2021 CORPORATE RESPONSIBILITY REPORT I 70 Cybersecurity and data privacy are highest-level priorities (continued) • Our data privacy program is supported by a comprehensive set of policies and procedures that describe appropriate uses of data and the administrative, technical, and physical safeguards we have in place to protect the privacy and confidentiality of the information with which we are entrusted. We adhere to HIPAA’s minimum necessary standard, which requires that we limit the use or disclosure of protected health information (PHI) to only what is necessary to accomplish the intended purpose of a particular use, disclosure, or request. We have a well- established program to receive, investigate, and respond to privacy complaints. As set forth in our Code of Ethics, all employees have a duty to report potential or suspected violations of company policy or the law, including those involving data privacy. When a breach occurs, we take corrective action to address the breach and implement proactive measures to help reduce the risk of future breaches. • Our cybersecurity program incorporates standards, processes, and activities over best practice domains, such as governance, access controls, facility and data protection, IT systems and data transmission security, threat intelligence and incident response, third-party risk management, disaster recovery, and vulnerability management. • At our facilities, we employ strong physical security measures, including limiting access to authorized employees, requiring visitors to be escorted at all times, utilizing environmental security controls, and maintaining secured storage areas for confidential information. • Our Strategic Threat and Intelligence Center manages our threat landscape and uses a variety of security technology and threat intelligence tools designed to detect, prevent, block, analyze, and respond to cybersecurity threats. • We have a well-established incident response program that is reviewed and tested annually. • Due to the constantly changing nature of technologies and security concerns, we regularly conduct audits and risk assessments and review our security and privacy policies and procedures. • Our cybersecurity program is based on the National Institute of Standards and Technology’s NIST 800 Special Publication Information Security standard. The cybersecurity program is aligned with the company’s ERM function. • We educate employees through cybersecurity awareness and data privacy training programs at least annually. Our training activities are designed to educate employees on important subjects (eg, protecting patient privacy; ensuring safe data storage and transit; and recognizing potential cybersecurity attacks) and to build awareness about cybersecurity and data privacy risks (eg, through security awareness challenges, alerts, and simulated phishing campaigns). We also conduct training exercises to simulate emergent threats and scenarios that could arise from potential cybersecurity attacks and data breaches, improving the effectiveness of our incident response and business restoration procedures. • We maintain programs designed to assess and address the security and data privacy risks of our suppliers, outsourcing partners (including with respect to revenue cycle management), potential acquisition targets, and other business partners (both at the beginning of a relationship and on an ongoing basis, as appropriate, based on risk). It is our policy to enter business associate agreements with vendors that obtain, maintain, use, or disclose PHI on our behalf; these vendors agree to safeguard the PHI as required by HIPAA. We also have policies and procedures in place that govern data transfers to third parties, including appropriate methods and controls, such as standard contractual requirements. • Our cybersecurity program and policies are aligned with appropriate, widely recognized standards, such as NIST, PCI, the Payment Card Industry (PCI) Data Security Standard, the System and Organization Controls for Service Organizations 2 (SOC 2), ISO 9001:2015 and ISO 15189, and Sarbanes-Oxley. • We are a participating member of the Health Information Sharing and Analysis Center (H-ISAC), a health-industry forum focused on cyber and physical security threats. • We have engaged with US intelligence and law enforcement agencies to make faster, more informed security decisions to identify, respond to, mitigate, and prevent cybersecurity threats. • We carry insurance for cyber-related incidents and breaches at industry-standard levels. The policy, including types and amounts of coverage, are reviewed annually. For more information on our board committees, including the Cybersecurity Committee, please refer to our 2022 Proxy Statement. For more information on risks relating to cybersecurity and how we mitigate such risks, please refer to our 2021 Annual Report on Form 10-K. TABLE OF CONTENTS 2021 OVERVIEW COVID-19 RESPONSE PROMOTING A HEALTHIER WORLD CREATING AN INSPIRING WORKPLACE BUILDING VALUE REFERENCES •