolerance, and provides recommendations for corrective action where appropriate. This collaborative approach enables a holistic evaluation of cybersecurity risks and aims to ensure that identified threats are promptly addressed.

Cybersecurity Program Components

Astrana Health’s cybersecurity program employs a multi-layered approach, incorporating a wide range of policies, technologies, and processes to detect, prevent, and respond to cyber threats.

Proactive Monitoring and Threat Detection

We leverage advanced security technologies and tools to continuously monitor our IT systems and networks. Our 24/7 Security Operations Center is equipped to detect anomalies and respond to emerging threats in real time, aiming to minimize the risk of undetected cyberattacks.

Employee Training and Awareness

Astrana Health fosters a culture of cybersecurity awareness through mandatory training programs, phishing simulations, and engagement campaigns. These efforts seek to enable employees to identify and report potential threats, thereby reducing organizational vulnerability to common attack vectors.

Data Encryption and Access Controls

Robust encryption protocols safeguard sensitive data, both in transit and at rest. Multi-factor authentication and role-based access controls further restrict unauthorized access, ensuring that only authorized personnel can access critical systems and information.

Incident Response and Recovery

Our comprehensive incident response plan outlines detailed procedures for addressing and recovering from cybersecurity incidents. This plan, which is integrated with our business continuity and disaster recovery strategies, aims to ensure operational resilience and timely remediation of affected systems.

Third-Party Risk Management

Vendors and service providers are rigorously vetted through a structured third-party risk management program. This process includes security assessments, contractual requirements for compliance with cybersecurity standards, and ongoing monitoring to ensure alignment with Astrana Health’s security policies.

Independent Audits and Assessments

External firms conduct regular penetration testing, System and Organization Controls (SOC) 2 audits, and other assessments to validate the effectiveness of our cybersecurity controls and identify areas for improvement.

Industry Standards and Benchmarks

Our cybersecurity program is aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Additionally, periodic tabletop exercises simulate real-world scenarios to test our readiness and improve our incident response capabilities.

Cybersecurity Incidents

Although we have been subject to breaches of our IT systems, including breaches of the IT systems of third-party service providers, the impact of such attacks has not been material to our business strategy, operations or results of operations, financial position, or cash flows through the date of this report. We do not believe that cybersecurity threats resulting from any previous cybersecurity incidents of which we are aware are reasonably likely to materially affect the Company. For additional information on the risks we face from cybersecurity threats, please refer to Part I, Item 1A, “Risk Factors” of this Form 10-K.

Cybersecurity Risk Management Processes Integrated [Flag] true

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true