UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549

FORM 10-K

For the fiscal year ended March 31, 2023

or

Commission file number: 001-12537

NEXTGEN HEALTHCARE, INC.

(Exact name of registrant as specified in its charter)

Not Applicable(1)

(Registrant’s telephone number, including area code)

Securities registered pursuant to Section 12(b) of the Act:

Securities registered pursuant to Section 12(g) of the Act: None

Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. Yes ☑ No ☐

Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or Section 15(d) of the Act. Yes ☐ No ☑

Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days. Yes ☑ No ☐

Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§ 232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit). Yes ☑ No ☐

Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, smaller reporting company, or an emerging growth company. See the definitions of “large accelerated filer,” “accelerated filer,” and “smaller reporting company,” and "emerging growth company" in Rule 12b-2 of the Exchange Act.

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐

Indicate by check mark whether the registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued its audit report. ☑

If securities are registered pursuant to Section 12(b) of the Act, indicate by check mark whether the financial statements of the registrant included in the filing reflect the correction of an error to previously issued financial statements. ☐

Indicate by check mark whether any of those error corrections are restatements that required a recovery analysis of incentive-based compensation received by any of the registrant’s executive officers during the relevant recovery period pursuant to §240.10D-1(b). ☐

Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Act). Yes ☐ No ☑

The aggregate market value of the voting stock held by non-affiliates of the Registrant as of September 30, 2022: $975,390,000 (based on the closing sales price of the Registrant’s common stock as reported on the NASDAQ Global Select Market on that date of $17.70 per share)*

The Registrant has no non-voting common equity.

The number of outstanding shares of the Registrant’s common stock as of May 12, 2023 was 65,980,532 shares.

* For purposes of this Annual Report on Form 10-K, in addition to those shareholders which fall within the definition of “affiliates” under Rule 405 of the Securities Act of 1933, as amended, holders of ten percent or more of the Registrant’s common stock are deemed to be affiliates for purposes of this Report.

DOCUMENTS INCORPORATED BY REFERENCE

(1) NextGen Healthcare, Inc. is a remote-first company and no longer maintains its principal executive office. For purposes of compliance with applicable requirements of the Securities Act of 1933, as amended, and Securities Exchange Act of 1934, as amended, stockholder communications required to be sent to our principal executive offices should be directed to the email address set forth in our proxy materials and/or identified on our investor relations website.

NEXTGEN HEALTHCARE, INC.

TABLE OF CONTENTS

2023 ANNUAL REPORT ON FORM 10-K

Table of Contents

CAUTIONARY STATEMENT

This Annual Report on Form 10-K (this "Report"), including the documents and certain information incorporated herein by reference, contain forward-looking statements within the “safe harbor” provisions of the Private Securities Litigation Reform Act of 1995. All statements included or incorporated by reference in this Report, other than statements that are purely historical, are forward-looking statements. Words such as “anticipate,” “expect,” “intend,” “plan,” “believe,” “seek,” “estimate,” “will,” “should,” “would,” “could,” “may,” and similar expressions also identify forward-looking statements. These forward-looking statements include, without limitation, discussions of our trend analyses, product development plans, business and growth strategies, future operations, financial condition and prospects, developments in and the impacts of government regulation and legislation, and market factors influencing our results, all of which are based on current expectations, estimates, and forecasts, and the beliefs and assumptions of our management. Our expectations, beliefs, objectives, intentions and strategies regarding our future results are not guarantees of future performance and are subject to risks and uncertainties, both foreseen and unforeseen, that could cause actual results to differ materially from results contemplated in our forward-looking statements. These risks and uncertainties include, but are not limited to, our ability to continue to develop and sell new products and services in markets characterized by rapid technological evolution, consolidation, and competition from larger, better-capitalized competitors, our ability to finalize a settlement with the DOJ, cybersecurity and data protection risk and related liabilities, current or potential legal proceedings involving us, and the effect of developments in and the impacts of government regulation and legislation. Many other economic, competitive, governmental and technological factors could affect our ability to achieve our goals, and interested persons are urged to review the risk factors discussed in “Item 1A. Risk Factors” of this Report, as well as in our other public disclosures and filings with the Securities and Exchange Commission (“SEC”). Because of these risk factors, as well as other variables affecting our financial condition and results of operations, past financial performance may not be a reliable indicator of future performance and historical trends should not be used to anticipate results or trends in future periods. We assume no obligation to update any forward-looking statements. You are cautioned not to place undue reliance on forward-looking statements, which speak only as of the date of the filing of this Report.

3

Table of Contents

PART I

ITEM 1. BUSINESS

Company Overview

NextGen Healthcare is a leading provider of innovative, cloud-based, healthcare technology solutions that empower ambulatory healthcare providers to manage the risk and complexity of delivering care in the United States healthcare system. Our combination of technological breadth, depth, and domain expertise positions us as a preferred solution provider and trusted advisor for our clients. In addition to highly configurable core clinical and financial capabilities, our portfolio includes tightly integrated solutions that deliver on ambulatory healthcare imperatives, including consumerism, digitization, risk allocation, regulatory influence, and integrated care and health equity.

We serve clients across all 50 states. Over 100,000 providers use NextGen Healthcare solutions to deliver care in nearly every medical specialty in a wide variety of practice models including accountable care organizations (“ACOs”), independent physician associations (“IPAs”), managed service organizations (“MSOs”), veterans service organizations (“VSOs”), and dental service organizations (“DSOs”). Our clients range from some of the largest and most progressive multi-specialty groups in the country to sole practitioners with a wide variety of business models. With the addition of behavioral health to our medical and oral health capabilities, we continue to extend our share not only in federally qualified health centers (“FQHCs”) but also in the growing integrated care market.

Our company was incorporated in California in 1974. Previously named Quality Systems, Inc., we changed our corporate name to NextGen Healthcare, Inc. in September 2018, and in 2021, we changed our state of incorporation to Delaware. As a remote-first company, we no longer maintain a principal executive office. Our principal website is www.nextgen.com. We operate on a fiscal year ending on March 31.

Our Vision, Mission and Strategy

NextGen Healthcare’s vision is better healthcare outcomes for all. We strive to achieve this vision by delivering innovative solutions and insights aimed at creating healthier communities. We focus on improving care delivered in ambulatory settings but do so recognizing that the entire healthcare ecosystem needs to work in concert to achieve the quadruple aim: “to improved patient experience, improved provider experience, improve the health of a population, and reduce per capita health care costs.”

Our long-term strategy is to position NextGen Healthcare as both the essential, integrated, delivery platform and the most trusted advisor for the ambulatory practices of the future. To that end, we primarily serve organizations that provide or orchestrate care in ambulatory settings and do so across diverse practice sizes, specialties, care modalities, and business models. These customers include conventional practices as well as new market entrants.

We plan to invest in our current capabilities as well as build and/or acquire new capabilities. In October 2019, we acquired Topaz Information Systems, LLC for its behavioral health solutions. In December 2019, we acquired Medfusion, Inc. for its Patient Experience Platform capabilities (i.e., patient portal, self-scheduling, and patient pay) and OTTO Health, LLC for its virtual care solutions, notably telemedicine. In August 2022, we divested our commercial dental assets, further emphasizing the company’s focus on serving ambulatory care. In November 2022, we acquired TSI Healthcare, LLC ("TSI") for its purpose-built clinical content and differentiated service offerings, which expands the addressable market served by our Enterprise domain, including new specialties, such as rheumatology, pulmonology, and cardiology. The integration of these acquired technologies has made NextGen Healthcare’s solutions among the most comprehensive in the market. Further, we are also actively innovating our business models and exploring new high-growth market domains.

Market Opportunity, and Trends

The scale and scope of the healthcare industry continues to expand. Annual United States healthcare spend today represents nearly $4.1 trillion and ~20% of GDP. A significant portion of this spend is directed towards the treatment of chronic conditions and administrative solutions that service an increasingly complex system with diverse stakeholders. While there are several convergent market forces reshaping the healthcare industry landscape, we are focused on six trends we believe will materially impact the markets we participate in and our customer value proposition:

4

Table of Contents

NextGen Healthcare is well positioned to play a key role in guiding our clients through short-term and long-term changes that impact healthcare in the United States and is committed to helping them deliver better outcomes.

Our Value Proposition

NextGen Healthcare’s value proposition to our clients can be summarized by the four “I’s” as follows:

NextGen Healthcare delivers value to our clients in several ways. Our solutions enable our clients to address current needs while preparing for the needs of the future including expanding access to health services, enhancing the coordination and management of care, and optimizing patient outcomes while also ensuring the sustainability of their practices. Specifically, we offer a range of solutions to allow clinicians to practice anywhere and work in new and innovative collaboration models.

NextGen Healthcare provides integrated cloud-based solutions and services that align with our client’s strategic imperatives. Ultimately, this value is reflected in the overall insights and impact delivered to the client. The foundation for our integrated ambulatory care platform is a core of our industry-leading EHR and practice management (“PM”) systems that support clinical, financial and patient engagement activities.

We optimize the core with an automation and workflow layer that gives our clients control over how platform capabilities are implemented to drive their desired outcomes. The workflow layer includes mobile and voice-enabled capabilities proven to reduce physician burden. Recognizing that engaged patients are key to positive outcomes, our patient experience platform enables our clients to create personalized care experiences that enhance trust and drive patient loyalty. Further, we support the advances in integrated care that focus on the whole person with solutions supporting behavioral and oral health. Our cloud-based population health and analytics engine allows our clients to improve results in both fee-for-service and fee-for-value environments.

5

Table of Contents

In support of extensibility, we surround the core with open, web-based application programming interfaces (“APIs”) to drive the secure exchange of health and patient data with connected health solutions. Our commitment to interoperability, defragmenting care and our experience powering many of the nation’s HIE’s places us in a unique position to enable our clients to leverage this technology to lower the cost of care and improve the patient and provider experience by providing an integrated community patient record.

Finally, to ensure our clients get maximum value from our solutions, we have augmented our technology with key services aligned with their needs, helping to ensure they reach their organizational goals. We partner with our clients to optimize their information technology (“IT”) operations, enhance revenue cycle processes across fee-for-service and fee-for-value models, service line expansion and operations, as well as advise on long-term strategy.

Positioning NextGen Healthcare for Growth. As NextGen Healthcare applies this value proposition framework across the ambulatory care market, we incorporate some or all our current solution offerings within three broad domains illustrated in Figure 1 below:

Figure 1: NextGen Healthcare Solutions Domains

Additional commentary on our collection of solutions within the three broad domains are described in further detail below.

ENTERPRISE

Clinical Care Solutions improve the quality and efficiency of care delivery as well as the patient and provider experience. They significantly ease the administrative burden and enable the delivery of high quality, personalized care. Providers can automate patient intake, streamline clinical workflows, and leverage vendor-agnostic interoperability to achieve quality measures and qualify for incentives. An example of our clinical care solutions is:

NextGen® Enterprise EHR– Our electronic health records solution stores and maintains clinical patient information and offers a workflow module, prescription management, automatic document and letter generation, patient education, referral tracking, interfaces to billing and lab systems, physician alerts and reminders, and reporting and data analysis tools.

Financial Solutions provides key analytics that allow clients to drive healthy, predictable financial outcomes. More than just billing and collection services, financial management involves all functions that effectively capture revenue at the lowest cost, while providing an efficient experience for the patient. Financial management solutions help practices improve performance

6

Table of Contents

and correct operational inefficiencies, while enhancing the practice’s financial outcomes throughout the revenue cycle. An example of our financial management solutions is:

NextGen® Enterprise PM– Our practice management offering is a seamlessly integrated, scalable, multi-module solution that includes a master patient index, enterprise-wide appointment scheduling with referral tracking, and clinical support.

Patient Engagement Solutions boost loyalty and improve outcomes by engaging patients in their own care. Our patient engagement tools enable patients to better manage their own health through direct patient-provider messaging, online scheduling, automated reminders, easy payment options, and virtual visits. The ability of patients to handle their own scheduling and billing frees provider staff, restoring valuable time. An example of our patient engagement solutions is:

NextGen Virtual Visits™– Delivers a tightly integrated, bi-directional telehealth experience that allows patients to have a virtual visit with their own personal doctor and their own provider’s care team. The solution allows for screen-sharing, document passing, in-visit chat, one-touch access to interpretive services, and a "no-login" experience for patients.

OFFICE

Integrated Clinical Care and Financial Solutions provide a comprehensive set of software and services specifically targeted to improve the clinical and financial performance of small and independent practices across a broad set of clinical specialties. An example of our solution in this space is:

NextGen® Office– A cloud-based EHR and PM solution for physicians and medical billing services designed to meet the specific needs of smaller practices.

