Data Privacy & Security

Centene’s mission of transforming the health of the communities we serve, one person at a time, requires maintaining our members’ trust.

Centene is dedicated to being a trusted partner to those we serve, including our members, employees, and business partners, by responsibly managing and protecting their confidential information. As technology continues to advance and more information is digitized, security and privacy practices remain critical to protecting confidential information. To support governance, controls, and transparency, our information security and privacy programs are embedded in our enterprise-wide risk management practices.

Risk Governance

Centene integrates information security risk management into its broader enterprise risk and compliance framework. The Board of Directors has primary oversight of enterprise-wide risk management, including data privacy and security risks, which are overseen through the Audit and Compliance Committee and the Quality Committee.

Day-to-day management of privacy and cybersecurity is led by our Chief Security and Privacy Officer (CSPO) and Chief Information Security Officer (CISO). Our CSPO is responsible for overseeing the day-to-day operation of our data privacy and security risk management programs. Our CISO oversees our security operations, including identity and access management functions, cybersecurity incident response operations and the effective operation of the suite of security tools we employ. Both leaders work closely with the Enterprise Risk Committee and the Board to identify, assess, and mitigate emerging threats and to ensure that privacy and cybersecurity remain top enterprise priorities.

Privacy Practices

Centene’s Code of Conduct establishes our responsibility to safeguard confidential information across all lines of business. Our privacy policies define how we collect, use, and protect member data, and outline the rights members have to access their information and raise concerns about its collection, sharing, or use. We maintain transparency through a publicly available Notice of Privacy Practices, which explains how member data is used and the steps members can take to exercise their rights.

Our Enterprise Data Privacy Programs underscore our commitment to compliance with all applicable laws and regulations. Each year, we assess our programs against the HITECH Act and HIPAA Privacy and Security Rules to ensure ongoing adherence. The programs also mandate routine audits of key areas of the company’s operations against privacy program requirements and implement corrective actions as needed.

Employees receive regular training on privacy requirements, and all vendors handling sensitive data must adhere to Centene’s privacy and security standards.

Building A Culture Of Information Security

Centene promotes a culture of shared accountability for information security, recognizing that employees are our first line of defense. Centene also protects data through an information security program that includes technical, administrative, and physical controls intended to prevent security incidents and reduce their potential impact.

All employees, including contractors, are required to complete annual information security and privacy training, with additional role-based training provided as needed. These programs ensure team members understand their responsibilities and are prepared to safeguard Centene’s information assets.

Our information security program conforms with ISO 27001 and is certified by an accredited organization.

Crisis Response

Centene continuously monitors threats and invests in the resilience of our systems. Our Business Continuity Management and Disaster Recovery programs provide coordination, oversight, and ongoing monitoring to prepare for and respond to incidents and business disruptions. The program includes business impact analysis, vulnerability analysis, training, exercising, risk assessments, and other components of a comprehensive program.

Watch how Centene and CyberUp are partnering to bridge the gap in the cybersecurity workforce, with a special focus on veterans. Hear from real participants whose lives have been transformed through cybersecurity apprenticeships, gaining the skills and opportunities they need for a stable and fulfilling career.