XML 113 R95.htm IDEA: XBRL DOCUMENT v3.26.1
Cybersecurity Risk Management and Strategy Disclosure
 12 Months Ended
Dec. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] Item 1C. Cybersecurity

We maintain an Information Security Management System designed to identify, assess, and manage material risks from cybersecurity threats. Our program is informed by international security standards, including ISO 27001 and NIST CSF 2.0, and we maintain HITRUST, ISO 27001, ISO 13485, SOC 2 Type 2 and UK CyberEssentials certifications to validate our security and data privacy practices.

We have developed and integrated into our overall risk management program an information security program that is designed to address material risks from cybersecurity threats. Our program includes policies and procedures that identify how security measures and controls are developed, implemented and maintained. A cybersecurity risk assessment, based on an internationally recognized methodology, is conducted annually.

Governance

The Audit Committee of our Board of Directors is primarily responsible for the oversight of risks from cybersecurity threats. The Committee receives quarterly reports from management regarding our security posture, recent threat assessments, and any significant incidents.

Our Chief Technology Officer and Senior Director of Information Security are responsible for the day-to-day assessment and management of cybersecurity risks. The Information Security Steering Committee consists of internal stakeholders and meets regularly to review key security indicators, identified risks and risk treatment plans. Our Senior Director of Information Security has 10 years of experience in healthcare security leadership and leads a team with experience in a broad set of security areas including product security, endpoint security, network security, incident response and identity and access management with relevant industry certifications. We work with external experts including security assessors, auditors and consultants to ensure expertise in necessary areas.

All employees and workforce members receive training at least annually on our information security policies and procedures, ensuring they follow industry best practices on security and are prepared to report any security incidents.

Risk Identification and Assessment

We conduct risk assessments at least annually, incorporating data from penetration testing, vulnerability scanning, threat modeling and other security processes to identify potential threats to our systems and data.

As we rely on third-party cloud service providers for our production process, we conduct security due diligence on all of our vendors, which is performed annually for critical vendors, including reviewing their third-party audits, penetration test results and other security documentation. Third party risks are included in our risk assessment.

Identified risks are reviewed and prioritized, considering the criticality of the systems, potential impact of the risk and likelihood. Where needed, the information security team will work with the Steering Committee to develop plans to mitigate or eliminate risks and implement them across the organization.

The information security team stays informed of cybersecurity threats through conferences, industry groups and other training to ensure risk assessments incorporate real data on likelihood and impact and trends in threats. 

Incident Response

We maintain a formal incident response plan that includes protocols for investigating, containing, and mitigating security events. This plan is tested annually through tabletop exercises involving both technical staff and senior management.

We maintain a 24x7x365 on-call rotation to ensure timely responses to critical security incidents and monitor critical systems. We incorporate public and private threat intelligence data from industry organizations into our threat detection system to ensure we identify new threats. We have established communication channels to ensure that potential material cybersecurity incidents are promptly escalated to our legal and executive teams to determine if a disclosure obligation exists under SEC rules.

To date, we do not believe that known risks from cybersecurity threats, including as a result of any previous cybersecurity incidents that we are aware of, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, we can give no assurance that we have detected or protected against all cybersecurity incidents or cybersecurity threats. Please see the risk factor titled “Our networks and those of our third-party service providers may become the target of bad actors or security breaches that we cannot anticipate or successfully defend, which could have an adverse impact on our business.” in Part I. Item 1A. “Risk Factors” in this Annual Report for additional information about the risks we face associated with cybersecurity threats.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] We have developed and integrated into our overall risk management program an information security program that is designed to address material risks from cybersecurity threats.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] To date, we do not believe that known risks from cybersecurity threats, including as a result of any previous cybersecurity incidents that we are aware of, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition.
Cybersecurity Risk Board of Directors Oversight [Text Block] The Audit Committee of our Board of Directors is primarily responsible for the oversight of risks from cybersecurity threats. The Committee receives quarterly reports from management regarding our security posture, recent threat assessments, and any significant incidents.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee of our Board of Directors is primarily responsible for the oversight of risks from cybersecurity threats.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Identified risks are reviewed and prioritized, considering the criticality of the systems, potential impact of the risk and likelihood.
Cybersecurity Risk Role of Management [Text Block] The Committee receives quarterly reports from management regarding our security posture, recent threat assessments, and any significant incidents.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our Chief Technology Officer and Senior Director of Information Security are responsible for the day-to-day assessment and management of cybersecurity risks. The Information Security Steering Committee consists of internal stakeholders and meets regularly to review key security indicators, identified risks and risk treatment plans.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our Senior Director of Information Security has 10 years of experience in healthcare security leadership and leads a team with experience in a broad set of security areas including product security, endpoint security, network security, incident response and identity and access management with relevant industry certifications.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Where needed, the information security team will work with the Steering Committee to develop plans to mitigate or eliminate risks and implement them across the organization.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] false