INSIGHTS

Interoperability Solutions (formerly Connected Health Solutions) enable different information technology systems to communicate and exchange usable data thereby allowing caregivers to more effectively work together within and across care teams and organizational boundaries, and equipping patients to collaborate on their own care. Our integration and interoperability offerings enable providers to leverage their current technology for better outcomes and truly connected patient care. Examples of our interoperability solutions are:

NextGen® Share – A broad and expanding suite of plug-and-play interoperability solutions which help NextGen® Enterprise EHR users safely and securely exchange clinical content with external providers and organizations. The platform includes support for secure direct messaging with more than 2.8 million providers and organizations, and care quality integration to enable automated data exchange of over 250 million records to date.

Mirth® Connect – Enables patient data from disparate systems to be easily and securely shared, aggregated, and put to work, regardless of EHR, PM, or other healthcare IT platform or location. This offering optimizes interoperability capabilities with advanced administration tools that help drive affordable and effective health data exchange and supports client’s ability to control resources and elevate performance.

Data and Analytics Solutions help NextGen Healthcare’s customers to unlock the value of their information assets and deliver actionable insight and decision support at the point of care. We do this by aggregating and normalizing data assets across multiple sources of truth, enriching those data sets as needed with proprietary and 3rd party information assets and applying sophisticated analytics to develop a broad set of clinical, operational, financial, and experiential insights. An example of our data and analytics solutions is:

NextGen® Health Data Hub (“HDH”) – A fully redesigned data aggregation platform to meet the expanding market demand for robust data sharing, aggregation, and community access. HDH was built from the ground-up to provide comprehensive, continuous access to aggregated patient health data on a robust, reliable, platform that will enable system-wide connectivity, and support the growing enterprise data management needs for HIEs, hospitals and large ambulatory practices.

Value Based Care Solutions (formerly Population Health Solutions) provide our customers the ability to enhance care quality and optimize the total cost of delivering care to patient populations across risk strata. As the incidence of chronic conditions rises across patient populations, providers are increasingly seeking turnkey chronic condition management, remote patient monitoring and care program adherence solutions that can improve clinical outcomes. Our solutions also give practices the ability to share risk with payors under alternative payment models and sustainably navigate the transition from fee-for-service to fee-for-value. An example of our value based care solutions is:

NextGen® Population Health Solutions – Delivers robust capabilities for core population health insights using integrated clinical and claims data to support both broad and deep analysis for populations of interest (attribute visualization, risk stratification, gaps in care, etc.).

SERVICES

Applicable across all three domains, NextGen Healthcare provides additional value to clients in the form of services that help clients achieve their strategic objectives. Through these services, we enable clients to effectively address core operational and financial needs so they can focus on their primary mission of providing efficient and high-quality patient care. Our three categories of services include:

7

Table of Contents

Managed Services include our scalable, cloud hosting services that reduce the burden of information technology expertise from our clients and speed implementations, simplify upgrades, cut technology costs significantly and provide 24/7 monitoring and support by a broad team of technical experts. In addition, we offer Revenue Cycle Management (“RCM”) Services that includes billing and collections, electronic claims submission and denials management, electronic remittance and payment posting and accounts receivable follow-up. Our dedicated account management model helps make NextGen Healthcare a top-performing provider of RCMS as reported in the 2020 KLAS Ambulatory RCM Services Report.

Professional Services include training, project management, installation services, and application managed services. Our consulting services, which include physician, professional, and technical consulting, assisting clients to optimize their staffing and software solutions, enhance financial and clinical outcomes, achieve regulatory requirements in the drive to value-based care, and meet the evolving requirements of healthcare reform.

Client Service and Support in which our technical services staff provides support for the dependable and timely resolution of technical inquiries from clients. Such inquiries are made via telephone, email and the internet. We offer several levels of support, with the most comprehensive service covering 24 hours a day, seven days a week.

Competition

The markets for healthcare information systems and services are intensely competitive and highly fragmented. Our traditional full-suite competitors in the healthcare information systems and services market include: athenahealth, Inc., Oracle Corporation, eClinicalWorks, Epic Systems Corporation, Greenway Health, LLC, Veradigm Inc., and Modernizing Medicine, Inc. Emerging smaller competitors also bring competition in specific sectors of the market. Additionally, we face competition from technology vendors who offer verticalized data management and analytics solutions and services-only competitors like business process outsourcers, hosting providers and transcription companies.

The EHR, PM, interoperability, and connectivity markets are subject to rapid changes in technology. We expect that competition in these market segments could increase as new competitors enter the market. We believe our principal competitive advantages are our ambulatory-only focus, the essential nature of the EHR and PM clinical platforms to care delivery, our comprehensive and fully-integrated solution, and our deep domain expertise, which enables our subject matter experts to serve as trusted advisors to our clients.

Regulatory Environment

As a participant in the healthcare industry, our business, and that of our clients, is subject to a wide array of complex and rapidly changing federal and state laws, regulations, and industry initiatives, in the areas of information sharing, electronic health record and interoperability standards, e-prescribing, claims processing and transmission, security and privacy of patient data, and healthcare fraud. The impact of such laws and regulations on us is direct, to the extent we are subject to these laws and regulations, and is also indirect, in terms of government program requirements applicable to our clients for the use of our solutions or that impact payment models. The complexity and rapidly changing nature of these laws and regulations have created both challenges as well as significant opportunities for our business. New laws and regulations have targeted the adoption of EHRs, health data exchange and interoperability, value-based payment, care coordination, utilization of telehealth services, migration of inpatient to outpatient care, and expansion of behavioral health services. Many of these changes have spanned multiple Congresses and Presidential Administrations and taken years to fully implement (e.g., The Medicare Access and CHIP Reauthorization Act of 2015 (“MACRA”) and Cures Act):

8

Table of Contents

Through annual payment policy rules from the CMS and other targeted rulemakings from the United States Department of Health and Human Services (“HHS”), the federal government continues to implement and/or update different aspects of these laws every year, for example:

In addition, reform of payment policies for Medicare and Medicaid continues to evolve. For example:

Refer also to the discussion of regulatory risks within “Item 1A. Risk Factors” for governmental regulations and policies that may affect our business.

COVID-19

In January 2020, HHS officially declared that a public health emergency (“PHE”) existed as a result of the pandemic. Soon after, HHS issued a series of rules and orders to offer healthcare providers flexibility or waivers from certain regulatory requirements during the PHE that are still in effect today. For example, changes were made through waivers and other regulatory authority to increase access to telehealth services by, among other things, increasing reimbursement, permitting the enrollment of out of state providers and eliminating prior authorization requirements. It is uncertain how long these COVID-19 related regulatory changes will remain in effect and whether they will continue beyond the PHE period. These laws include the $2.2 trillion Coronavirus Aid, Relief, and Economic Security Act ("CARES Act”) and the $1.9 trillion American Rescue Plan Act, both of which included record federal investments in FQHCs and behavioral health service providers.

Additional regulations that directly and/or indirectly impact our business include:

Privacy and Security Laws. There are numerous United States federal and state laws and regulations as well as foreign legislation which govern the confidentiality of personal information, how that information may be used, and the circumstances under which such information may be released. These regulations govern both the disclosure and use of confidential personal and patient medical record information and require the users of such information to implement specified security and privacy measures.

Fraud and Abuse Laws. The healthcare industry is subject to laws and regulations on fraud and abuse that, among other things, prohibit the direct or indirect payment or receipt of any remuneration for patient referrals, or for the purchase or order, or arranging for or recommending referrals or purchases, of any item or service paid for in whole or in part by these federal or state healthcare programs. Federal enforcement personnel have substantial funding, powers and remedies to pursue suspected or perceived fraud and abuse. Moreover, both federal and state laws forbid bribery and similar behavior.

9

Table of Contents

Healthcare fraud and abuse laws and regulations can vary significantly from jurisdiction to jurisdiction, and the state and federal interpretation of existing laws and regulations, and their enforcement, may change from time to time. We may also be subject to future legislation and regulations concerning the development and marketing of healthcare software systems or requirements related to product functionality.

Research and Development

The healthcare information systems and services industry is characterized by rapid technological change, requiring us to engage in continuing investments in our research and development to update, enhance and improve our systems. These efforts include developing new solutions as well as new features and enhancements to our existing solutions, which we believe will create additional opportunities to connect our systems to the healthcare community.

Sales and Marketing

We sell and market our products primarily through a direct sales force and to a significantly lesser extent, through a reseller channel. NextGen Healthcare also provides solutions to networks of practices such as MSOs, IPAs, ACOs, ambulatory care centers (“ACCs”), and community health centers (“CHCs”). Our direct sales force is comprised of sales executives and account executives, who seek to understand the client strategy and build a multistage roadmap to reach the desired end state. For large clients, we use both inside and outside sales where efforts are a mix of on-site and virtual based. For smaller clients, efforts are all inside sales via web and phone, all of whom deliver presentations to potential clients by demonstrating our systems and capabilities either on prospective client’s premises or through video meeting and web-based presentations. Our sales and marketing employees identify prospective clients through a variety of means, including a healthcare data and analytics platform, search engine optimization and value exchange content on nextgen.com; digital advertising; direct mail and email campaigns; referrals from existing clients and industry consultants; contacts at professional society meetings and trade shows (online and in person); webinars; public relations and social media campaigns; and telemarketing. Our sales cycle can vary significantly and typically ranges from six to 18 months from initial contact to contract execution. Smaller practices on NextGen Office tend to have significantly shorter sales cycles ranging in weeks. Moving forward, we expect more of our transactions to move to subscriptions. Clients have the option to purchase hosting and maintenance services, which are invoiced on a monthly, quarterly or annual basis. Subscriptions are delivered electronically after the agreement is signed. They generally include implementation and are typically billed monthly after implementation or based on volume or throughput. We continue to concentrate our direct sales and marketing efforts on the ambulatory market from large multi-specialty organizations to small-single specialty practices in high-opportunity specialty segments.

We have numerous clients and do not believe that the loss of any single client would adversely affect us. No client accounted for 10% or more of our net revenue during each of the years ended March 31, 2023, 2022 and 2021. In addition, software license sales to resellers represented less than 10% of total revenue for each of the years ended March 31, 2023, 2022 and 2021. Substantially the majority of our clients are located in the United States.

Proprietary Rights

We rely on a combination of patents, copyrights, trademarks, service marks, trade secrets, and contractual restrictions to establish and protect proprietary rights in our products and services. To protect our proprietary rights, we enter into confidentiality agreements and invention assignment agreements with our employees with whom such controls are relevant. In addition, we include intellectual property protective provisions in our client and other third-party contracts and control access to software, documentation and other proprietary information. However, because the software industry is characterized by rapid technological change, we believe such factors as the technological and creative skills of our personnel, new product developments, frequent product enhancements, name recognition, and reliable product maintenance are more important to establishing and maintaining a technology leadership position than the various legal protections of our technology.

We rely on intellectual property obtained from third parties for certain components of our products and services. These components enhance our products and services and help meet evolving client needs. The failure to license any necessary technology, or to maintain our existing licenses, could result in reduced functionality of or reduced demand for our products.

Although we believe our products and services, and other proprietary rights, do not infringe upon the proprietary rights of third parties, third parties may assert intellectual property infringement claims against us in the future. Any such claims may result in costly, time-consuming litigation and may require us to enter into royalty or cross-license arrangements.

Privacy and Security

Our business operations involve hosting, storing, processing, and transmitting confidential information, including personally identifiable information, protected health information (“PHI”) and payment card information. We have implemented physical, technical, and administrative safeguards designed to help protect our systems in the event of a system interruption, security

10

Table of Contents

incident, or breach of information. Additionally, our comprehensive Information Security Management Program (“ISMP”) is designed to help safeguard the confidentiality, integrity and availability of our clients’ data through use of testing for assurances and outlining processes for appropriate response and reporting of security incidents.

Physical Safeguards

We utilize the industry’s most well-respected certifications starting with Health Information Trust Alliance (“HITRUST”) Common Security Framework (“CSF”), which provides a process to standardize requirements of Health Insurance Portability and Accountability Act (“HIPAA”) and coordinate it with other national and international data security frameworks and many state laws.

We maintain Payment Card Industry Data Security Standard (“PCI-DSS”) Level 1 Service Provider, which allows us to minimize our clients’ PCI scope. In addition, we are a DirectTrust Health Information Service Provider (“HISP”), helping to maintain compliance with Security Organization Control 2, or SOC 2 Type II, across the domains of privacy, security, confidentiality, and availability.

These certifications and pertinent audits help with our client’s third-party assurance programs to ensure we are meeting or exceeding HIPAA and other regulatory requirements.

