CHEMED CORP 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

CHEMED CORP reported its cybersecurity risk management and governance process in an annual 10-K filed on 2026-02-27 09:36:24 EST.

Filings

10-K filed on 2026-02-27

CHEMED CORP filed a 10-K at 2026-02-27 09:36:24 EST
Accession Number: 0001562762-26-000020


Item 1C. Cybersecurity.

The Company treats cybersecurity risk seriously and is focused on maintaining and regularly updating the security of our systems, networks, technologies and data. The number and sophistication of attempts to disrupt or penetrate our systems continues to grow, specifically including the rapid increase of attempts against healthcare companies that has been observed since early 2022. To combat the ever-increasing sophistication of cyberattacks including the potential use of AI by threat actors, we continuously work to improve methods for detecting and preventing attacks. We have implemented policies and procedures and developed specific training for our employees, including regular updates and reminders, to help prevent and mitigate any issues that may be caused by any attacks. Further, we regularly engage independent third-party cyber experts to test for vulnerabilities in our environment. We also conduct our own internal simulations to help assess and strengthen our defenses.
Despite these safeguard measures, on October 24, 2025, VITAS learned that an account belonging to a third-party vendor attempted to deploy a tool often used by threat actors in VITAS' information technology environment (the "Environment"). VITAS' security team took immediate actions to contain and remove the intrusion, implemented remedial measures, and notified the third-party vendor in accordance with its cyber incident response process. VITAS and external cybersecurity experts began an investigation into the incident. Through continued investigation, including through multiple outside vendors, VITAS ascertained certain information, including protected health information ("PHI") of VITAS' current and former patients, was viewed. Additionally, on October 29, VITAS received a notice from a threat actor claiming to have unlawfully accessed the Environment and taken significant amounts of data.
The notice threatened the release of the data unless it received a monetary payment. VITAS successfully negotiated with the threat actor, made a payment, and obtained assurances from the threat actor that the PHI was not provided to any other third parties and has since been destroyed. The threat actor provided VITAS with evidence of the deletion of the files. VITAS has complied with the regulatory and legal notifications which are required as a result of this incident. VITAS and third-party forensic analysts believe that the incident was contained, the threat actor was removed, and that the intrusion was limited to data theft and did not, and is not expected to, materially affect the operation of the Environment or its financial or operational systems. Cyber insurance has covered all costs incurred by VITAS above its $500,000 deductible. Management currently believes the cyber insurance limits are sufficient to cover all remaining costs from this incident. We acknowledge and have experienced that cyberattack risk may occur with our third-party technology service providers. As described above, the incident arose from a compromised third-party vendor's account. Additionally, high-profile cyberattacks have occurred at healthcare companies, credit bureaus, financial institutions, and other businesses for the purpose of acquiring the confidential information of individuals, including potential customers and patients. We take significant measures to prevent and mitigate issues caused by any such attacks, including outreach to our providers and other third-parties that we engage with, in order to ascertain any potential downstream implications of known breaches. Following the incident we have further strengthened our security permissions on these vendors and their access to our system. The Company has integrated our cybersecurity prevention and mitigation processes into our overall risk management system and processes. 
The Chief Technology Officer of Roto-Rooter and the Chief Technology Officer and Chief Information Officer of VITAS are senior executives, with decades of experience in preventing, assessing and managing cybersecurity threats in the private sector as well as government. Both Roto-Rooter and VITAS employ teams of experienced cybersecurity professionals who report to the respective Chief Technology Officer and Chief Information Officer. Both businesses have security incident response plans, pursuant to which they report on the cybersecurity status of the businesses to the Company's Chief Financial Officer and Controller and Chief Legal Officer both regularly as a matter of course, as well as in the event of any potentially material incident including the incident described above. Additionally, Company senior management reports to the Audit Committee on cybersecurity issues on a regular basis, multiple times a year as part of the committee's role in enterprise risk management. The Audit Committee's reports to the board after these sessions include the discussions of the cybersecurity risk management process. The reports include information on any attacks or potential breaches within the Company as well as security events at third-party providers when the breach or potential breach may affect the Company. This process allows the Company to involve both senior management and third-party service providers, including forensic analysts, other cyber experts, and outside counsel, as necessary in order to combat potential threats and help ensure appropriate and timely responses to threats, and mitigation and remediation of any incidents.
While we have significant internal resources, policies and procedures designed to prevent or limit the effect of another failure, interruption or security breach of our information systems, there can be no assurance that any such failure, interruption or security breach will not occur in the future, or if they do occur, that they will be adequately addressed. Please also reference additional disclosures about cybersecurity in Item 1A Risk Factors, under both Roto-Rooter and VITAS sections.


Company Information

Name: CHEMED CORP
CIK: 0000019584
SIC Description: Services-Home Health Care Services
Ticker: CHE - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 31