AdaptHealth Corp. - (AHCO)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

AdaptHealth has physical, technical, and administrative security measures in place for Information Technology ("IT") systems, including a disaster recovery plan, designed to identify, protect, detect and respond to, and manage reasonably foreseeable cybersecurity risks and threats. AdaptHealth leverages applicable guidelines from standards such as the National Institute of Standards and Technology (“NIST”) Special Publication 800, and its disaster recovery plan is managed by AdaptHealth’s Chief Technology Officer (the “CTO”), Chief Information Officer (the “CIO”) and Chief Information Security Officer (the “CISO”), in collaboration across lines of business and corporate functions. AdaptHealth has internal programs to identify and remediate vulnerabilities in its infrastructure and applications, and it deploys market leading defense tools to protect and secure its network and data. These vulnerabilities and threats are also proactively monitored by AdaptHealth’s third party cybersecurity service providers.

AdaptHealth’s security measures aim to prevent cyber threats and vulnerabilities. This includes a vendor management and risk assessment program to ensure the third party environments in which AdaptHealth’s data is stored or processed are built to standards sufficient to satisfy HIPAA security requirements. This includes a risk-based due diligence process in selecting third-party service providers, which covers the third-party vendor’s general IT controls and IT facilities used to service AdaptHealth’s business. AdaptHealth believes that these processes are essential to support its compliance, internal controls and efficiency initiatives.

During the period covered by this report, AdaptHealth has not identified any previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect AdaptHealth, including its business strategy, results of operations or financial condition. For further discussion on AdaptHealth’s risks from cybersecurity threats, see Item 1A, Risk Factors -AdaptHealth’s business depends on its information systems, including software licensed from third parties, and any failure or significant disruptions of these systems, security breaches or loss of data could materially affect our business, results of operations and financial condition.”
Cybersecurity Governance

AdaptHealth’s Board of Directors is responsible for oversight of AdaptHealth's cyber risk management program, including risk identification, mitigation strategy and efforts, and resources. AdaptHealth’s cybersecurity program is led by AdaptHealth’s CTO, CIO and CISO, who provide periodic updates to the Audit Committee of AdaptHealth's Board of Directors about the program, including information about cyber risk management governance and the status of ongoing efforts to strengthen cybersecurity effectiveness. The CTO, CIO and CISO are senior-level executives with over fifty years of combined experience in the areas of cybersecurity and information technology. Prior to their current roles, the CTO, CIO and CISO previously served in similar positions at other reputable companies, including Fortune 500 companies.

AdaptHealth's Audit Committee is responsible for reviewing AdaptHealth's cybersecurity risks and incidents, and for overseeing management’s controls over information security. The Audit Committee considers and reviews, at least annually, with the Company's CTO, CIO and CISO, the adequacy and effectiveness of the Company’s monitoring of, and system of internal controls over, cybersecurity matters, including data and privacy protection policies and programs and the cybersecurity materiality matrix utilized to determine timely disclosures. The Audit Committee also discusses any
35

Table of Contents
significant cybersecurity incidents or risk exposures that have come to management’s attention during the conduct of their assessments and the steps management has taken to mitigate such exposures.