Technical Safeguards

We operate both single-tenant environments and unified multi-tenant platforms that offer reliability, scalability, performance, security and privacy for our clients and the customers and patients they serve. To create geographical redundancy, our infrastructure resides in several geographically diverse regions across the United States.

Additionally, we have systems in place to monitor the security and confidentiality of PHI, and procedures designed to promptly initiate investigations and mitigation efforts upon notification or identification of a security incident.

Administrative Safeguards

We have a comprehensive training and awareness program which includes on-going awareness simulations, required training, supplemental training, and cross-functional incident response testing. All employees are required to complete each cybersecurity training, HIPAA training, and PCI DSS training annually. These training modules are reviewed annually to ensure compliance with the latest regulatory guidelines, laws, and industry best practices, and include information on how our employees’ can ensure they are meeting our security requirements while working in a remote environment.

All policies and procedures are made available to all employees through our organization’s intranet, and acknowledgment of these is required at time of hire. Our Privacy Policy, which outlines how we collect and utilize personal data, is made available on our public facing website.

We recognize that these safeguards may not always prevent future cybersecurity incidents or breaches, especially in the current landscape of increasing cybersecurity risks from, among other areas, the prevalence of remote work, the ability of cyber-criminals to monetize cybersecurity incidents (ransomware, dark web, etc.), growth in digital payments, and cloud computing technology. We also recognize that regulatory scrutiny of privacy, data collection, use and sharing of data is increasing on a global basis, and we are uncertain how current and future data privacy laws may impact our business practices and privacy policies.

Managing Cybersecurity Risks

We conduct regular risk assessments, which are one component of our internal control environment that brings together key stakeholders to identify and evaluate threats and critical risks (both internal and external) that may impact our overall mission and objectives of the organization. The risk assessment process assigns certain risks identified through process to key stakeholders to monitor, manage and implement appropriate measures.

To mitigate the increasing risk of cybersecurity incidents, we review and evaluate our cybersecurity insurance coverage on an annual basis. Our evaluation is based on industry standard, and specific needs of the organization which are identified through business and privacy impact assessments.

We use a third-party vendor to conduct, perform and validate a bona fide annual risk assessment required by the HIPAA Security Rule. The third‐party vendor conducts interviews with key stakeholders and performs penetration testing, evidence collection and on‐site analysis. Formal rating systems determine what, if any, remediation strategies are warranted, and are then incorporated into a remediation plan. The vendor provides a report that is reviewed and approved by the Chief Information Security Office (“CISO”) and reported to appropriate members of executive management and Board of Directors.

The information systems team conducts weekly meetings to review and identify risks through the change management process. Meetings are held to ensure that projects, risks, compliance, federal regulations, and personnel are in line with the organizational goals regarding security and compliance. Continuity and resiliency planning are based on National Institute of Standards and Technology (“NIST”) cybersecurity best practices and are tested no less than annually.

A comprehensive assurance program is maintained with oversight by our CISO, which is included with the organization procurement gating process. Administrative and technical assessments are conducted prior to contract signing with any

11

Table of Contents

third-party. Our control consciousness is influenced significantly by our Board of Directors and Audit Committee. While the management of our business is delegated to the management team, the Board of Directors oversees management’s execution of the organization’s business activities.

Human Capital

Workforce Statistics

As of March 31, 2023, NextGen Healthcare had approximately 2,783 full-time employees, approximately 721 of whom were based in Bangalore, India with the remainder located in the United States. None of our employees are covered by a collective bargaining agreement or are represented by a labor union.

Talent Recruitment

We recognize and value our employees as unique contributors through their entire journey at NextGen Healthcare. As such, we have a thoughtful and tailored approach to attracting, developing and retaining talent. We seek highly qualified applicants from a variety of sources with an increased focus on recruiting diverse talent. To ensure transparency and with a desire to mitigate bias, we conduct panel and round robin interviews for hiring and promotion. Discover NextGen, our adventure-based onboarding experience, provides a deep and broad picture of the organization with recognition that employees’ first few weeks on the job potentially cement their commitment to the company and culture.

Talent Retention and Development

We provide a career framework for our employees enabling their career development either within a single career track or through the ability to traverse multiple career ladders as they refine or optimize their development. Our Talent Community connects interested employees with internal functional subject matter experts to share job information including knowledge and skills required for advancement. We are committed to developing our employees through a culture of learning. We maintain an organizational development group focused on all aspects of employee development, including management and leadership through our LEAD framework and skill building. We also sponsor 24/7 on-demand training for employee certifications and relevant career-based skillsets and provide education reimbursement for continued education.

Diversity

We recognize our responsibility and strategic opportunity to champion varied viewpoints, culture and expertise. Our Diversity, Equity, Inclusion & Belonging (“DEIB”) strategy includes goals around recruiting, retaining and developing diverse employees and leaders in the Company. Our Employee Resource Groups (“ERGs”) focus their efforts on career, culture, market and community. These ERGs include: AAPI (Asian American Pacific Islander), ABLED (Awareness Benefiting Leadership & Employees About Disabilities), beiNG (Black Equity and Inclusion at NextGen), NextGen United, Generational and Allies, LatinX. LGBTQ+, Military/Veterans and Allies, Remote Engagement, Working Parents, and Women-In-Tech. Our ERGs communicate directly with senior leadership through Listening Sessions with our Chief Executive Officer and other C-level executives. Our BELONG (Bringing Employees to Leadership Opportunities at NextGen) sponsorship program pairs a senior member of our organization (the sponsor) with a more junior member (the protégé) with the goal of career clarity and potential advancement. We also provide and promote employee training on harassment prevention, cultivating a respectful workplace and elimination of unconscious bias. Beyond the fundamental conversation about DEIB, we regularly engage with outside experts on training and facilitated conversations about topics including cultural competency and humility and career progression through a non-dominant culture lens. To measure the impact of the above activities, we survey our employees annually through a specific DEIB survey. We regularly engage with our Board of Directors on strategies, participation, and impact of these initiatives.

Employee Compensation

In recognition of the competitive talent landscape, we align our Total Rewards with the hiring landscape. Our comprehensive approach to compensation includes performance-based merit and bonus rewards. Additionally, long term incentives, 401(k) plan and match, and the Employee Stock Purchase Plan round out our reward strategy. To ensure we support pay equity, we conduct compensation analyses semi-annually in alignment with pay equity training for managers.

Culture and Engagement

NextGen Healthcare understands the vital importance of engaged employees to create a high potential community. We closely track our engagement and culture scores through an annual VOTE (Voice of The Employee) survey and on a monthly basis through our Employee Experience Monitor. We provide our team members with safe and confidential channels to voice concerns and receive a response and ensure they have access to members of our executive leadership team. Employees receive training on ethics and our code of conduct, including how to make reports on our ethics hotline. Our regularly scheduled Town Halls with all employees have become a vital part of our culture of community building. Our Board of Directors receive regular updates on employee engagement and satisfaction issues.

We believe that supporting community and volunteer service among our employees builds a strong culture and caring leaders. Each year, we sponsor NextGen Days of Caring during which our employees can volunteer for external charitable organizations. Our NextGen Cares program also allows employees to donate vacation time to help colleagues who have

12

Table of Contents

experienced natural disaster or tragedy. We also encourage our employees to participate in volunteer activities by providing the benefit of paid time off to volunteer through our Volunteer Time Off program.

Our Bangalore development center in India, under the leadership of its Corporate Social Responsibility Committee, conducts community relations activities every quarter to advance and support women’s empowerment, improve health, support education and help fight poverty.

Health & Safety

Our health and welfare plans reflect our desire to support our employees in a holistic way. Our healthcare plans are the cornerstone of the program, supplemented with additional insurance, mental health services for all employees, an Employee Assistance Program, and time off plans including vacation, sick leave and parental leave. We also support our employees’ well-being through an integrated online platform that offers a variety of ‘campuses’ such as Family Care, Financial, New Hire, Wellness and Life Events. The campuses provide resources and access to certain programs/benefits relating to childcare, children of aging parents, gym membership, health coaching and more.

Transition to Remote Workforce

As the severity of the COVID-19 pandemic waned and in response to the overwhelming preference of our employees, we implemented remote work as our standard. Our Human Resources, Organizational Development and Information Security teams keep our employees engaged with resources to work remotely, remain productive and avoid burnout. Our business continuity health and safety team continue to share information and guidance on all pandemic updates through our internal health and safety communication channel.

Available Information

Our principal website is www.nextgen.com. We make our periodic and current reports, together with amendments to these reports, filed or furnished pursuant to Section 13(a) or 15(d) of the Securities Exchange Act of 1934, as amended, available on our website, free of charge, as soon as reasonably practicable after such material is electronically filed with, or furnished to, the SEC. You may access such filings through our Investor Relations website at http://investor.nextgen.com. The SEC maintains an internet site at www.sec.gov that contains the reports, proxy statements and other information that we file electronically with the SEC. Our website and the information contained therein or connected thereto is not intended to be incorporated into this Report or any other report or information we file with the SEC. We also use the following social media channels as a means of disclosing information about the company, our platform, our planned financial and other announcements and attendance at upcoming investor and industry conferences:

We encourage our investors and others to review the information we make public in these locations as such information could be deemed to be material information. Please note that this list may be updated from time to time.

13

Table of Contents

ITEM 1A. RISK FACTORS

You should carefully consider the risks described below, as well as the other cautionary statements and risks described elsewhere, and the other information contained in this Report and in our other filings with the SEC, including subsequent Quarterly Reports on Form 10-Q and Current Reports on Form 8-K. We operate in a rapidly changing environment that involves a number of risks. The risks and uncertainties described below are not the only ones we face. Additional risks and uncertainties not presently known to us or that we currently deem immaterial may also affect our business operations. If any of these known or unknown risks actually occur, our business, financial condition or results of operations could be materially and adversely affected, in which case the trading price of our common stock may decline, and you may lose all or part of your investment. The following information should be read in conjunction with Part II, Item 7, “Management’s Discussion and Analysis of Financial Condition and Results of Operations” and the consolidated financial statements and related notes in Part II, Item 8, “Financial Statements and Supplementary Data” of this Form 10-K.

Risks Related to our Business

We face significant, evolving competition which, if we fail to properly address, could adversely affect our business, results of operations, financial condition, and price of our stock. The markets for healthcare information systems are intensely competitive and rapidly evolving. We face significant competition from a number of different sources. Several of our competitors have substantially greater name recognition and financial, technical, product development and marketing resources than we do. Some of our competitors, have, and may continue to become more active in our markets both through internal development and acquisitions. Moreover, we expect that competition will continue to increase as a result of consolidation in both the IT and healthcare industries. Transaction induced and other competitive pressures and factors may result in price erosion and make the adoption and renewal of our solutions more difficult. Further, as we continue to enhance and develop new solutions and services, including in the areas of interoperability, data and analytics, and value-based care, we expect to face new competitors, and these new competitors may have more experience in these markets. There can be no assurance that we will be able to compete successfully against current and future competitors or that the competitive pressures that we face will not materially and adversely impact our business, financial condition, and operating results.

We may not be able to develop and market new products to and services respond to technological changes or evolving industry standards and our clients may not accept our products or services. The markets in which we operate are characterized by rapid technological and regulatory change, evolving industry standards and increasingly sophisticated client needs. In order to compete successfully, we must keep pace with our competitors in anticipating and responding to these rapid changes. Our future success will depend, in part, upon our ability to enhance existing solutions and develop and introduce in a timely manner or acquire new solutions that keep pace with technological and regulatory developments and industry requirements, satisfy increasingly sophisticated client requirements and achieve market acceptance. If we are unable, for technological or other reasons, to develop or acquire on a timely and cost-effective basis new software solutions or enhancements to existing solutions or if such new solutions or enhancements do not achieve market acceptance, or if new technologies emerge that are able to deliver competitive offerings at lower prices, more efficiently, more conveniently, or more securely than our offerings, our business, financial condition, and results of operations can be adversely affected.

Saturation or consolidation in the healthcare industry could result in the loss of existing clients, a reduction in our potential client base and downward pressure on the prices for our products and services. As the healthcare information systems market continues to evolve, saturation of this market with our products or our competitors' products could limit our revenues and opportunities for growth. There has also been increasing consolidation amongst healthcare industry participants in recent years, creating integrated healthcare delivery systems with greater market power. As provider networks and managed care organizations consolidate, the number of market participants decreases and competition to provide products and services like ours become more intense. The importance of establishing and maintaining relationships with key industry participants becomes greater and our inability to make initial sales of our systems to, or maintain relationships with, newly formed groups and/or healthcare providers that are replacing or substantially modifying their healthcare information systems could adversely affect our business, results of operation and financial condition. Consolidation in our industry can result in fewer new footprint opportunities or lead to the replacement of our products and services in existing clients, cause downward pricing pressures and have an adverse impact on our business, results of operations and financial condition.

We depend on strategic relationships and our business could be materially impacted if we fail to manage these relationships properly. We face risk and/or possibility of claims from activities related to strategic partners. We depend on strategic relationships and third-party suppliers and our revenue and operating earnings could suffer if we fail to manage these relationships properly. To be successful, we must continue to maintain our existing strategic relationships and establish additional strategic relationships as necessary with leaders in the markets in which we operate. If we lose any of these third-party relationships or fail to establish additional relationships, or if our relationships fail to benefit us as expected, this could materially and adversely impact our business, financial condition, and operating results. We rely on third parties to provide certain services for our business. For example, we use national clearinghouses in the processing of some insurance claims, and we outsource the printing and delivery of patient statements for our clients. These third parties could raise their prices or be acquired by our competitors or decide to compete with us in some or all of the markets in which we operate, which could potentially create short or long-term disruption to our business, negatively impacting our revenue, profit and/or stock price. We also have relationships with certain third parties where these third parties serve as sales channels through which we generate a portion of our revenue. In addition, we could be subject to claims as a result of the activities, products, or services of these third-party service providers even though we were not directly involved in the circumstances leading to those claims.

14

Table of Contents

We have acquired companies, and may engage in future acquisitions, which may be expensive, time consuming, subject to inherent risks and from which we may not realize anticipated benefits. Historically, we have acquired numerous businesses, technologies, and products. We may acquire additional businesses, technologies, and products if we determine that these additional businesses, technologies and products are likely to serve our strategic goals. Acquisitions have inherent risks, which, if materialized, may have a material adverse effect on our business, financial condition, operating results or prospects, including, but not limited to the following: (i) failure to achieve projected synergies and performance targets; (ii) potentially dilutive issuances of our securities, the incurrence of debt and contingent liabilities and amortization expenses related to intangible assets with indefinite useful lives; (iii) using cash as acquisition currency may adversely affect interest or investment income, which may in turn adversely affect our earnings and /or earnings per share; (iv) unanticipated expenses or difficulty in fully or effectively integrating or retaining the acquired technologies, software products, services, business practices, management teams or personnel, which would prevent us from realizing the intended benefits of the acquisition; (v) failure to maintain uniform standard controls, policies and procedures across acquired businesses; (vi) difficulty in predicting and responding to issues related to product transition such as development, distribution and client support; (vii) the assumption of known and unknown liabilities; (viii) the possibility that the due diligence process in any such acquisition may not completely identify material issues associated with product quality, product architecture, product development, intellectual property issues, regulatory risks, compliance risks, key personnel issues or legal and financial contingencies, including any deficiencies in internal controls and procedures and the costs associated with remedying such deficiencies; and (ix) the possibility that acquired assets become impaired, or that acquired assets lead us to determine that existing assets become impaired, requiring us to take a charge to earnings which could be significant; and (x) the possibility of disputes over post-closing purchase price adjustments such as performance-based earnouts. A failure to successfully integrate acquired businesses or technology could, for any of these reasons, have an adverse effect on our financial condition and results of operations.

If we are unable to manage our growth, including in the new markets we may enter, our business and financial results could suffer. We have in the past experienced periods of growth which have placed, and may continue to place, a significant strain on our non-cash resources. In addition, our future financial results will depend in part on our ability to profitably manage our business in new markets that we may enter. We are engaging in the strategic identification of, and competition for, growth and expansion opportunities in new markets or offerings, including in the areas of interoperability, patient engagements, data analytics and population health. In order to successfully execute on our growth initiatives, we will need to, among other things, manage changing business conditions, anticipate, and react to changes in the regulatory environment, and develop expertise in areas outside of our business's traditional core competencies. As we expand into new countries and markets, we will need to successfully address the risks inherent in the expansion of international operations, such as differing legal and regulatory requirements that may apply to our products and/or how we operate, including those that pertain to privacy and data protection, trade and employment restrictions and intellectual protections, among other risks, which could involve significant costs or require changes in products or business practices. Failure to successfully address these risks and other difficulties in managing future growth, including in new markets, could have a significant negative impact on our business, financial condition, and results of operations.

We may experience reduced revenues and/or be forced to reduce our prices in response to changes to the healthcare regulatory landscape. We may be subject to pricing pressures with respect to our future sales arising from various sources, including among other things, government action affecting reimbursement levels. Our clients and the other entities with which we have business relationships are affected by changes in statutes, regulations, and limitations on government spending for Medicare, Medicaid, and other programs. Recent and future government actions and legislation could limit government spending for Medicare and Medicaid programs, limit payments to healthcare providers, increase emphasis on competition, impose price controls, initiate new and expanded value-based reimbursement programs and create other programs that potentially could have an adverse effect on our clients and the other entities with which we have a business relationship. If we experience significant downward pricing pressure, our revenues may decline along with our ability to absorb overhead costs, which may leave our business less profitable.

Our operations are dependent upon attracting and retaining key personnel. If such personnel were to leave unexpectedly, we may not be able to execute our business plan. Our future performance depends in significant part upon the continued service of our key development, client service and senior management personnel and successful recruitment of new talent. These personnel have specialized knowledge and skills with respect to our business and our industry. The industry in which we operate is characterized by a high level of employee mobility and aggressive recruiting of skilled personnel. There can be no assurance that our current employees will continue to work for us. Loss of services of key employees could have an adverse effect on our business, results of operations and financial condition. Furthermore, we may need to grant additional equity incentives to key employees and provide other forms of incentive compensation to attract and retain such key personnel. Equity incentives may be dilutive to our per share financial performance. Failure to provide such types of incentive compensation could jeopardize our recruitment and retention capabilities.

We have substantial development and other operations in India, and we use offshore third-party partners located in India and other countries, that subject us to regulatory, economic, social and political uncertainties and to laws applicable to U.S. companies operating overseas and other risks of global operations. We are subject to several risks associated with having a portion of our assets and operations located in India and by using third party service providers in India and other countries. Many U.S. companies have benefited from many policies of the Government of India and the Indian state governments in the states in which we operate, which are designed to promote foreign investment generally and the

15

Table of Contents

business process services industry in particular, including significant tax incentives, relaxation of regulatory restrictions, liberalized import and export duties and preferential rules on foreign investment and repatriation. There is no assurance that such policies will continue. Various factors, such as changes in the current Government of India, could trigger significant changes in India’s economic liberalization and deregulation policies and disrupt business and economic conditions in India generally and our business in particular. In addition, our financial performance and the market price of our common stock may be adversely affected by general economic conditions and economic and fiscal policy in India, including changes in exchange rates and controls, interest rates and taxation policies, as well as social stability and political, economic or diplomatic developments affecting India in the future. Our ability to recruit, train and retain qualified employees, develop and operate our captive facility could be adversely affected if India does not successfully overcome challenges associated with sustaining its economic growth. In addition, U.S. governing authorities may pressure us to perform work domestically rather than using offshore resources. Furthermore, local laws and customs in India may differ from those in the U.S. For example, it may be a local custom for businesses to engage in practices that are prohibited by our internal policies and procedures or U.S. laws and regulations applicable to us, such as the Foreign Corrupt Practices Act (“FCPA”). The FCPA generally prohibits U.S. companies from giving or offering money, gifts, or anything of value to a foreign official to obtain or retain business and requires businesses to make and keep accurate books and records and a system of internal accounting controls. We cannot guarantee that our employees, contractors, and agents will comply with all of our FCPA compliance policies and procedures. If we or our employees, contractors, or agents fail to comply with the requirements of the FCPA or similar legislation, government authorities in the U.S. and elsewhere could seek to impose civil or criminal fines and penalties which could have a material adverse effect on our business, operating results, and financial condition.

If we fail to finalize a settlement with the DOJ or fail to comply with the terms of any such final settlement of the DOJ’s investigations into certain of the Company’s business practices, our business, results of operations and financial condition will be materially and adversely affected. In addition, even if we finalize the settlement, we may face additional investigations or lawsuits. Commencing in April 2017, we have received requests for documents and information from the United States Attorney's Office for the District of Vermont and other government agencies in connection with an investigation concerning the certification we obtained for our software under the United States Department of Health and Human Services' Electronic Health Record (EHR) Incentive Program. The requests for information relate to, among other things: (a) data used to determine objectives and measures under the Meaningful Use (MU) and the Physician Quality Reporting System (PQRS) programs, (b) our EHR product and its performance, including defects that relate to patient safety or meaningful use certifications, (c) the software code used in certifying our EHR software and information, and (d) marketing programs and payments provided for the referral of EHR business. In late 2022, the United States Attorney’s Office informed NextGen of the existence of a sealed qui tam lawsuit concerning the issues NextGen has been discussing with their Office. While we have not yet reached a final, binding settlement agreement with the DOJ, we have reached an agreement in principle and have recorded legal settlement expense to reflect the anticipated payment to the DOJ if the settlement currently being negotiated is consummated. We also recorded an estimated amount of expense associated with attorneys’ fees that upon a final settlement would be paid to the private law firm that brought the original qui tam lawsuit. See Note 17, “Contingencies,” to our consolidated financial statements included in Part II, Item 8, “Financial Statements and Supplementary Data” of this Form 10-K for additional information. We expect that a final settlement with the DOJ, if it were to be completed, may include other material non-financial terms and conditions, including a civil settlement agreement. A variety of material issues remain subject to further negotiation and approval by us and the government before any binding resolution can be finalized, and additional accruals and expenses may be necessary following further negotiation. We cannot provide assurances that our efforts to reach a final settlement with the DOJ will be successful or, if they are, the timing or final terms of any such settlement. In addition, compliance with the terms of any such final settlement documents could impose significant costs and burdens on us. If we fail to comply with any such final settlement documents, the DOJ may impose substantial monetary penalties, exclude us from Medicare, Medicaid, and other federal healthcare programs, and/or bring administrative, civil or criminal charges against us, which could have a material adverse effect on our business, financial condition and results of operations. If a final agreement cannot be reached, the existing qui tam lawsuit will proceed to litigation and the DOJ may bring additional claims or other enforcement actions against us. These proceedings could lead to material fines, penalties, damages, and liabilities which could be substantial, as well as other material sanctions, and we would expect to incur significant costs in connection with such enforcement action and proceedings, regardless of the outcome. If any or all of these events occur, our business, financial condition and results of operations could be materially and adversely affected. Even if we were to reach a final settlement with the DOJ, such settlement or the conduct involved in the settlement may cause other governmental agencies to initiate investigations or proceedings, or may cause private parties such as shareholders, to threaten or initiate litigation, any of which could result in substantial and material fines, penalties, damages, expenses and/or liabilities, divert management’s attention from other business concerns and have a material adverse effect on our business, results of operations and financial condition. We may also be subject to negative publicity related to these matters that could harm our reputation, reduce demand for our solutions and services, result in employee attrition and negatively impact our stock price.

Risks Related to Our Operations, Products and Services

Our business is subject to data security risks and cyber-attacks, and if we are unable to safeguard the security and privacy of our client’s data, our services may be perceived as not being secure, clients may curtail or stop using our services, we may incur significant liabilities, and our reputation and business may be harmed. Our services involve the collection, storage, transmission and processing of clients’ proprietary and confidential information, including the personally identifiable and protected health information of our clients’ patients, as well as the personal and confidential information of our

16

Table of Contents

employees and others. Because of the sensitivity of this information, security features of our network, software, and systems are very important. Threat actors regularly attempt to gain access to our information and systems through various techniques. These threats include cyber attacks, the use of harmful malware or ransomware, security breaches, acts of vandalism or theft, (including by employees), computer viruses, misplaced or lost data, programming and/or human errors, power outages, protected health information leakage from implementing third-party technology to process and share data, hardware failures or other similar events. Furthermore our increased use of mobile and cloud technologies, including as a result of the shift to work-from-home arrangements resulting from the COVID-19 pandemic, has heightened these cybersecurity and privacy risks, including risks from cyber attacks such as phishing, spam emails, hacking, social engineering, and malicious software. We have expended and may continue to expend significant capital and other resources to protect against data incidents, cyber attacks, or security breaches or to alleviate or mitigate problems caused by data incidents, cyber attacks, or security breaches.

