|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Due to the sensitivity of the personal information, including protected health information, or PHI, that the Company and its subsidiaries store and transmit, in the ordinary course of business, identifying, assessing, and managing material cybersecurity risks is an important component of the Company’s overall cybersecurity and enterprise risk management program.
We maintain a cybersecurity program based on the National Institute of Standards and Technology Cybersecurity Framework’s guidance and HIPAA, which applies to the Company and each of its subsidiaries. The cybersecurity program seeks to protect the enterprise against threats from cybersecurity risks, to comply with applicable laws and regulations, and to establish and enhance our processes for responding to cybersecurity events.
Among other things, the program includes the following components:
•security event monitoring and detection;
•extended detection and response;
•vulnerability scanning;
•security awareness and privacy training for personnel;
•phishing simulations; and
•a cybersecurity incident response team.
The Company also engages third-party vendors and consultants, respectively, to perform audits and penetration tests.
The Company and its subsidiaries’ third-party service providers collect, process, and store certain information, including PII, PHI, or other confidential and proprietary information. We maintain a third-party vendor security risk management program to assess the cybersecurity risk and measures taken by such service providers. The program includes a third-party risk assessor, security risk reports, and formal business owner risk response.
During the period covered by this report, the Company has not identified any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. Risks from cybersecurity threats, however, in the future may, among other things, cause material disruptions to our or our subsidiaries’ operations, which may materially affect our liquidity, results of operations and financial condition, as well as damage our reputation. For additional information related to risks from cybersecurity threats, please refer to Item 1.A. — “Risks Related to Our Business and Industry — Our failure to protect our sites, networks, and systems against security breaches, or otherwise to protect our confidential or health information or the confidential or health information of our members, providers, or other third parties, could damage our reputation and brands, and substantially harm our business and results of operations.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We maintain a cybersecurity program based on the National Institute of Standards and Technology Cybersecurity Framework’s guidance and HIPAA, which applies to the Company and each of its subsidiaries. The cybersecurity program seeks to protect the enterprise against threats from cybersecurity risks, to comply with applicable laws and regulations, and to establish and enhance our processes for responding to cybersecurity events.
Among other things, the program includes the following components:
•security event monitoring and detection;
•extended detection and response;
•vulnerability scanning;
•security awareness and privacy training for personnel;
•phishing simulations; and
•a cybersecurity incident response team.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Company’s Board of Directors (the “Board”) oversees the Company’s overall risk management program, and has assigned oversight of cybersecurity risk management to its Audit Committee. The Audit Committee reviews the adequacy and effectiveness of the Company’s cybersecurity policies and internal controls regarding information and cybersecurity, and together with the full Board, regularly receives reports from our management, including our Chief Information Security Officer (the “CISO”) on cybersecurity matters, including, but not limited to: AI Security, Security Awareness, Internal Risk, Third-Party Risk, IR / DR Readiness, Access Control IAM/PAM, HIPAA Security Rule Compliance, Phishing, Security Monitoring, Vulnerability Management, Application Security, Governance, Data Security, and Cloud Security.
The Company’s CISO is responsible for developing and managing the cybersecurity program, including security incident response, remediation, and setting security policy and standards required by applicable law or regulation. The CISO holds a dual-accredited Executive MBA, and Certified Information Security Manager ("CISM"), Certified Information Systems Auditor ("CISA") and Certified Data Privacy Solutions Engineer ("CDPSE") certifications. The security team holds multiple certifications including but not limited to CISSP, CRISC, CCSFP, and AWS CP, a bug bounty hall of fame member, and a range of experience with different firms. The CISO is informed by the cybersecurity team about the prevention, detection, mitigation, and remediation of cybersecurity incidents through general communications, and reporting. The cybersecurity team is made aware of security risks and incidents by various means including our SIEM, assessments, audit, threat feeds, and security team connections and network.
Depending on the circumstances, information regarding cybersecurity risks and incidents may be elevated from the CISO and his team through a variety of different channels, including risk response forms as part of our formal security risk process, discussions with the Audit Committee and reports to the Board on a quarterly basis.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Company’s Board of Directors (the “Board”) oversees the Company’s overall risk management program, and has assigned oversight of cybersecurity risk management to its Audit Committee. The Audit Committee reviews the adequacy and effectiveness of the Company’s cybersecurity policies and internal controls regarding information and cybersecurity, and together with the full Board, regularly receives reports from our management, including our Chief Information Security Officer (the “CISO”) on cybersecurity matters, including, but not limited to: AI Security, Security Awareness, Internal Risk, Third-Party Risk, IR / DR Readiness, Access Control IAM/PAM, HIPAA Security Rule Compliance, Phishing, Security Monitoring, Vulnerability Management, Application Security, Governance, Data Security, and Cloud Security.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Company and its subsidiaries’ third-party service providers collect, process, and store certain information, including PII, PHI, or other confidential and proprietary information. We maintain a third-party vendor security risk management program to assess the cybersecurity risk and measures taken by such service providers. The program includes a third-party risk assessor, security risk reports, and formal business owner risk response.
|Cybersecurity Risk Role of Management [Text Block]
|The Company’s Board of Directors (the “Board”) oversees the Company’s overall risk management program, and has assigned oversight of cybersecurity risk management to its Audit Committee. The Audit Committee reviews the adequacy and effectiveness of the Company’s cybersecurity policies and internal controls regarding information and cybersecurity, and together with the full Board, regularly receives reports from our management, including our Chief Information Security Officer (the “CISO”) on cybersecurity matters, including, but not limited to: AI Security, Security Awareness, Internal Risk, Third-Party Risk, IR / DR Readiness, Access Control IAM/PAM, HIPAA Security Rule Compliance, Phishing, Security Monitoring, Vulnerability Management, Application Security, Governance, Data Security, and Cloud Security.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Company’s Board of Directors (the “Board”) oversees the Company’s overall risk management program, and has assigned oversight of cybersecurity risk management to its Audit Committee.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The CISO holds a dual-accredited Executive MBA, and Certified Information Security Manager ("CISM"), Certified Information Systems Auditor ("CISA") and Certified Data Privacy Solutions Engineer ("CDPSE") certifications. The security team holds multiple certifications including but not limited to CISSP, CRISC, CCSFP, and AWS CP, a bug bounty hall of fame member, and a range of experience with different firms.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Company’s CISO is responsible for developing and managing the cybersecurity program, including security incident response, remediation, and setting security policy and standards required by applicable law or regulation.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef