Common use of Information Technology; Data Protection Clause in Contracts

Information Technology; Data Protection. The IT Assets owned by, controlled by, or otherwise used in the conduct of the businesses of Amedisys and its subsidiaries are sufficient for, and operate and perform as needed by, Amedisys and its subsidiaries to adequately conduct their respective businesses as currently conducted, except for insufficiencies or failures to operate or perform that, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on Amedisys. Since January 1, 2021, to the knowledge of Amedisys, there have not been, and there are no known vulnerabilities or defects that would reasonably be expected to result in, any Security Breaches or unauthorized access or disclosure, unauthorized use, failures or unplanned outages or other adverse integrity or security access incidents affecting the IT Assets owned by or controlled by Amedisys or its subsidiaries or any other persons to the extent used by or on behalf of Amedisys or its subsidiaries (or, in each case, Personal Data and other information and transactions stored or contained therein or transmitted thereby), except as, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on Amedisys. Since January 1, 2021, except as, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on Amedisys, (A) Amedisys and its subsidiaries (1) have been in compliance with all Privacy and Security Requirements and any binding industry standards applicable to the industry in which each of Amedisys or any of its subsidiaries operates, and (2) have implemented and maintained a data security plan with commercially reasonable administrative, technical and physical safeguards to protect the IT Assets of Amedisys and its subsidiaries, and the Personal Data and other information and transactions stored or contained therein or transmitted thereby, against unauthorized access, use, loss and damage; (B) there have been no Actions related to any Security Breaches, other data security incidents, or violations of any Privacy and Security Requirements by Amedisys or any of its subsidiaries; and (C) none of Amedisys or any of its subsidiaries have sent (or been required to send) or received any written notices to or from any Person or Governmental Entity relating to violations or potential violations of any Privacy and Security Requirements. To the knowledge of Amedisys, since January 1, 2021, there has been no (x) unauthorized access, misuse of or damage to any IT Assets owned by or controlled by, or otherwise used in the conduct of the business of, Amedisys or any of its subsidiaries or (y) unauthorized access, use, misuse of, Processing or loss of, or damage to, any Personal Data maintained by or on behalf of Amedisys or any of its subsidiaries, in each case, except as, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on Amedisys.

Information Technology; Data Protection. The IT Assets owned by, controlled by, by or otherwise used in the conduct of the businesses of Amedisys OPCH and its subsidiaries are sufficient for, and operate and perform as needed by, Amedisys by OPCH and its subsidiaries to adequately conduct their respective businesses as currently conducted, except for insufficiencies or failures to operate or perform that, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on AmedisysOPCH. Since January 1, 2021, to the knowledge of AmedisysOPCH, there have not been, and there are no known vulnerabilities or defects that would reasonably be expected to result in, any Security Breaches or unauthorized access or disclosure, unauthorized use, failures or unplanned outages or other adverse integrity or security access incidents affecting the IT Assets owned by or controlled by Amedisys OPCH or its subsidiaries or any other persons to the extent used by or on behalf of Amedisys OPCH or its subsidiaries (or, in each case, Personal Data and other information and transactions stored or contained therein or transmitted thereby), except as, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on AmedisysOPCH. Since January 1, 2021, except as, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on AmedisysOPCH, (A) Amedisys OPCH and its subsidiaries (1) have been in compliance with all Privacy and Security Requirements and any binding industry standards applicable to the industry in which each of Amedisys OPCH or any of its subsidiaries operates, and (2) have implemented and maintained a data security plan with commercially reasonable administrative, technical and physical safeguards to protect the IT Assets of Amedisys OPCH and its subsidiaries, and the Personal Data and other information and transactions stored or contained therein or transmitted thereby, against unauthorized access, use, loss and damage; , (B) there have been no Actions related to any Security Breaches, other data security incidents, or violations of any Privacy and Security Requirements by Amedisys OPCH or any of its subsidiaries; , and (C) none of Amedisys OPCH or any of its subsidiaries have sent (or been required to send) or received any written notices to or from any Person or Governmental Entity relating to violations or potential violations of any Privacy and Security Requirements. To the knowledge of AmedisysOPCH, since January 1, 2021, there has been no (x) unauthorized access, misuse of or damage to any IT Assets owned by or controlled by, by or otherwise used in the conduct of the business of, Amedisys of OPCH or any of its subsidiaries or (y) unauthorized access, use, misuse of, Processing or loss of, or damage to, any Personal Data maintained by or on behalf of Amedisys OPCH or any of its subsidiaries, in each case, except as, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on AmedisysOPCH.

Information Technology; Data Protection. The IT Assets owned by, controlled by, or otherwise used in the conduct of the businesses of Amedisys UTC RemainCo and its subsidiaries are sufficient for, and operate and perform as needed by, Amedisys by UTC RemainCo and its subsidiaries to adequately conduct their respective businesses as currently conducted, except for insufficiencies or failures to operate or perform that, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on AmedisysUTC. Since January 1, 20212017, to the knowledge of AmedisysUTC, there have not been, and there are no known vulnerabilities or defects that would reasonably be expected to result in, any Security Breaches or unauthorized access or disclosuresecurity breaches, unauthorized useaccess, failures or unplanned outages or other adverse integrity or security access incidents (i) affecting the IT Assets owned by or controlled by Amedisys of UTC RemainCo or its subsidiaries or any other persons to the extent used by or on behalf of Amedisys UTC RemainCo or its subsidiaries (or, in each case, Personal Data and other information and transactions stored or contained therein or transmitted thereby)) or (ii) resulting in a partial or complete loss of control of any products of UTC RemainCo or its subsidiaries, in each case, except as, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on AmedisysUTC. Since January 1, 2021, except Except as, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on AmedisysUTC, (A) Amedisys UTC RemainCo and its subsidiaries (1A) are and have been since January 1, 2017 in compliance with all Privacy Applicable Laws, as well as their own rules, policies and Security Requirements procedures, relating to privacy, data protection and any binding industry standards applicable to the industry in which each collection, retention, protection, transfer, use and processing of Amedisys or any of its subsidiaries operates, Personal Data and (2B) have implemented and maintained a data security plan with commercially reasonable administrative, technical and physical safeguards to protect the IT Assets of Amedisys and its subsidiaries, and the Personal Data and other information and transactions stored or contained therein or transmitted thereby, against unauthorized access, use, loss and damage; (B) there have been no Actions related to any Security Breaches, other data security incidents, or violations of any Privacy and Security Requirements by Amedisys or any of its subsidiaries; and (C) none of Amedisys or any of its subsidiaries have sent (or been required to send) or received any written notices to or from any Person or Governmental Entity relating to violations or potential violations of any Privacy and Security Requirements. To the knowledge of AmedisysUTC, since January 1, 20212017, there has been no (x) unauthorized access, misuse of or damage to any IT Assets owned by or controlled byaccess to, or otherwise used in the conduct of the business of, Amedisys or any of its subsidiaries or (y) unauthorized access, use, misuse of, Processing or loss of, or damage to, any Personal Data maintained by or on behalf of Amedisys UTC RemainCo or any of its subsidiaries, in each case, except as, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on AmedisysUTC.

Information Technology; Data Protection. The IT Assets owned by, controlled by, or otherwise used in of Telaria and its Subsidiaries are adequate for the conduct of the businesses of Amedisys and its subsidiaries are sufficient for, and operate and perform as needed by, Amedisys and its subsidiaries to adequately conduct their respective businesses as currently conducted, except for insufficiencies or failures to operate or perform that, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on Amedisys. Since January 1, 20212017, to the knowledge Knowledge of AmedisysTelaria, there have not been, and there are no known vulnerabilities or defects that would reasonably be expected to result in, any Security Breaches or unauthorized access or disclosuresecurity breaches, unauthorized useaccess, failures or unplanned outages or other adverse integrity or security access incidents affecting the IT Assets owned by or controlled by Amedisys of Telaria or its subsidiaries Subsidiaries or any other persons Persons to the extent used by or on behalf of Amedisys Telaria or its subsidiaries Subsidiaries (or, in each case, Personal Data and other information and transactions stored or contained therein or transmitted thereby), in each case, except as, individually or and in the aggregate, would not reasonably be expected to have a Material Adverse Effect on AmedisysTelaria. Since January 1, 2021, except Except as, individually or and in the aggregate, would not reasonably be expected to have a Material Adverse Effect on AmedisysTelaria, Telaria and its Subsidiaries (A) Amedisys are and its subsidiaries (1) have been since January 1, 2017 in compliance with all Privacy Applicable Laws, as well as their own rules, policies and Security Requirements procedures, relating to privacy, data protection and any binding industry standards applicable to the industry in which each collection, retention, protection, transfer, use and processing of Amedisys or any of its subsidiaries operates, Personal Data and (2B) have implemented and maintained a data security plan with commercially reasonable administrative, technical and physical safeguards to protect the IT Assets of Amedisys and its subsidiaries, and the Personal Data and other information and transactions stored or contained therein or transmitted thereby, against unauthorized access, use, loss and damage; (B) there have been no Actions related to any Security Breaches, other data security incidents, or violations of any Privacy and Security Requirements by Amedisys or any of its subsidiaries; and (C) none of Amedisys or any of its subsidiaries have sent (or been required to send) or received any written notices to or from any Person or Governmental Entity relating to violations or potential violations of any Privacy and Security Requirements. To the knowledge Knowledge of AmedisysTelaria, since January 1, 20212017, there has been no (x) unauthorized access, misuse of or damage to any IT Assets owned by or controlled byaccess to, or otherwise used in the conduct of the business of, Amedisys or any of its subsidiaries or (y) unauthorized access, use, misuse of, Processing or loss of, or damage to, any Personal Data maintained by or on behalf of Amedisys Telaria or any of its subsidiariesSubsidiaries, in each case, except as, individually or and in the aggregate, would not reasonably be expected to have a Material Adverse Effect on AmedisysTelaria.

Information Technology; Data Protection. The IT Assets owned by, controlled by, or otherwise used in of Rubicon Project and its Subsidiaries are adequate for the conduct of the businesses of Amedisys and its subsidiaries are sufficient for, and operate and perform as needed by, Amedisys and its subsidiaries to adequately conduct their respective businesses as currently conducted, except for insufficiencies or failures to operate or perform that, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on Amedisys. Since January 1, 20212017, to the knowledge Knowledge of AmedisysRubicon Project, there have not been, and there are no known vulnerabilities or defects that would reasonably be expected to result in, any Security Breaches or unauthorized access or disclosuresecurity breaches, unauthorized useaccess, failures or unplanned outages or other adverse integrity or security access incidents affecting the IT Assets owned by or controlled by Amedisys of Rubicon Project or its subsidiaries Subsidiaries or any other persons Persons to the extent used by or on behalf of Amedisys Rubicon Project or its subsidiaries Subsidiaries (or, in each case, Personal Data and other information and transactions stored or contained therein or transmitted thereby), in each case, except as, individually or and in the aggregate, would not reasonably be expected to have a Material Adverse Effect on AmedisysRubicon Project. Since January 1, 2021, except Except as, individually or and in the aggregate, would not reasonably be expected to have a Material Adverse Effect on AmedisysRubicon Project, Rubicon Project and its Subsidiaries (A) Amedisys are and its subsidiaries (1) have been since January 1, 2017 in compliance with all Privacy Applicable Laws, as well as their own rules, policies and Security Requirements procedures, relating to privacy, data protection and any binding industry standards applicable to the industry in which each collection, retention, protection, transfer, use and processing of Amedisys or any of its subsidiaries operates, Personal Data and (2B) have implemented and maintained a data security plan with commercially reasonable administrative, technical and physical safeguards to protect the IT Assets of Amedisys and its subsidiaries, and the Personal Data and other information and transactions stored or contained therein or transmitted thereby, against unauthorized access, use, loss and damage; (B) there have been no Actions related to any Security Breaches, other data security incidents, or violations of any Privacy and Security Requirements by Amedisys or any of its subsidiaries; and (C) none of Amedisys or any of its subsidiaries have sent (or been required to send) or received any written notices to or from any Person or Governmental Entity relating to violations or potential violations of any Privacy and Security Requirements. To the knowledge Knowledge of AmedisysRubicon Project, since January 1, 20212017, there has been no (x) unauthorized access, misuse of or damage to any IT Assets owned by or controlled byaccess to, or otherwise used in the conduct of the business of, Amedisys or any of its subsidiaries or (y) unauthorized access, use, misuse of, Processing or loss of, or damage to, any Personal Data maintained by or on behalf of Amedisys Rubicon Project or any of its subsidiariesSubsidiaries, in each case, except as, individually or and in the aggregate, would not reasonably be expected to have a Material Adverse Effect on AmedisysRubicon Project.

Information Technology; Data Protection. The IT Assets owned by, controlled by, or otherwise used in the conduct of the businesses of Amedisys Raytheon and its subsidiaries are sufficient for, and operate and perform as needed by, Amedisys by Raytheon and its subsidiaries to adequately conduct their respective businesses as currently conducted, except for insufficiencies or failures to operate or perform that, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on AmedisysRaytheon. Since January 1, 20212017, to the knowledge of AmedisysRaytheon, there have not been, and there are no known vulnerabilities or defects that would reasonably be expected to result in, any Security Breaches or unauthorized access or disclosuresecurity breaches, unauthorized useaccess, failures or unplanned outages or other adverse integrity or security access incidents (i) affecting the IT Assets owned by or controlled by Amedisys of Raytheon or its subsidiaries or any other persons to the extent used by or on behalf of Amedisys Raytheon or its subsidiaries (or, in each case, Personal Data and other information and transactions stored or contained therein or transmitted thereby)) or (ii) resulting in a partial or complete loss of control of any products of Raytheon or its subsidiaries, in each case, except as, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on AmedisysRaytheon. Since January 1, 2021, except Except as, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on AmedisysRaytheon, (A) Amedisys Raytheon and its subsidiaries (1A) are and have been since January 1, 2017 in compliance with all Privacy Applicable Laws, as well as their own rules, policies and Security Requirements procedures, relating to privacy, data protection and any binding industry standards applicable to the industry in which each collection, retention, protection, transfer, use and processing of Amedisys or any of its subsidiaries operates, Personal Data and (2B) have implemented and maintained a data security plan with commercially reasonable administrative, technical and physical safeguards to protect the IT Assets of Amedisys and its subsidiaries, and the Personal Data and other information and transactions stored or contained therein or transmitted thereby, against unauthorized access, use, loss and damage; (B) there have been no Actions related to any Security Breaches, other data security incidents, or violations of any Privacy and Security Requirements by Amedisys or any of its subsidiaries; and (C) none of Amedisys or any of its subsidiaries have sent (or been required to send) or received any written notices to or from any Person or Governmental Entity relating to violations or potential violations of any Privacy and Security Requirements. To the knowledge of AmedisysRaytheon, since January 1, 20212017, there has been no (x) unauthorized access, misuse of or damage to any IT Assets owned by or controlled byaccess to, or otherwise used in the conduct of the business of, Amedisys or any of its subsidiaries or (y) unauthorized access, use, misuse of, Processing or loss of, or damage to, any Personal Data maintained by or on behalf of Amedisys Raytheon or any of its subsidiaries, in each case, except as, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on AmedisysRaytheon.

Information Technology; Data Protection. (a) The IT Assets owned by, controlled by, or otherwise used in of STX and its Subsidiaries are adequate for the conduct of the respective businesses of Amedisys STX and its subsidiaries are sufficient for, and operate and perform as needed by, Amedisys and its subsidiaries to adequately conduct their respective businesses Subsidiaries as currently conducted, except for insufficiencies or failures and currently anticipated to operate or perform that, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on Amedisysconducted. Since January 1, 20212017, to the knowledge Knowledge of AmedisysSTX, there have not been, and there are no known vulnerabilities or defects that would reasonably be expected to result in, any Security Breaches or unauthorized access or disclosuresecurity breaches, unauthorized useaccess, failures or unplanned outages or other adverse integrity or security access incidents affecting the IT Assets owned by or controlled by Amedisys of STX or its subsidiaries Subsidiaries or any other persons Persons to the extent used by or on behalf of Amedisys STX or its subsidiaries Subsidiaries (or, in each case, Personal Data and other information and transactions stored or contained therein or transmitted thereby), in each case, except as, individually or in the aggregate, would not reasonably be expected to have be material to STX and its Subsidiaries, taken as a Material Adverse Effect on Amedisys. Since January 1, 2021, except as, whole. (b) Except as individually or in the aggregate, aggregate would not reasonably be expected to have a Material Adverse Effect on Amedisys, (A) Amedisys be material to STX and its subsidiaries Subsidiaries, taken as a whole, STX and its Subsidiaries (1a) are and have been since January 1, 2017 in compliance with all Privacy Applicable Laws, as well as their own rules, policies and procedures, relating to privacy, data protection and the collection, retention, protection, transfer, use and Processing of Personal Data (including Payment Card Industry Data Security Requirements and any binding industry standards applicable to the industry in which each of Amedisys or any of its subsidiaries operates, Standard (PCI DSS)) (“Data Security Requirements”) and (2b) have implemented and maintained a data security plan with commercially reasonable administrative, technical and physical safeguards to protect the IT Assets of Amedisys and its subsidiaries, and the Personal Data and other information and transactions stored or contained therein or transmitted thereby, against unauthorized access, use, loss and damage; (B) there have been no Actions related to any Security Breaches, other data security incidents, or violations of any Privacy and Security Requirements by Amedisys or any of its subsidiaries; and (C) none of Amedisys or any of its subsidiaries have sent (or been required to send) or received any written notices to or from any Person or Governmental Entity relating to violations or potential violations of any Privacy and Security Requirements. To the knowledge Knowledge of AmedisysSTX, since January 1, 20212017, there has been no (x) unauthorized access, misuse of or damage to any IT Assets owned by or controlled byaccess to, or otherwise used in the conduct of the business of, Amedisys or any of its subsidiaries or (y) unauthorized access, use, misuse of, Processing or loss of, or damage to, any Personal Data maintained by or on behalf of Amedisys STX or any of its subsidiariesSubsidiaries. Neither STX nor any of its Subsidiaries has received any written notice alleging any violation or failure to comply with any Data Security Requirements, in each case, except as, individually or in the aggregate, would not reasonably be expected to have nor is it aware of any reasonable basis for such a Material Adverse Effect on Amedisysclaim.

Information Technology; Data Protection. The IT Assets owned by, controlled by, or otherwise used in the conduct of the businesses of Amedisys Company and its subsidiaries the Company Subsidiaries are sufficient for, in all material respects and operate and perform as needed byby the Company and the Company Subsidiaries, Amedisys and its subsidiaries to adequately conduct their respective businesses as currently conducted, except for insufficiencies or failures conducted and as contemplated to operate or perform that, individually or in be conducted by the aggregate, would not reasonably be expected to have a Material Adverse Effect on AmedisysCompany. Since January 1, 2021, to the knowledge of Amedisys2020, there have not been, and there are no known not currently, any vulnerabilities or defects that would reasonably be expected to result in, any Security Breaches security breaches, intrusions or unauthorized access access, unauthorized use or disclosure, unauthorized use, failures or unplanned outages or other adverse integrity or security access incidents affecting (i) affecting, in a material manner, the material IT Assets owned by of the Company or controlled by Amedisys or its subsidiaries the Company Subsidiaries or any other persons Persons to the extent used by or on behalf of Amedisys the Company or its subsidiaries 24 the Company Subsidiaries (or, in each case, Personal Data and other information and transactions stored or contained therein or transmitted thereby)) or (ii) resulting in a partial or complete loss of control, except asin a material manner, individually of any material products of the Company or in the aggregate, would not reasonably be expected to Company Subsidiaries. The Company and the Company Subsidiaries (A) are and have a Material Adverse Effect on Amedisys. Since been since January 1, 2021, except as, individually or 2020 in the aggregate, would not reasonably be expected to have a Material Adverse Effect on Amedisys, (A) Amedisys and its subsidiaries (1) have been in material compliance with all Privacy applicable Laws, as well as their own rules, policies and Security Requirements procedures and any binding industry standards applicable all contracts to which they are bound, in each case to the industry in which each extent relating to privacy, data protection and the collection, retention, protection, transfer, use and processing of Amedisys or any of its subsidiaries operates, Personal Data and (2B) have implemented and maintained a data security plan with commercially reasonable administrative, technical and physical safeguards to protect the IT Assets of Amedisys and its subsidiaries, and the Personal Data and other information and transactions stored or contained therein or transmitted thereby, against unauthorized access, use, loss and damage; (B) there have been no Actions related to any Security Breaches, other data security incidents, or violations of any Privacy and Security Requirements by Amedisys or any of its subsidiaries; and (C) none of Amedisys or any of its subsidiaries have sent (or been required to send) or received any written notices to or from any Person or Governmental Entity relating to violations or potential violations of any Privacy and Security Requirements. To the knowledge of Amedisys, since Since January 1, 20212020, (i) to the Knowledge of the Company, there has been no (x) unauthorized access, misuse of or damage to any IT Assets owned by or controlled byaccess to, or otherwise used in the conduct of the business of, Amedisys or any of its subsidiaries or (y) unauthorized access, use, misuse of, Processing or loss of, or damage to, any IT Assets or any Personal Data maintained by or on behalf of Amedisys the Company or any of its subsidiariesthe Company Subsidiaries, (ii) the Company and the Company Subsidiaries have not notified or been required to notify any Person of any security breach or other incident affecting the IT Assets or any information or data stored or contained therein, and (iii) there have not been and are no Actions, complaints, citations or fines pending, issued to or received by, or, to the Knowledge of the Company, threatened against the Company or any Company Subsidiary by any Person with respect to privacy or other incidents, or with respect to the Company’s handling, use or processing of Personal Data within the Company’s possession or control, that, in each casethe case of (i), except as(ii) and (iii), were or are, individually or in the aggregate, would not reasonably be expected material to have a Material Adverse Effect on Amedisysthe business of the Company.

Information Technology; Data Protection. (a) The IT Assets owned by, controlled by, or otherwise used in of Eros and its Subsidiaries are adequate for the conduct of the businesses of Amedisys and its subsidiaries are sufficient for, and operate and perform as needed by, Amedisys and its subsidiaries to adequately conduct their respective businesses as currently conducted, except for insufficiencies or failures and currently anticipated to operate or perform that, individually or in the aggregate, would not reasonably be expected to have a Material Adverse Effect on Amedisysconducted. Since January 1, 20212017, to the knowledge Knowledge of AmedisysEros, there have not been, and there are no known vulnerabilities or defects that would reasonably be expected to result in, any Security Breaches or unauthorized access or disclosuresecurity breaches, unauthorized useaccess, failures or unplanned outages or other adverse integrity or security access incidents affecting the IT Assets owned by or controlled by Amedisys of Eros or its subsidiaries Subsidiaries or any other persons Persons to the extent used by or on behalf of Amedisys Eros or its subsidiaries Subsidiaries (or, in each case, Personal Data and other information and transactions stored or contained therein or transmitted thereby), in each case, except as, individually or in the aggregate, would not reasonably be expected to have be material to Eros and its Subsidiaries, taken as a Material Adverse Effect on Amedisys. Since January 1, 2021, except as, whole. (b) Except as individually or in the aggregate, aggregate would not reasonably be expected to have a Material Adverse Effect on Amedisys, (A) Amedisys be material to Eros and its subsidiaries Subsidiaries, taken as a whole, Eros and its Subsidiaries (1a) are and have been since January 1, 2017 in compliance with all Privacy and Data Security Requirements and any binding industry standards applicable to the industry in which each of Amedisys or any of its subsidiaries operates, and (2b) have implemented and maintained a data security plan with commercially reasonable administrative, technical and physical safeguards to protect the IT Assets of Amedisys and its subsidiaries, and the Personal Data and other information and transactions stored or contained therein or transmitted thereby, against unauthorized access, use, loss and damage; (B) there have been no Actions related to any Security Breaches, other data security incidents, or violations of any Privacy and Security Requirements by Amedisys or any of its subsidiaries; and (C) none of Amedisys or any of its subsidiaries have sent (or been required to send) or received any written notices to or from any Person or Governmental Entity relating to violations or potential violations of any Privacy and Security Requirements. To the knowledge Knowledge of AmedisysEros, since January 1, 20212017, there has been no (x) unauthorized access, misuse of or damage to any IT Assets owned by or controlled byaccess to, or otherwise used in the conduct of the business of, Amedisys or any of its subsidiaries or (y) unauthorized access, use, misuse of, Processing or loss of, or damage to, any Personal Data maintained by or on behalf of Amedisys Eros or any of its subsidiariesSubsidiaries. Neither Eros nor any of its Subsidiaries has received any written notice alleging any violation or failure to comply with any Data Security Requirements, in each case, except as, individually or in the aggregate, would not reasonably be expected to have nor is it aware of any reasonable basis for such a Material Adverse Effect on Amedisysclaim.