Despite our implementation of security and privacy measures designed to ensure data security and compliance with applicable laws and rules, our network, systems, and services are vulnerable to these threats. Because techniques used to attack or compromise our systems change frequently and generally are not recognized until launched against a target, we may be unable to anticipate these techniques or to implement adequate preventive security measures. Although we train and monitor our employees, it is possible that our employees may, intentionally or unintentionally, act in ways that create security vulnerabilities, present security risks to the network, or otherwise compromises our security measures and our systems. If our security measures are unable to safeguard our network, systems, and services, and the confidential, proprietary, personal, and protected health information stored and processed thereon, someone may be able to obtain unauthorized access to our network, systems, and software, as with the security incidents described below, and then employee, client, or patient data thereon. As a result, our reputation could be damaged, we could lose clients or business partners, our business may suffer, and we could face damages for contract breach, penalties for violation of applicable laws or regulations and significant costs for remediation and remediation efforts to prevent future occurrences, all of which could have a material adverse effect on our business, operations, and financial results.

We rely upon our clients as users of our system for key activities to promote security of the system and the data within it, such as administration of client-side access credentialing and control of client-side display of data. On occasion, our clients have failed to perform these activities. Failure of clients to perform these activities may result in claims against us that this reliance was misplaced, which could expose us to significant expense and harm to our reputation even though our policy is to enter into business associate agreements with our clients. In addition, our clients may authorize or enable third parties to access their client data or the data of their patients on our systems. Because we do not control such access, we cannot ensure the complete propriety of that access or integrity or security of such data in our systems.

Violations of state or federal privacy or data security laws may result in claims against us or may limit or prevent our use of data, which could harm our business. Certain health privacy laws, data breach notification laws, privacy laws, and consumer protection laws may apply directly to our business and/or those of our collaborators and may impose restrictions on our collection, use, storage, and dissemination of individuals’ personal information and protected health information. Patients about whom we obtain personal and health information, as well as the healthcare services clients who share this information with us, may have statutory or contractual rights that limit our ability to use and disclose the information. We may be required to expend significant capital and other resources to ensure ongoing compliance with applicable privacy and data security laws. Claims that we have violated individuals’ privacy rights, violated applicable privacy or data security laws and regulations or breached our contractual obligations, even if we are not found liable, could be expensive and time-consuming to defend and could result in adverse publicity that could harm our business. This could impair our functions, processes and databases that reflect, contain, or are based upon such data and may prevent use of such data. In addition, this could interfere with or prevent creation or use of rules and analyses or limit other data-driven activities that are beneficial to our business. Moreover, we may be subject to claims or liability for use or disclosure of information by reason of lack of valid notice, permission or waiver. These claims or liabilities could subject us to unexpected costs and adversely affect our operating results.

Data security incidents or security breaches could have numerous material adverse effects on our business and could result in significant liabilities, losses, and damages. In the course of our business operations, we collect, store, process, compile, and transmit confidential information, including personal information, patient health information, financial information and other sensitive information of our employees, our clients, and our clients’ patients. We also use third-party contractors to provide certain of these services, such as the service provides that host our technology platform. Although we train and monitor our employees and have systems and technical, physical, and administrative safeguards in place that we believe are reasonably designed to prevent and detect data security incidents and security breaches, we have no guarantee that these programs and controls will be adequate to prevent all possible security threats, cyber attacks, vulnerabilities, malfeasance, or errors. It is possible that our own employees, or that of our clients and vendors, may engage in conduct that compromises security or privacy.

Unauthorized access to or the compromise of our computer systems or data, or to the computer systems or data of our contractors, could result in the misappropriation or loss of assets or the disclosure of sensitive information, including any resulting from the incidents described below and in Note 17 to our audited financial statements, the corruption of data, disruption of our business operations, damage our reputation, reduce demand for our services, require us to devote financial and other resources to mitigate these breaches, subject us to litigation from our clients or shareholders, as well as actions by regulatory agencies, and result in damages being assessed against us.

17

Table of Contents

In addition, the other systems with which we may interface, such as the internet and related systems may be vulnerable to security breaches, viruses, malware, programming errors, or similar disruptive problems. The effect of these security breaches and related issues could also disrupt our ability to perform certain key business functions and could potentially reduce demand for our services. Accordingly, we have expended significant resources toward establishing and enhancing the security of our related infrastructures, although no assurance can be given that they will be entirely free from potential breach or compromise. Maintaining and enhancing our infrastructure security may require us to expend significant capital in the future.

The success of our strategy to offer our EDI services and SaaS solutions depends on the confidence of our clients in our ability to securely transmit confidential information. Our EDI services and SaaS solutions rely on encryption, authentication and other security technology licensed from third parties to achieve secure transmission of confidential information. We may not be able to stop unauthorized attempts to gain access to or disrupt the transmission of communications by our clients. Anyone who is able to circumvent our security measures could misappropriate or steal confidential user information or interrupt our, or our clients’, operations. In addition, our EDI and SaaS solutions may be vulnerable to viruses, malware, physical or electronic break-ins and similar disruptions.

High-profile security breaches, especially companies supporting the healthcare industry, have increased in recent years, and security industry experts and government officials have warned about the risks of hackers and cyber-attacks targeting information technology products and businesses. Although this is an industry-wide problem that affects other software and hardware companies, we may be targeted by computer hackers because we are a prominent healthcare information technology company and have high profile clients. These risks will increase as we continue to grow our cloud offerings, store and process increasingly large amounts of our clients’ confidential data, including personally identifiable and protected health information, and host or manage parts of our clients’ businesses in cloud-based/multi-tenant information technology environments. We use third party cloud providers in connection with our cloud-based offerings or third-party providers to host our own data, in which case we may have to rely on the processes, controls and security such third parties have in place to protect the infrastructure. Moreover, unauthorized access, acquisition, use, alteration, destruction, or disclosure of such sensitive information, including any resulting from the incidents described below, could result in civil or criminal liability or regulatory action, including potential fines and penalties.

The costs we have had to incur and which we could continue to incur to address any security incidents or security breaches increase our expenses, and our efforts to resolve these problems may not be successful and could result in interruptions, delays, cessation of service and loss of existing or potential clients that may impede our sales, development of solutions, provision of services, or other critical functions. If a cyberattack or other security incident were to allow unauthorized access to or unauthorized acquisition, use, modification, or disclosure of our clients’ or suppliers’ data, personal information or protected health information of patients, our own data, or our information technology systems (much like what occurred in the January and March 2023 incidents described below), or if our products or services are perceived as having security vulnerabilities, we could suffer significant damage to our brand and reputation. This could lead to fewer clients using our products or services and make it more difficult for us to obtain new clients, resulting in reduced revenue and earnings. These types of security incidents could also lead to lawsuits, regulatory investigations and claims, and increased legal liability, such as the lawsuits stemming from the March 2023 security incident as described below and in Note 17 to our audited financial statements.

On January 6, 2023, we became aware of unauthorized access to a limited part of the corporate NextGen Healthcare network, which, upon investigation, revealed that NextGen was the target of a sophisticated cyber attack. We immediately executed our internal response procedures and launched an in-depth forensic investigation with the help of leading third-party forensic experts. We also took measures to contain the threat and to successfully eradicate it from our network. Though our operations returned to normal in relatively short order, out of an abundance of caution, we notified any clients who were impacted by the disruption and incident. Because of the sophisticated nature of the cyber attack on our systems, our in-depth forensic investigation into the nature and full scope of the incident remains ongoing and we continue to perform a detailed and manual review and analysis of the data potentially impacted to understand if any personally identifiable information or protected health information was accessed without authorization during the attack. Impact to personally identifiable information or protected health information belonging to our employees, clients, or patients could trigger data breach notification obligations, which could result in lawsuits from impacted clients, patients, or employees, regulatory inquiries, significant damage to our reputation, loss of sales and clients, and other damages or losses.

Separately, on March 30, 2023, we were alerted to suspicious activity on our NextGen Office (NGO) system. In response, we executed our internal response procedures and launched a forensic investigation with the help of leading third-party forensic experts. We also took measures to contain the incident and contacted law enforcement. From our forensic investigation, we determined that an unknown third-party gained unauthorized access to a limited set of electronically stored personal information on the NGO system between March 29, 2023 and April 14, 2023. We also determined that the unknown third-party accessed the NGO system by using NGO client credentials that appeared to have been stolen from sources or incidents unrelated to us, and then used those credentials to access the NGO system. We performed an analysis and review of the impacted data and discovered that certain personal information belonging to approximately 1 million patients was included in the electronic data accessed during the incident. The information impacted included: name, date of birth, address, and social security number. However, there was no evidence to suggest there was any access or impact to any protected health information or any medical records. On April 28, 2023, we sent written notification to all impacted individuals and offered them 24 months of free fraud detection monitoring and identity theft protection. We also directly notified impacted NGO clients as well as state regulatory authorities and the three credit bureaus.

18

Table of Contents

Following our notification of the data breach, we were named as a defendant in thirteen putative class action lawsuits in the United States District Court for the Northern District of Georgia, all of which assert various claims stemming from the data breach and NextGen Healthcare’s alleged failure to safeguard personal information. These lawsuits seek monetary damages, injunctive and declaratory relief, and attorneys’ fees and costs. We believe we have meritorious defenses to these actions and intend to vigorously oppose the claims asserted in these complaints. We cannot reasonably estimate the range of potential losses that may be associated with these lawsuits because of the early stage of each lawsuit. We also cannot assure you that we will not become subject to other lawsuits, inquiries, or claims relating to or arising from the March incident. Although we maintain cyber-technology liability insurance, it is possible that the ultimate amount paid by us, if we are unsuccessful in defending all of the litigation, will be in excess of our cyber-technology liability insurance coverage applicable to claims of this nature.

Furthermore, even though we carry cyber-technology insurance policies that provide insurance coverage under certain circumstances, we may suffer other losses and costs as a result of the security incidents described above or other security incidents or security breaches that exceed the coverage available under our insurance policies or for which we do not have coverage. In the future, such insurance may not be available on commercially reasonable terms, or at all. Our risk and exposure to these matters remains heightened because of, among other things, the value of healthcare-related data and the interconnectivity and interdependence of third parties to our systems. In addition, publicity related to security incidents, including the security incidents described above, could in the future have a range of other adverse effects on our business or prospects, including causing or contributing to loss of customer confidence, reduced customer demand, reduced customer retention, strategic growth opportunities, and associated retention and recruiting difficulties, some, or all of which could be material.

The occurrence of actual cyber security events, such as the security incidents described above, could magnify the severity of the adverse effects of future incidents on our business. Because the techniques used to obtain unauthorized access, disable, or degrade service, or sabotage information systems can be difficult to detect for extended periods of time and can involve difficult or prolonged assessment or remediation periods even once detected, there can be no assurance that the steps we take in response to an incident, including the security incidents identified above, will be sufficient to prevent future significant incidents. As threats continue to evolve and increase, we have already devoted and expect to continue to devote significant resources in order to modify and enhance our security controls and to identify and remediate any security vulnerabilities. Our risk and exposure to these matters remains heightened because of, among other things, the value of healthcare-related data and the interconnectivity and interdependence of third parties to our systems.

We may experience interruption at our data centers or client support facilities, which could interrupt clients’ access to their data, exposing us to significant costs and reputational harm. We perform data center and/or hosting services for certain clients, including the storage of critical patient and administrative data and the provision of support services, at company-managed facilities and through third party hosting arrangements with public cloud providers. We also use public cloud providers and other third parties in connection with hosting our own data. While we control and generally have exclusive access to our servers and all of the components of our network that are located in our external data centers, we do not control the operation of these facilities and they may be vulnerable to damage or interruption from hurricanes, earthquakes, floods, fires, power loss telecommunications failures and similar events. Likewise, our use of a single cloud vendor could increase our exposure to interruptions if the vendor were to experience a catastrophic event impacting its service offering. System redundancy, disaster recovery and other continuity measures may be inadequate. Any interruption, damage or breach of our systems or with those of third parties on which we rely, such as our cloud service providers, could damage our reputation, cause us to lose existing clients, hurt our ability to obtain new clients, result in significant revenue loss, create potential liabilities for our clients and us and increase insurance and other operating costs.

Our business depends on continued and unimpeded access to the internet and we rely on bandwidth providers, data center providers, and other third parties over which we exercise limited control. We deliver products and services that are dependent on the development and maintenance of the infrastructure of the internet and other telecommunications services by third parties. Any failure or interruption in the services provided by these third parties or our own systems, or any failure of or by third-party providers’ systems or our own systems to handle current or higher volume of use, could significantly harm our business. We exercise limited control over our third-party suppliers, which increases our vulnerability to problems with services they provide. In the event of any difficulties, outages and delays by internet service providers, we may be impeded from providing services, which could result in substantial costs to remedy those problems or negatively impact our relationship with our clients, our business, results of operations and financial condition.

