Page last updated on February 11, 2026
DAVITA INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-11 16:06:39 EST.
Company Summary
DaVita is a provider focused on transforming care delivery to improve quality of life for patients globally.
Filings
10-K filed on 2026-02-11
DAVITA INC. filed a 10-K at 2026-02-11 16:06:39 EST
Accession Number: 0000927066-26-000012
Item 1C. Cybersecurity.
Risk Management and Strategy
Information security risks have significantly increased in recent years, in part because of the proliferation of new technologies, the increasing use of the Internet and telecommunications technologies to conduct our operations, and the increased sophistication and activities of organized crime, hackers, terrorists and other external parties, including, among others, foreign state agents. Our business and operations rely on the secure and continuous processing, transmission and storage of confidential, proprietary and other information in our computer systems and networks, including, but not limited to, sensitive personal information, such as protected health information (PHI), social security numbers, and/or credit card information of our patients, teammates, physicians, business partners and others. Our business and operations also rely on certain critical IT vendors that support such processing, transmission and storage (which have become more relevant and important given the information security issues and risks that are intensified through our increased use of remote work arrangements).
To manage risks to our Company, including information and security risks, our Board oversees our enterprise-wide approach to risk management with a fundamental belief that the key components of risk management are:
- Identifying potential risks that we face;
- Assessing the likelihood and potential impact of the risks;
- Adopting strategies and controls designed to manage the risks;
- Reporting on a regular basis regarding the assessment and management of the risks; and
- Monitoring these potential risks on a regular basis.
Our Enterprise Risk Management (ERM) team supports this risk management process, and evaluates risks to the enterprise on short, intermediate and long-term bases.
Our ERM team reports to our ERM Committee, a group comprised of members of senior management who meet on a regular basis to oversee the performance of these risk management functions. We assess risks using a probability-magnitude lens, with shorter and intermediate term risks generally given greater weight. We prioritize mitigating activities on shorter and intermediate term risks, but also use risk analyses and oversight to proactively incorporate mitigating activities into our long-term strategy. The ERM process reflects a Company-wide effort designed to identify, assess, manage, report and monitor enterprise risks and risk areas. This effort includes the Company's Enterprise Risk Services (Internal Audit), Sarbanes-Oxley (SOX), Compliance Audit, Legal and IT Security teams, among others. The identification and evaluation of cybersecurity threats and risks is integrated into this ERM process. The ERM process is incorporated into our disclosure controls and procedures. Representatives of each of our ERM, Legal, Internal Audit and Compliance Audit teams sit on the Company's management Disclosure Committee, which is responsible for, among other things, the design and establishment of disclosure controls and procedures to help ensure the timeliness, accuracy and completeness of our corporate disclosures. Our IT Security and Privacy teams, who are responsible for assessing cybersecurity threats and risks, in turn maintain policies and procedures designed to ensure appropriate escalation of cybersecurity incidents to meet applicable external disclosure requirements. Our Chief Information Officer (CIO) and Chief Information Security Officer (CISO) regularly meet and coordinate with our Chief Privacy Officer (CPO). Each of the CIO, CISO and CPO also advise members of the Disclosure Committee, including our Chief Legal and Public Affairs Officer (CLO), on disclosure matters on an as-needed basis. 
With respect to assessing privacy, data and cybersecurity risks, the Company adopts a hybrid approach that is designed to align primarily with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 (2024) (NIST Cybersecurity Framework), including certain elements of the guidance set forth in NIST Special Publication (SP) 800-66r2 (Revision 2), "Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide", while also evaluating, where appropriate, against certain elements of the International Standards Organization (ISO) ISO/IEC 27001:2002 "Information security, cybersecurity and privacy protection - Information security management systems - Requirements" and ISO/IEC 27002:2002 "Information security, cybersecurity and privacy protection - Information security controls" that management believes provide additional reasonable levels of guidance or structure. We regularly evaluate the Company's cybersecurity and privacy processes and procedures, both through regular audits by our Internal Audit and IT Security teams and through regular retention of outside advisors under the direction of our IT Security team. Among other things, in recent years, including in 2025, we have conducted an approximately biennial third-party review that evaluates the maturity of our cybersecurity program against components of the NIST CSF and provides an assessment that measures Capability Maturity Model Integration levels. Additionally, our CISO engages in regular consultations, typically monthly, with third-party cybersecurity advisors. Among other things, these sessions provide the Company with a broader review of the external cybersecurity environment, helping us to stay current on emerging or developing security approaches and risks.
Among other initiatives, our CISO and the Company's IT Security team actively participate in industry conferences and maintain memberships to resources such as the Health Information Sharing and Analysis Center (Health-ISAC), a trusted community of critical infrastructure owners and operators within the Health Care and Public Health sector which, among other things, allows the Company to monitor email updates and alerts coordinated with the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. In order to maintain awareness of privacy, data and cybersecurity risks, the Company incorporates these topics into its annual compliance training materials that are mandatory for all teammates and new hires, and among other things cover HIPAA privacy and security requirements. We maintain policies and have established processes involving our IT Security, Privacy and Legal teams that assess potential cybersecurity risks associated with our retention and use of third-party service providers. These policies and procedures are generally aligned with the NIST CSF. Prior to retaining or renewing a third-party vendor, the Company policy requires a risk assessment of such potential new vendor or engagement through a collaborative process among the Company's IT Security, Privacy, Insurance and Legal teams, among others. Potential vendor engagements also are reviewed to assess a range of other considerations and contractual terms and conditions, including, among other things, a potential vendor's privacy data protections. Our IT SOX team also conducts annual SOX reviews for those vendors that are considered in scope for SOX controls. All finalized vendor engagements are considered by Internal Audit as part of our ordinary course risk assessment and audit planning. 
