Subsequent Events

9 Months Ended

Sep. 30, 2023


12. Subsequent Events

Amendment to the Stockholder Rights Agreement

On October 2, 2023, we entered into the Amendment to the Stockholder Rights Agreement, dated as of October 2, 2023 (the “Amendment”), which amended the Stockholder Rights Agreement, dated as of October 7, 2022 (the “Rights Agreement”), by and between the Company and Equiniti Trust Company, LLC (f/k/a American Stock Transfer & Trust Company, LLC) as rights agent.

The Amendment extends the final expiration date of the Rights Agreement from October 2, 2023 to October 2, 2024. The Company expects to submit the Amendment to the Company’s stockholders for ratification at the Company’s 2024 annual meeting of stockholders. Additional information regarding the Amendment, including a copy of the Amendment, is contained in the Company’s Current Report on Form 8-K filed with the SEC on October 2, 2023.

Security Incident Multi-state Attorneys General Settlement

On October 5, 2023, the Company entered into separate, substantially similar Administrative Orders with each of 49 state Attorneys General and the District of Columbia relating to the previously announced 2020 Security Incident in which a cyber criminal removed a copy of a subset of data from our self-housed environment. This settlement fully resolves the previously disclosed multi-state Civil Investigative Demand and the separate Civil Investigative Demand from the Office of the Indiana Attorney General relating to the Security Incident (the “Multi-state Investigation”), which is further described in the substantially similar Administrative Orders filed in each of the 49 states and the District of Columbia.

Under the terms of the Administrative Orders, we have agreed: (i) to comply with state consumer protection laws, data breach notification laws, and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”); (ii) not to make misleading misrepresentations to our customers or the individuals whose data is stored by us concerning (a) the extent to which we protect the privacy, security, confidentiality, or integrity of certain data, (b) the likelihood that data impacted by a security incident may be subject to unauthorized access, disclosure, or other misuse, or (c) the data breach notification requirements; and (iii) to implement and improve certain cybersecurity programs and tools.

As part of the Administrative Orders, we also agreed to pay a total of $49.5 million to the 49 states and District of Columbia. We expect to pay the full settlement amount to each state and the District of Columbia during the fourth quarter of 2023 from our existing liquidity. This amount was fully accrued as a contingent liability in our financial statements as of June 30, 2023.

We entered into the Administrative Orders without admitting fault or liability in connection with the matters subject to the Multi-state Investigation. The form of Administrative Order was furnished as Exhibit 99.2 to the Company’s Current Report on Form 8-K filed with the SEC on October 5, 2023.

As previously disclosed, the Office of the Attorney General of the State of California did not participate in the Multi-state Investigation and has issued a separate Civil Investigative Demand related to the Security Incident, which has not been resolved. Although we are hopeful that we can resolve this matter on acceptable terms, there is no assurance that we will be able to do so on terms acceptable to us and to the State of California.