Our products or services could fail to perform properly due to errors or similar problems which could have an adverse effect on our business, results of operations and financial condition. Our products and services, and the third-party software products or services incorporated therein, may contain defects or errors, including errors in the design, coding, implementation, or configuration, which could create vulnerabilities and affect the ability of our products and services to properly function, integrate or operate with other offerings, or achieve market acceptance. This includes third-party software products or services incorporated into our own solutions and services. Errors and defects in our products and services can also result in data loss or corruption or cause the information that we collect to be incomplete or inaccurate. In addition, errors may arise from interface of our solutions with systems and data that we did not develop and the function of which is outside our control or undetected in our testing. As a result, when problems occur, it may be difficult to identify the source of the problem. It is possible that errors may be found after introduction of new products or services or enhancements to existing products or services. If we detect errors before we introduce a solution, we may have to delay deployment for an extended

19

Table of Contents

period while we address the problem. If we do not discover errors until after deployment, we may need to provide enhancements to correct such errors. Remediating product defects and errors could consume our development and management resources. Quality or performance issues with our products and services may result in product-related liabilities, unexpected expenses, and diversion of resources to remedy errors, harm to our reputation, lost sales, delays in commercial releases, delays in or loss of market acceptance of our solutions, license termination or renegotiations, and privacy or security vulnerabilities. Any of the foregoing could materially and adversely impact our reputation as well as our business, financial condition, and operating results.

We may be liable for use of content we provide. We provide content for use by healthcare providers in treating patients. Certain of this content is provided by third-party content suppliers. In addition, certain of our solutions provide applications that relate to patient clinical information. If this content is incorrect or incomplete, adverse consequences may occur and give rise to third party claims based on the nature and content of health information provided or made available through our solutions. We could also be subject to liability for content that may be accessible through our website or third-party websites linked from our website or through content and information that may be posted by users in chat rooms, bulletin boards or on websites created by professionals using our applications. Even if these claims do not result in liability to us, investigating and defending against these claims could be expensive and time consuming and could divert management’s attention away from our operations.

We may be subject to claims for system errors, warranties, or product liability, which could have an adverse effect on our business, results of operations and financial condition. Because our products and services are used in clinical settings to collect, store and display health-related information used in the diagnosis and treatment of patients and for related practice management purposes, such as admissions and billing, our clients and users of our systems have a heightened sensitivity to errors and defects. If our products or services are alleged to have contributed to faulty clinical decisions, injury to patients or negative financial impact to clients, we might be subject to claims or litigation by our clients or their patients. Any failure by our products to provide accurate and timely information concerning patients, their medication, treatment, and health status, generally, could result in claims against us which could materially and adversely impact our financial performance, industry reputation and ability to market new system sales. In addition, a court or government agency may take the position that our delivery of health information directly, including through licensed practitioners, or delivery of information by a third-party site that a consumer accesses through our websites, exposes us to assertions of malpractice, other personal injury liability, or other liability for wrongful delivery/handling of healthcare services or erroneous health information. We maintain insurance to protect against claims associated with the use of our products as well as liability limitation language in our end-user agreements, but there can be no assurance that our insurance coverage or contractual language would adequately cover any claim asserted against us. A successful claim or series of claims brought against us in excess of or outside of our insurance coverage could have an adverse effect on our business, results of operations and financial condition. Even unsuccessful claims could result in our expenditure of funds for litigation and management time and resources.

We are subject to the effect of payer and provider conduct which we cannot control and accordingly, there is no assurance that revenue for our services will continue at historic levels. We offer certain electronic claims submission products and services as part of our product line. While we have implemented certain product features designed to maximize the accuracy and completeness of claims submissions, these features may not be sufficient to prevent inaccurate claims data from being submitted to payers. Should inaccurate claims data be submitted to payers, we may be subject to liability claims. Electronic data transmission services are offered by certain payers to healthcare providers that establish a direct link between the provider and payer. This process reduces revenue to third party EDI service providers such as us. A significant increase in the utilization of direct links between providers and payers would reduce the number of transactions that we process and for which we are paid, resulting in a decrease in revenue and an adverse effect on our financial condition and results of operations.

We face risks related to the periodic maintenance and upgrades that need to be made to our products. As we continue to develop and improve upon our technology and offerings, we need to periodically upgrade and maintain the products deployed to our clients. This process can require a significant amount of our internal time and resources and be complicated and time consuming for our clients. Certain upgrades may also pose the risk of system delays or failure. If our periodic upgrades and maintenance cause disruptions to our clients, we may lose revenue-generating transactions, our clients may elect to use other solutions and we may also be the subject of negative publicity that may adversely affect our business and reputation.

Our failure to obtain licenses for, or our use of, third-party technologies and services could harm our business. We depend upon licenses for some of the technology used in our products as well as other services from third party vendors. Most of these arrangements can be continued/renewed only by mutual consent and may be terminated for any number of reasons. We may not be able to continue using the products or services made available to us under these arrangements on commercially reasonable terms or at all. As a result, we may have to discontinue, delay, or reduce product shipments or services provided until equivalent technology or services can be identified, licensed, developed, or integrated, and this inability could harm our business and operating results. Most of our third-party licenses are non-exclusive. Our competitors may obtain the right to use any of the business elements covered by these arrangements and use these elements to compete directly with us. Our use of third-party technologies also exposes us to increased risks, including risks associated with the integration of new technology into our solutions, the diversion of our resources from development of our own proprietary technology and our inability to generate revenue from third-party technologies and services sufficient to offset associated costs which would negatively impact our results of operations. Further, the operation of our products would be impaired if errors occur in third

20

Table of Contents

party technology or content that we incorporate, and we may incur additional costs to repair or replace the defective technology or content. It may be difficult for us to correct any errors in third party products because the products are not within our control.

Regulatory, Legal and Compliance Risks

There is significant uncertainty in the healthcare industry in which we operate, and the current governmental laws and regulations, as well as any future modifications to the regulatory environment, may adversely impact our business, financial condition, and results of operations. The healthcare industry is subject to changing political, economic, legal, and regulatory influences that may affect the procurement processes and operation of healthcare facilities and our costs to deliver products and services that enable our clients to meet their compliance requirements. During the past decade, the healthcare industry has been subject to increased legislation and regulation of, among other things, reimbursement rates, payment programs and information technology programs and certain capital expenditures. These health reform laws contain various provisions which impact us and our clients. Some of these provisions have a positive impact, by expanding the use of electronic health records in certain federal programs, for example, while others, such as reductions in reimbursement for certain types of providers, have a negative impact due to fewer available resources. The continued increase in fraud and abuse penalties is expected to adversely affect participants in the healthcare sector, including us. The full impact of healthcare reform legislation and of further statutory actions to reform healthcare payment on our business is unknown, but there can be no assurance that health care reform legislation will not adversely impact either our operational results or the manner in which we operate our business.

As existing regulations mature and become better defined, we anticipate that these regulations will continue to directly affect certain of our products and services, but we cannot fully predict the effect at this time. Healthcare providers may react to these laws and any future proposals, and the uncertainty surrounding such proposals, by curtailing or deferring investments, including those for our products and services. Our efforts to provide solutions that enable our clients to comply with these regulations could be time consuming and expensive and may adversely affect our business model. We have taken steps to modify our products, services, and internal practices as necessary to facilitate our compliance with the regulations, but there can be no assurance that we will be able to do so in a timely or complete manner. Achieving compliance with these regulations could be costly and distract management’s attention and divert other company resources, and any noncompliance by us could result in civil and criminal penalties.

The healthcare industry is heavily regulated and our failure to comply with regulatory requirements could create liability for us and adversely affect our business. As a participant in the healthcare industry, our business, and that of our clients, is subject to a wide array of complex and rapidly changing federal and state laws, regulations, and industry initiatives, including in the areas of information sharing, electronic health record and interoperability standards, e-prescribing, claims processing and transmission, security and privacy of patient data, and healthcare fraud, including laws prohibiting the submission of false or fraudulent claims which apply to healthcare providers and others that make, offer, seek or receive referrals or payments for products or services that may be paid for through any federal or state healthcare program and, in some instances, any private program. These laws are complex and their application to our specific services and relationships may not be clear and may be applied to our business in ways that we do not anticipate. The impact of these regulations on us is both direct, to the extent that we are ourselves subject to these laws and regulations, and also indirect, in terms of government program requirements applicable to our clients for the use of health information technology. Federal and state regulatory and law enforcement authorities have recently increased enforcement activities with respect to Medicare and Medicaid fraud and abuse regulations and other healthcare reimbursement laws and rules. Increases in fraud and abuse penalties may also adversely affect participants in the health care sector, including us.

Other specific risks include, but are not limited to, risks relating to:

Privacy and Security of Patient Information. As part of the operation of our business, we and our third-party service providers collect, process and store significant amounts of sensitive, confidential, and proprietary information, including personally identifiable information, such as payment data and protected health information. U.S. federal, state and local laws and foreign legislation govern the confidentiality of personal and patient medical record information, how that information may be used, and the circumstances under which such information may be released. These regulations govern both the disclosure and use of confidential personal and patient medical record information and require the users of such information to implement specified security and privacy measures. HIPAA regulations apply national standards for some types of electronic health information transactions and the data elements used in those transactions to ensure the integrity, security and confidentiality of health information and standards to protect the privacy of individually identifiable health information and require us to enter into business associate agreements with our clients and vendors. Failure by us to enter into adequate business associate agreements with any client or vendor would place us in violation of applicable standards and requirements and could expose us to liability. We and our clients are also subject to evolving state laws regarding the privacy and security of healthcare information and personal information generally. These rules, and any future changes to privacy and security rules, may increase the cost of compliance and could subject us to additional enforcement actions, which could further increase our costs and adversely affect the way in which we do business.

Foreign regulations, including the EU General Data Protection Regulation (“GDPR”), may impose restrictions on the processing of personal data (including health-data) that, in some respects, are more stringent, and impose more significant burdens on subject businesses, than current privacy standards in the United States. In non-U.S. jurisdictions, we also are

21

Table of Contents

subject to potential restrictions on cross-border transfers of personal data to the United States as well as other countries where we have operations or partnerships.

Data protection regulations impact how businesses, including both us and our clients, can collect and process the personal data of individuals. The costs of compliance with, and other burdens imposed by, such laws, regulations and policies, or modifications thereto, that are applicable to us may limit the use and adoption of our products and services and could have a material adverse impact on our business, results of operations and financial condition. Furthermore, we incur development, resource, and capital costs in delivering, updating, and supporting products and services to enable our clients to comply with these varying and evolving standards. Federal, state and non-U.S. governmental enforcement personnel have substantial powers and remedies, particularly in the EU, to pursue suspected or perceived violations. If we fail to comply with any applicable laws or regulations, we could be subject to civil penalties, sanctions and contract liability and could otherwise damage our reputation. Enforcement investigations, even if meritless, could have a negative impact on our reputation, cause us to lose existing clients or limit our ability to attract new clients.

In addition to data privacy and security laws, we are contractually subject to industry standards adopted by industry groups and may become subject to such obligations in the future. For example, the PCI DSS requires companies to adopt certain measures to ensure the security of cardholder information, including using and maintaining firewalls, adopting proper password protections for certain devices and software, and restricting data access.

We may be subject to false or fraudulent claim laws. There are numerous federal and state laws that forbid submission of false information or the failure to disclose information in connection with submission and payment of physician claims for reimbursement. In some cases, these laws also forbid abuse of existing systems for such submission and payment. Any failure of our revenue cycle management services to comply with these laws and regulations could result in substantial liability including, but not limited to, criminal liability, could adversely affect demand for our services and could force us to expend significant capital, research and development and other resources to address the failure. Errors by us or our systems with respect to entry, formatting, preparation or transmission of claim information may be determined or alleged to be in violation of these laws and regulations. Determination by a court or regulatory agency that our services violate these laws could subject us to civil or criminal penalties, invalidate all or portions of some of our client contracts, require us to change or terminate some portions of our business, require us to refund portions of our services fees, cause us to be disqualified from serving clients doing business with government payers and have an adverse effect on our business. Determination by a court that we have violated the FCA may subject us to treble damages, plus mandatory civil penalties for each separate false claim. Even if these matters are not resolved against us, the uncertainty and expense associated with unresolved legal proceedings could harm our business and reputation. It is possible that resolution of one or any combination of more than one legal matter could result in a material adverse impact on our financial position or results of operations.

In most cases where we are permitted to do so, we calculate charges for our revenue cycle management services based on a percentage of the collections that our clients receive as a result of our services. To the extent that violations or liability for violations of these laws and regulations require intent, it may be alleged that this percentage calculation provides us or our employees with incentive to commit or overlook fraud or abuse in connection with submission and payment of reimbursement claims. CMS has stated that it is concerned that percentage-based billing services may encourage billing companies to commit or to overlook fraudulent or abusive practices.

A portion of our business involves billing of Medicare claims on behalf of its clients. In an effort to combat fraudulent Medicare claims, the federal government offers rewards for reporting of Medicare fraud which could encourage others to subject us to a charge of fraudulent claims, including charges that are ultimately proven to be without merit.

Additionally, under the FCA, the federal government allows private individuals to file a complaint or otherwise report actions alleging the defrauding of the federal government by an entity. These suits, known as qui tam actions or “whistleblower” suits may be brought by, with only a few exceptions, any private citizen who believes that he has material information of a false claim that has not been previously disclosed. If the federal government intervenes, the individual that filed the initial complaint may share in any settlement or judgment. If the federal government does not intervene in the action, the whistleblower plaintiff may pursue its allegation independently. Some states have adopted similar state whistleblower and false claims provisions. Qui tam actions under the FCA and similar state laws may lead to significant fines, penalties, settlements or other sanctions, including exclusion from Medicare or other federal or state healthcare programs, which could result in a material adverse impact on our financial position or results of operations

Interoperability and Other Regulatory Standards. Our clients are concerned with and often require that our software solutions and health care devices be interoperable with other third-party health care information technology suppliers. The Cures Act includes numerous provisions intended to encourage this nationwide interoperability. In March 2020, the ONC finalized additional regulations under the Cures Act to enforce the Act’s policy directives relating to data sharing and interoperability. Specifically, it calls on developers of certified EHRs and health IT products to adopt standardized application programming interfaces (“APIs”), which will help allow individuals to securely and easily access structured and unstructured EHI formats using smartphones and other mobile devices. This provision and others included in the rule create a lengthy list of new certification and maintenance of certification requirements that developers of EHRs and other health IT products must meet in order to maintain approved federal government certification status. Meeting and maintaining this certification status will require additional development costs. Other regulatory provisions included in the Cures Act could create compliance costs and/or regulatory risks for the company.

22

Table of Contents

Because these regulations are subject to future changes and/or significant enforcement discretion by federal agencies, the ultimate impact of these regulations is unknown. Market forces or governmental authorities could continue to create software interoperability or other regulatory standards that could apply to our solutions, and if our applicable products or services are not consistent with those standards, we could be forced to incur substantial additional development costs. If our applicable products or services are not consistent with these varying and evolving standards or do not support our clients in their efforts to meet new certification requirements, our market position and sales could be adversely affected, which could materially and adversely impact our financial condition and operating results.

The ONC rule also implements the information blocking provisions of the Cures Act, including identifying reasonable and necessary activities that do not constitute information blocking. Under the Cures Act, the HHS has the regulatory authority to investigate and assess civil monetary penalties of up to $1,000,000 against certified health IT developers found to be in violation of “information blocking” prohibitions. This new oversight and authority to investigate claims of information blocking creates significant risks for us and our clients and could potentially create substantial new compliance costs.

Federal Requirements for the Use of Certified Health Information Technology. Various federal, state and non-government agencies continue to generate requirements for the use of certified health information and technology and interoperability standards which affect the design of such technology. Although the incentive programs available to healthcare providers who implemented EHRs and demonstrated meaningful use under the HITECH Act has expired, the requirements associated with certification and privacy remain in effect. In addition, the Cures Act has tied CEHRT to certain of its policy goals, and participation in Medicare’s alternative payment models has also been conditioned on the adoption of CEHRT. These regulations will also mandate adoption of updated and expanded certified capabilities of CEHRT that our clients must adopt to remain able to participate in the federal programs mentioned earlier. In addition, the ONC has increased its surveillance activities concerning vendor compliance relative to CEHRT.

Where clients have relied on our software as being certified according to applicable HITECH Act technical standards, we may face liability related to any incentive that the physicians received in reliance upon such certification if this certification were to be challenged. Failure to maintain this certification under the HITECH Act could also jeopardize our relationships with customers who are relying upon us to provide certified software and will make our products and services less attractive to customers than the offerings of other EHR vendors who maintain certification of their products. If our clients do not receive or lose expected payments from other incentive pay for value programs this could harm or delay their willingness to purchase future products or upgrades. We also cannot predict the speed at which healthcare providers will participate in the relevant programs or whether healthcare providers will select our products and services at all.

It is also possible that additional regulations or government programs related to electronic health records, amendment or repeal of current healthcare laws and regulations or the delay in regulatory implementation could require us to undertake additional efforts to meet expanded CEHRT standards, materially impact our ability to compete in the evolving healthcare IT market, materially impact healthcare providers' decisions to implement electronic health records systems or have other impacts that would be unfavorable to our business. The costs of achieving and maintaining CEHRT are also significant and because the definition of CEHRT and its use requirements for clients are subject to regulatory changes. We cannot predict the content or effect of possible changes to these laws or new federal and state laws that might govern these systems and services. Our inability to design our systems and services in a manner that facilitates our clients’ compliance with these laws could result in a material adverse impact on our financial position or results of operations.

Electronic Prescribing. The use of our software by physicians to perform a variety of functions, including electronic prescribing, is governed by state and federal law, including fraud and abuse laws. States have differing prescription format requirements and there is significant variation in the laws and regulations governing prescription activity, as federal law and the laws of many states permit the electronic transmission of certain controlled prescription orders, while the laws of several states neither specifically permit nor specifically prohibit the practice. Restrictions exist at the federal level on the use of electronic prescribing for controlled substances and certain other drugs. Some states have passed complementary laws governing the use of electronic prescribing tools in the use of prescribing opioids and other controlled substances, and we expect this to continue to be addressed with regulations in other states. Regulations in this area impose certain requirements which can be burdensome and evolve regularly and may adversely affect our business model.

FDA Regulation of Software as a Medical Device. The U.S. Food and Drug Administration (“FDA”) may in the future determine that our technology solutions are subject to the Federal Food, Drug, and Cosmetic Act. The December 2016 Cures Act clarified the definition of a medical device to exclude certain health information technology such as EHRs; however, the legislation did leave the opportunity for that designation to be revisited if determined to be necessary by changing industry and technological dynamics. As a result, our software may potentially be subject to regulation by the FDA as a medical device. Regulation of our software by the FDA as a medical device would require the registration of the applicable manufacturing facility and software and hardware products, application of detailed record-keeping and manufacturing standards, application of the medical device excise tax, and FDA approval or clearance prior to marketing. An approval or clearance requirement could create delays in marketing, and the FDA could require supplemental filings or object to certain of these applications, the result of which could adversely affect our business, financial condition and results of operations.

Proprietary rights are material to our success, and the misappropriation of these rights could adversely affect our business and our financial condition. We are dependent on the maintenance and protection of our intellectual property, and we rely largely on technical security measures, license agreements, confidentiality procedures and employee nondisclosure agreements to protect our intellectual property. The majority of our software is not patented, and existing copyright laws offer

23

Table of Contents

only limited protection. We may not be able to adequately protect against theft, copying, reverse engineering, misappropriation, infringement or unauthorized use or disclosure of our intellectual property, which could have an adverse effect on our competitive position. Further, the laws of some foreign countries do not protect our proprietary rights to as great an extent as do the laws of the United States and are often not enforced as vigorously as those in the United States.

If we are deemed to infringe on the proprietary rights of third parties, we could incur unanticipated expense and be prevented from providing our products and services. We are occasionally involved in intellectual property infringement or misappropriation claims. These claims, even if unmeritorious, are expensive to defend and are often incapable of prompt resolution. If we are unsuccessful in defending these claims, we could be required to pay a substantial damage award, develop alternative technology, obtain a license, or cease using, selling, offering for sale, licensing, implementing, or supporting the applicable technology. In addition, claims may be brought against third parties from which we purchase software, and such claims could adversely affect our ability to access third party software for our systems.

We face the risks and uncertainties that are associated with litigation and investigations, which may adversely impact our marketing, distract management and have a negative impact upon our business, results of operations and financial condition. We face the risks associated with litigation and investigations concerning the operation of our business, including claims by clients regarding product and contract disputes, by patients relating to the processing and hosting of their personally identifiable information and protected health information, by other third parties asserting infringement of intellectual property rights, by current and former employees regarding certain employment matters, by certain shareholders, and by governmental and regulatory bodies for failures to comply with applicable laws. The uncertainty associated with substantial unresolved disputes may have an adverse effect on our business. In particular, such disputes could impair our relationships with existing clients and our ability to obtain new clients. Defending litigation and investigative matters may require substantial cost and may result in a diversion of management's time and attention away from business operations, which could have an adverse effect on our business, results of operations and financial condition.

We face risks related to litigation advanced by a former director and shareholder of ours. On October 7, 2013, a complaint was filed against our Company and certain of our officers and directors by Ahmed Hussein, a former director and significant shareholder of our Company. The amended complaint generally alleges fraud and deceit, constructive fraud, negligent misrepresentation and breach of fiduciary duty in connection with statements made to our shareholders regarding our financial condition and projected future performance. The amended complaint seeks actual damages, exemplary and punitive damages and costs. Trial commenced on July 6, 2021. On July 29, 2021, a jury rendered a verdict in favor of the Company and the individual defendants on all counts. Plaintiff has appealed the jury verdict. See Note 16, “Commitments, Guarantees and Contingencies,” to our consolidated financial statements included in Part II, Item 8, “Financial Statements and Supplementary Data” of this Form 10-K for additional information.

Capital and Credit Risks

Our credit agreement contains restrictive and financial covenants that may limit our operational flexibility. If we fail to meet our obligations under the credit agreement, our operations may be interrupted, and our business and financial results could be adversely affected. On March 12, 2021, we entered into a revolving credit agreement with various lenders, secured by substantially all of our and our material domestic subsidiaries’ existing and future property. The credit agreement and potential subsequent amendments may include certain customary covenants that impose restrictions on our business and financing activities that could limit our operations or flexibility to take certain actions. The credit agreement also contains certain customary affirmative covenants requiring us to maintain specified levels of financial performance. Our ability to comply with these covenants may be affected by events that could be beyond our control. A breach of these covenants could result in an event of default under the credit agreement which, if not cured or waived, could result in the indebtedness becoming immediately due and payable, which in turn could result in material adverse consequences that negatively impact our business, the market price for our common stock, and our ability to obtain financing in the future. In addition, our credit agreement’s covenants, consent requirements, and other provisions may limit our flexibility to pursue or fund strategic initiatives or acquisitions that might be in the long-term interests of our Company and shareholders.

Our indebtedness and liabilities could limit the cash flow available for our operations, expose us to risks that could adversely affect our business, financial condition and results of operations and impair our ability to satisfy our obligations under the Convertible Notes. Our indebtedness could have significant negative consequences for our security holders and our business, results of operations and financial condition by, among other things:

24

Table of Contents

Our business may not generate sufficient funds, and we may otherwise be unable to maintain sufficient cash reserves, to pay amounts due under our indebtedness, including the Convertible Notes, and our cash needs may increase in the future. In addition, our existing Credit Agreement contains, and any future indebtedness that we may incur may contain, financial and other restrictive covenants that limit our ability to operate our business, raise capital or make payments under our other indebtedness. If we fail to comply with these covenants or to make payments under our indebtedness when due, then we would be in default under that indebtedness, which could, in turn, result in that and our other indebtedness becoming immediately payable in full.

We may be unable to raise the funds necessary to repurchase the Convertible Notes for cash following a fundamental change, or to pay the cash amounts due upon conversion, and our other indebtedness may limit our ability to repurchase the Convertible Notes or pay cash upon their conversion. Noteholders may, subject to a limited exception, require us to repurchase their Convertible Notes following a fundamental change (as defined in the Convertible Note Indenture) at a cash repurchase price generally equal to the principal amount of the Convertible Notes to be repurchased, plus accrued and unpaid interest, if any. In addition, all conversions of Convertible Notes will be settled partially or entirely in cash. We may not have enough available cash or be able to obtain financing at the time we are required to repurchase the Convertible Notes or pay the cash amounts due upon conversion. In addition, applicable law, regulatory authorities and the agreements governing our other indebtedness may restrict our ability to repurchase the Convertible Notes or pay the cash amounts due upon conversion. Our existing Credit Agreement contains certain limitations on cash payments for the conversion, redemption or repurchase of the Convertible Notes, including compliance with certain leverage ratios on a pro forma basis after giving effect to such cash payments. Our failure to repurchase Convertible Notes or pay the cash amounts due upon conversion when required will constitute a default under the Convertible Note Indenture. A default under the Convertible Note Indenture or the fundamental change itself could also lead to a default under agreements governing our other indebtedness, which may result in that other indebtedness becoming immediately payable in full. We may not have sufficient funds to satisfy all amounts due under the other indebtedness and the Convertible Notes.