Cybersecurity Risks and the Impact on our Company
Due to continuously evolving laws and regulations related to cybersecurity, data protection and privacy that are applicable to our business, as well as the associated risks from cybersecurity threats, we have expended significant resources in order to protect our information systems and data. We regularly review, monitor and implement multiple layers of security measures through technology, processes and our people. We utilize security technologies designed to protect and maintain the integrity of our information systems and data, and our defenses are monitored and routinely tested internally and by external parties. Despite these efforts, our facilities and systems and those of our third-party service providers may be vulnerable to privacy and security incidents; security attacks and breaches; acts of vandalism or theft; computer viruses and other malicious code; coordinated attacks by a variety of actors, including, among others, activist entities or state-sponsored cyberattacks; emerging cybersecurity risks; cyber risk related to connected devices; misplaced or lost data; programming and/or human errors; or other similar events that could impact the security, reliability and availability of our systems and the availability, authenticity, integrity and/or confidentiality of information stored on those systems, such as personal or other sensitive information. Internal and external parties have attempted to, and will continue to attempt to, circumvent our security systems, and we have in the past, and expect that we will in the future, defend against, experience, and respond to attacks on our network including, without limitation, reconnaissance probes, denial of service attempts, malicious software attacks including ransomware or other attacks intended to render our internal operating systems or data unavailable, and phishing attacks or business email compromise.
We have experienced cybersecurity incidents in the past, including the previously disclosed cyber incident in April 2025 that impacted our network, resulted in the exfiltration of certain data, including PII and PHI, and disrupted our operations. We have restored all relevant business functions, and patient care continued throughout the incident and incident response. The incident adversely impacted our billing and revenue collection cycles, among other things, and we continue to incur expenses and engage in workforce activities for ongoing remediation activities and related litigation and regulatory matters. To date, neither this incident nor any other cyber incident has had a material adverse impact on our business, results of operations, financial condition and cash flows. Cybersecurity requires ongoing investment and diligence against evolving threats and in the context of new or developing technologies. For further information regarding the risks we face from cybersecurity threats and how our business strategy, results of operations, and financial condition could be materially affected by such risks, see Part I Item 1A. "Risk Factors" under the heading "If we fail to maintain the integrity of our data, protect our proprietary rights to our systems or defend against cybersecurity attacks..."
Governance
Board Oversight
As part of its oversight responsibilities, the Audit Committee monitors privacy, data and cybersecurity as specific risk areas and regularly reports to the Board on these topics. The Audit Committee also works with the Compliance and Quality Committee to oversee enterprise risks with healthcare and anti-corruption requirements, and those requirements include certain privacy, data and cybersecurity aspects. Three of our Board members, Mr. Schechter, Dr. Moore and Ms. Schoppert, with Mr. Schechter and Ms. Schoppert serving as members of the Audit Committee, individually hold a NACD CERT Certificate in Cyber-Risk Oversight.
As part of that oversight function, the Audit Committee reviews and discusses key privacy, data, and cybersecurity risk exposures with management, and generally receives reports from the ERM team and the CIO or their respective designees on a quarterly basis. On a periodic basis, the full Board of Directors also receives reports from the ERM team and the CIO. The CPO and/or CLO periodically reports to the Audit Committee about the Company's privacy program, and Internal Audit reports to the Audit Committee quarterly, providing the Audit Committee with results from any privacy, data, or cybersecurity audits. The Audit Committee also oversees the Company's negotiation of any cybersecurity insurance. Currently, the Company maintains a cybersecurity risk insurance policy providing coverage for certain cybersecurity breaches among other specified risks.
Management
Among other things, the Company's Privacy team creates, updates and implements policies and procedures that are designed to comply with privacy laws and requirements in the countries in which we do business. Working with Internal Audit and the CIO, the Privacy team also proactively assesses the nature and potential severity of privacy risks within DaVita and takes steps to help mitigate such risks. As referenced above, our IT Security team, in consultation with our Privacy team, is primarily responsible for frontline assessments and management of day-to-day risks from cybersecurity threats, including the monitoring and detection of cybersecurity incidents. The CIO, CISO, IT Security team and Privacy team collectively conduct incident response with respect to cybersecurity events that may threaten the privacy and security of personal data, including PHI.
Pursuant to the Company's incident response plans, the teams are responsible for assessing and classifying cybersecurity incidents and coordinating the response to such incidents, including managing both internal and external reporting obligations and remediation efforts. Our IT Security team also operates a 24x7 security operations center. This dedicated center, alongside active monitoring of the dark web for DaVita-related data and our use of both internal and external tools, is designed to ensure proactive detection, prevention and remediation of cybersecurity incidents. We inform and develop this integrated approach through our ongoing internal and external evaluations and risk assessments of our IT security program as described above. As discussed above, key personnel responsible for privacy and cybersecurity expertise include our CIO, CISO and CPO. Their qualifications include expertise in international privacy laws, compliance, global IT strategy, and security responsibilities, helping to ensure a comprehensive approach to risk management. Our CISO has more than two decades of experience in information technology risk and compliance and holds a Certified Chief Information Security Officer certification from EC-Council, a Certified Information Security Manager certification from ISACA and a certification from the Massachusetts Institute of Technology on AI management in healthcare. Our CPO is a Certified Information Privacy Professional and a Certified Compliance and Ethics Professional, and has more than two decades of experience in creating and implementing privacy and data protection programs that enable multinational organizations to respect and protect personal data and execute mission-critical business strategies.
Company Information
| Name | DAVITA INC. |
| CIK | 0000927066 |
| SIC Description | Services-Misc Health & Allied Services, NEC |
| Ticker | DVA - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |