UNIVERSAL HEALTH REALTY INCOME TRUST 10-K Cybersecurity GRC - 2026-02-25

Page last updated on February 25, 2026

UNIVERSAL HEALTH REALTY INCOME TRUST reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 16:16:01 EST.

Filings

10-K filed on 2026-02-25

UNIVERSAL HEALTH REALTY INCOME TRUST filed a 10-K at 2026-02-25 16:16:01 EST
Accession Number: 0001193125-26-071594

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity In connection with the advisory agreement with a wholly-owned subsidiary of UHS, as discussed herein, we utilize certain of UHS' information technology ("IT") applications, consisting primarily of financial data applications. In addition, UHS and our third-party property managers rely extensively on IT systems to, as applicable, manage clinical and financial data, communicate with patients, tenants, payers, vendors and other third parties ; and to summarize and analyze operating results. These various IT systems, and the networks and information systems of third parties that we, UHS and our third-party property managers rely on, are subject to damage or interruption from power outages, facility damage, computer and telecommunications failures, computer viruses, security breaches including credit card or personally identifiable information breaches, vandalism, theft, natural disasters, catastrophic events, human error and potential cyber threats, including malicious codes, worms, phishing attacks, denial of service attacks, ransomware and other sophisticated cyber-attacks, and our disaster recovery planning cannot account for all eventualities. These systems, in turn, interface with, and rely on, third-party systems that we do not control. Third parties to whom we outsource certain of our functions, or with whom our systems interface and who may, in some instances, store our sensitive and confidential data, are also subject to the risks outlined above and may not have or use controls effective to protect such information. An attack, breach or other system disruption affecting any of these third parties could similarly harm our business. Cybersecurity Risk Management and Strategy As cyber criminals continue to become more sophisticated through evolution of their tactics, techniques and procedures, we, UHS and our third-party property managers have taken, and will continue to take, additional preventive measures to strengthen the cyber defenses of the collective networks and data. Protecting data, which includes information related to clinical and financial data, and communications with patients, tenants, payers, vendors and other third parties is a primary area of focus for us, UHS, and our third-party property managers. Given the critical nature of this information, certain cybersecurity risk management programs were implemented to assess, identify, and manage risks associated with cybersecurity threats as identified in Item 106(a) of Regulation S-K. UHS has a multi-tier risk management structure that includes ongoing evaluation of applicable laws and regulations, internal policies and standards, technical vulnerabilities, threat intelligence, and resource adequacy. Such risks include operational, intellectual property theft, fraud, risks that have potential unfavorable impacts on employees and/or patients, and violation of data privacy or security laws. To address cybersecurity risks facing UHS, and in turn us, to the degree applicable, UHS has adopted a risk-informed and continuously evolving assessment process. UHS engages a third party to conduct a bi-annual National Institute of Technology-Cyber Security Framework assessment to determine the effectiveness of their program and related controls. The results of that assessment are reviewed by UHS' management and used to formulate prioritization of remediation efforts, strategic initiatives, and cybersecurity investments. Likewise, annual penetration tests occur to review the efficacy of technical controls, results which are reviewed by management of UHS and resolved in a timely manner. Other factors that feed into UHS' risk management practices are also operational events and incidents, which can lead to controls being reviewed and enhanced. 22 UHS' risk management practices also incorporate lessons learned from operational events, cybersecurity incidents, near misses, and changes in the external threat landscape, including emerging risks associated with ransomware, supply-chain dependencies, and the increasing use of artificial intelligence by threat actors. UHS has a mature incident response and recovery program in place in the event a cybersecurity incident occurs. This program defines roles, responsibilities and action plans designed to contain and eradicate the issue and then restore systems, in the event of a major disruption, in a timely manner. UHS' response planning emphasizes resilience and the ability to maintain critical operations, including clinical and patient-facing services, during and following a cybersecurity event. UHS regularly conduct tabletop exercises to simulate responses to an incident and implement any insight gained from those exercises to improve recovery practices. As part of these processes, UHS regularly engages with assessors, consultants, auditors, and other third parties to review UHS' cybersecurity program to help identify areas for continued focus, improvement, and compliance. UHS maintains a cybersecurity insurance policy that provides coverage for losses sustained from cybersecurity incidents. However, costs and damages associated with cybersecurity incidents may not be fully insured under the commercial policy, and (to the extent otherwise covered) are subject to applicable deductibles and limitations. For our the third-party property managers that manage a significant portion of our properties, we conduct periodic reviews of the policies and procedures they have established to detect, contain, eradicate, and restore systems in the event of a major disruption. Based on the information available as of the date of this Form 10-K, during our fiscal year 2025 and through the date of this filing, we did not identify any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us , including our business strategy, results of operations or financial condition. For more information on risks to us from cybersecurity threats, see " Risks Related to Business Operations - A cyber security incident could cause a violation of HIPAA, breach of member privacy, or other negative impacts. " under "Item 1A. Risk Factors." Governance of Cybersecurity The Audit Committee of our Board of Trustees is responsible for the oversight of risks from cybersecurity threats. Members of the Audit Committee receive annual updates, and if and as warranted otherwise, regarding cybersecurity matters such as the evolving threat landscape, significant risks, incidents, control maturity, and progress against key cybersecurity initiatives. UHS' cybersecurity risk management and strategy processes are overseen by its Chief Information Security Officer along with leaders from our information security, compliance, legal and internal auditing teams . These leaders collectively possess substantial experience across information security, healthcare compliance, risk management, audit, and technology operations. They are responsible for monitoring the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including oversight of our incident response and recovery capabilities. 23

Company Information