Information Technology; Data Protection. The IT Assets owned by, controlled by, or otherwise used in the conduct of the businesses of Amedisys Company and its subsidiaries the Company Subsidiaries are sufficient for, in all material respects and operate and perform as needed byby the Company and the Company Subsidiaries, Amedisys and its subsidiaries to adequately conduct their respective businesses as currently conducted, except for insufficiencies or failures conducted and as contemplated to operate or perform that, individually or in be conducted by the aggregate, would not reasonably be expected to have a Material Adverse Effect on AmedisysCompany. Since January 1, 2021, to the knowledge of Amedisys2020, there have not been, and there are no known not currently, any vulnerabilities or defects that would reasonably be expected to result in, any Security Breaches security breaches, intrusions or unauthorized access access, unauthorized use or disclosure, unauthorized use, failures or unplanned outages or other adverse integrity or security access incidents affecting (i) affecting, in a material manner, the material IT Assets owned by of the Company or controlled by Amedisys or its subsidiaries the Company Subsidiaries or any other persons Persons to the extent used by or on behalf of Amedisys the Company or its subsidiaries the Company Subsidiaries (or, in each case, Personal Data and other information and transactions stored or contained therein or transmitted thereby)) or (ii) resulting in a partial or complete loss of control, except asin a material manner, individually of any material products of the Company or in the aggregate, would not reasonably be expected to Company Subsidiaries. The Company and the Company Subsidiaries (A) are and have a Material Adverse Effect on Amedisys. Since been since January 1, 2021, except as, individually or 2020 in the aggregate, would not reasonably be expected to have a Material Adverse Effect on Amedisys, (A) Amedisys and its subsidiaries (1) have been in material compliance with all Privacy applicable Laws, as well as their own rules, policies and Security Requirements procedures and any binding industry standards applicable all contracts to which they are bound, in each case to the industry in which each extent relating to privacy, data protection and the collection, retention, protection, transfer, use and processing of Amedisys or any of its subsidiaries operates, Personal Data and (2B) have implemented and maintained a data security plan with commercially reasonable administrative, technical and physical safeguards to protect the IT Assets of Amedisys and its subsidiaries, and the Personal Data and other information and transactions stored or contained therein or transmitted thereby, against unauthorized access, use, loss and damage; (B) there have been no Actions related to any Security Breaches, other data security incidents, or violations of any Privacy and Security Requirements by Amedisys or any of its subsidiaries; and (C) none of Amedisys or any of its subsidiaries have sent (or been required to send) or received any written notices to or from any Person or Governmental Entity relating to violations or potential violations of any Privacy and Security Requirements. To the knowledge of Amedisys, since Since January 1, 20212020, (i) to the Knowledge of the Company, there has been no (x) unauthorized access, misuse of or damage to any IT Assets owned by or controlled byaccess to, or otherwise used in the conduct of the business of, Amedisys or any of its subsidiaries or (y) unauthorized access, use, misuse of, Processing or loss of, or damage to, any IT Assets or any Personal Data maintained by or on behalf of Amedisys the Company or any of its subsidiariesthe Company Subsidiaries, (ii) the Company and the Company Subsidiaries have not notified or been required to notify any Person of any security breach or other incident affecting the IT Assets or any information or data stored or contained therein, and (iii) there have not been and are no Actions, complaints, citations or fines pending, issued to or received by, or, to the Knowledge of the Company, threatened against the Company or any Company Subsidiary by any Person with respect to privacy or other incidents, or with respect to the Company’s handling, use or processing of Personal Data within the Company’s possession or control, that, in each casethe case of (i), except as(ii) and (iii), were or are, individually or in the aggregate, would not reasonably be expected material to have a Material Adverse Effect on Amedisysthe business of the Company.