Provisions in the Convertible Note Indenture could delay or prevent an otherwise beneficial takeover of us. Certain provisions in the Convertible Notes and the Convertible Note Indenture could make a third-party attempt to acquire us more difficult or expensive. For example, if a takeover constitutes a fundamental change, then noteholders will have the right to require us to repurchase their Convertible Notes for cash. In addition, if a takeover constitutes a make-whole fundamental change, then we may be required to temporarily increase the conversion rate. In either case, and in other cases, our obligations under the Convertible Notes and the Convertible Note Indenture could increase the cost of acquiring us or otherwise discourage a third party from acquiring us or removing incumbent management, including in a transaction that noteholders or holders of our common stock may view as favorable.

The accounting method for the Convertible Notes could adversely affect our reported financial condition and results. The accounting method for reflecting the Convertible Notes on our balance sheet, accruing interest expense for the Convertible Notes and reflecting the underlying shares of our common stock in our reported diluted earnings per share may adversely affect our reported earnings and financial condition. In accordance with ASU 2020-06, we expect that the Convertible Notes will be reflected as a liability on our balance sheets, with the initial carrying amount equal to the principal amount of the Convertible Notes, net of issuance costs. The issuance costs will be treated as a debt discount for accounting purposes, which will be amortized into interest expense over the term of the Convertible Notes. As a result of this amortization, the interest expense that we expect to recognize for the Convertible Notes for accounting purposes will be greater than the cash interest payments we will pay on the Convertible Notes, which will result in lower reported income. In addition, we expect that the shares underlying the Convertible Notes will be reflected in our diluted earnings per share using the “if converted” method, in accordance with ASU 2020-06. Under that method, if the conversion value of the Convertible Notes exceeds their principal amount for a reporting period, then we will calculate our diluted earnings per share assuming that all of the Convertible Notes were converted at the beginning of the reporting period and that we issued shares of our common stock to settle the excess. However, if reflecting the Convertible Notes in diluted earnings per share in this manner is anti-dilutive, or if the conversion value of the Convertible Notes does not exceed their principal amount for a reporting period, then the shares underlying the Convertible Notes will not be reflected in our diluted earnings per share. The application of the if-converted method may reduce our reported diluted earnings per share, and accounting standards may change in the future in a manner that may adversely affect our diluted earnings per share. Furthermore, if any of the conditions to the convertibility of the Convertible Notes is satisfied, then we may be required under applicable accounting standards to reclassify the liability carrying value of the Convertible Notes as a current, rather than a long-term, liability. This reclassification could be required even if no noteholders convert their Convertible Notes and could materially reduce our reported working capital.

Uncertainty in global economic and political conditions may negatively impact our business, operating results or financial condition. Global economic and political uncertainty have caused in the past, and may cause in the future, unfavorable business conditions such as a general tightening in the credit markets, lower levels of liquidity, increases in the rates of default and bankruptcy and extreme volatility in credit, equity and fixed income markets. These macroeconomic conditions could negatively affect our business, operating results or financial condition in a number of ways. Instability can make it difficult for our clients, our vendors, and us to accurately forecast and plan future business activities and could cause constrained spending on our products and services, delays and a lengthening of our sales cycles and/or difficulty in collection of our accounts receivable. Current or potential clients may be unable to fund software purchases, which could cause them to

25

Table of Contents

delay, decrease or cancel purchases of our products and services or to not pay us or to delay paying us for previously purchased products and services. Our clients may cease business operations or conduct business on a greatly reduced basis. Bankruptcies or similar insolvency events affecting our clients may cause us to incur bad debt expense at levels higher than historically anticipated. Further, economic instability could limit our ability to access the capital markets at a time when we would like, or need, to raise capital, which could have an impact on our ability to react to changing business conditions or new opportunities. Finally, our investment portfolio is generally subject to general credit, liquidity, counterparty, market and interest rate risks that may be exacerbated by these and global financial conditions and other geopolitical factors, including as a result of the Russian invasion of Ukraine and continuing uncertainty surrounding the effects of Covid-19. If the banking system or the fixed income, credit or equity markets deteriorate or remain volatile, our investment portfolio may be impacted and the values and liquidity of our investments could be adversely affected as well. In addition, our compliance with complex foreign and United States laws and regulations that apply to our global operations and sales efforts increases our cost of doing business.

Tax, Finance and Accounting Related Risks

We are subject to changes in and interpretations of financial accounting matters that govern the measurement of our performance, one or more of which could adversely affect our business, financial condition, cash flows, revenue, results of operations, and debt covenant compliance. Based on our reading and interpretations of relevant guidance, principles or concepts issued by, among other authorities, the American Institute of Certified Public Accountants, the Financial Accounting Standards Board and the Commission, we believe our current business arrangements, transactions, and related estimates and disclosures have been properly reported. However, there continue to be issued interpretations and guidance for applying the relevant standards to a wide range of sales and licensing contract terms and business arrangements that are prevalent in the software industry. Future interpretations or changes by the regulators of existing accounting standards or changes in our business practices could result in changes in our revenue recognition and/or other accounting policies and practices that could adversely affect our business, financial condition, cash flows, revenue and results of operations. In addition, changes in accounting rules could alter the application of certain terms in our credit agreement, thereby impacting our ability to comply with our debt covenants.

Failure to maintain effective internal controls in accordance with Section 404 of the Sarbanes-Oxley Act of 2002 could have an adverse effect on our business, and our per share price may be adversely affected. Pursuant to Section 404 of the Sarbanes-Oxley Act of 2002 (“Section 404”) and the rules and regulations promulgated by the SEC to implement Section 404, we are required to include in our Form 10-K a report by our management regarding the effectiveness of our internal control over financial reporting. The report includes, among other things, an assessment of the effectiveness of our internal control over financial reporting. The assessment must include disclosure of any material weakness in our internal control over financial reporting identified by management. As part of the evaluation undertaken by management and our independent registered public accountants pursuant to Section 404, our internal control over financial reporting was effective as of our most recent fiscal year end. However, if we fail to maintain an effective system of disclosure controls or internal controls over financial reporting, we may discover material weaknesses that we would then be required to disclose. Any material weaknesses identified in our internal controls could have an adverse effect on our business. We may not be able to accurately or timely report on our financial results, and we might be subject to investigation by regulatory authorities. This could result in a loss of investor confidence in the accuracy and completeness of our financial reports, which may have an adverse effect on our stock price. No evaluation process can provide complete assurance that our internal controls will detect and correct all failures within our company to disclose material information otherwise required to be reported. The effectiveness of our controls and procedures could also be limited by simple errors or faulty judgments. In addition, if we continue to expand, through either organic growth or through acquisitions (or both), the challenges involved in implementing appropriate controls will increase and may require that we evolve some or all of our internal control processes. It is also possible that the overall scope of Section 404 may be revised in the future, thereby causing ourselves to review, revise or reevaluate our internal control processes which may result in the expenditure of additional human and financial resources.

Our software products are generally shipped as orders are received and accordingly, we have historically operated with a minimal backlog of license fees. As a result, a portion of our revenue in any quarter is dependent on orders booked and shipped in that quarter and is not predictable with any degree of certainty. Furthermore, our systems can be relatively large and expensive, and individual systems sales can represent a significant portion of our revenue and profits for a quarter such that the loss or deferral of even one such sale can adversely affect our quarterly revenue and profitability. Clients often defer systems purchases until our quarter end, so quarterly revenue from system sales generally cannot be predicted and frequently are not known until after the quarter has concluded. Our sales are dependent upon clients’ initial decisions to replace or substantially modify their existing information systems, and subsequently, their decision concerning which products and services to purchase. These are major decisions for healthcare providers and, accordingly, the sales cycle for our systems can vary significantly and typically ranges from six to twenty-four months from initial contact to contract execution/shipment. Because a significant percentage of our expenses are relatively fixed, a variation in the timing of systems sales, implementations and installations can cause significant variations in operating results from quarter to quarter. As a result, we believe that interim period-to-period comparisons of our results of operations are not necessarily meaningful and should not be relied upon as indications of future performance. Further, our historical operating results are not necessarily indicative of future performance for any particular period. We currently recognize revenue in accordance with the applicable accounting guidance as defined by the FASB. There can be no assurance that application and subsequent interpretations of these pronouncements will not further modify our revenue recognition policies, or that such modifications would not adversely affect our operating results reported in any particular quarter or year. Due to all of the foregoing factors, it is possible that our operating results may

26

Table of Contents

be below the expectations of public market analysts and investors. In such event, the price of our common stock would likely be adversely affected.

Risks Related to our Common Stock

The unpredictability of our quarterly operating results may cause the price of our common stock to fluctuate or decline. Our revenue may fluctuate in the future from quarter to quarter and period to period, as a result of a number of factors including, without limitation:

Our common stock price has been volatile, which could result in substantial losses for investors purchasing shares of our common stock and in litigation against us. Volatility may be caused by several factors including but not limited to:

Furthermore, the stock market in general, and the market for software, healthcare and high technology companies in particular, has experienced extreme volatility that often has been unrelated to the operating performance of particular companies. These broad market and industry fluctuations may adversely affect the trading price of our common stock, regardless of actual operating performance. Moreover, in the past, securities class action litigation has often been brought

27

Table of Contents

against a company following periods of volatility in the market price of its securities. We may in the future be the target of similar litigation. Securities litigation could result in substantial costs and divert management’s attention and resources.

Risks Related to COVID-19

The widespread outbreak of an illness or any other communicable disease, or any other public health crises, such as the COVID-19 pandemic, and the governmental and societal responses thereto, could adversely affect our business, results of operations, and financial position. Widespread outbreaks of disease or other public health crises, such as the COVID-19 pandemic, and responses thereto have in the past and may in the future adversely affect our business and the business of our customers and suppliers. For example, declines in patient volumes at the onset of the COVID-19 pandemic negatively impacted our revenue in the fourth quarter of fiscal 2020, most notably for purchases of software and hardware, and the impact of the disruption also impacted the first half of fiscal 2021, primarily in managed services and EDI, which are volume driven. We may experience further negative financial impacts due to a number of factors, including without limitation:

The magnitude and duration of the disruption and resulting decline in business activity will largely depend on future developments which are highly uncertain and cannot be predicted, including the duration and severity of the pandemic, resurgences or additional “waves” of outbreaks of the virus (including new strains or mutations of the virus), the impact of the pandemic on economic activity, the actions taken by health authorities and policy makers to contain its impacts on public health and the global economy, and the effectiveness of vaccines. Even after the COVID-19 pandemic has subsided, we may experience material adverse impacts to our business because of the global or U.S. economic impact and any recession that has occurred or may occur in the future. Additionally, concerns over the economic impact of the COVID-19 pandemic have caused extreme volatility in financial and capital markets which has and may continue to adversely impact our stock price and may adversely impact our ability to access capital markets. The COVID-19 pandemic may also have the effect of heightening many of the other risks described above.

28

Table of Contents

ITEM 1B. UNRESOLVED STAFF COMMENTS

None.

ITEM 2. PROPERTIES

We are a remote-first company whereby most of our employees either work remotely or have the option to work remotely. Accordingly, we do not maintain a corporate headquarters. We maintain certain physical offices for purposes of collaboration, as needed, and for certain administrative and back-office processing.

We believe that our existing facilities are in good condition and adequate for our current business requirements. Should we continue to grow or change our remote-first strategy, we may be required to lease or acquire additional space. We believe that suitable additional space is available, if needed, at commercially reasonable market rates and terms.

As of March 31, 2023, we leased an aggregate of approximately 189,058 square feet of space with lease agreements expiring at various dates, of which approximately 16,100 square feet of space are utilized for continuing operations and 172,958 square feet of space are being subleased or have been vacated as part of our reorganization efforts, as described further in Note 7, "Leases" of our notes to consolidated financial statements included elsewhere in this Report:

ITEM 3. LEGAL PROCEEDINGS

The information required by Item 3 is incorporated herein by reference from Note 17, “Commitments, Guarantees and Contingencies” of our notes to consolidated financial statements in this Report.

ITEM 4. MINE AND SAFETY DISCLOSURES

Not applicable.

29

Table of Contents

PART II

ITEM 5. MARKET FOR REGISTRANT’S COMMON EQUITY, RELATED STOCKHOLDER MATTERS AND ISSUER PURCHASES OF EQUITY SECURITIES

Market Price and Holders

Our common stock is traded under the symbol “NXGN” on the NASDAQ Global Select Market. At May 12, 2023, there were approximately 601 holders of record of our common stock.

Issuer Purchases of Equity Securities

The following is a summary of our repurchases for the three months ended March 31, 2023 (in thousands, except shares and per share data):

Securities Authorized for Issuance Under Equity Compensation Plans

The information included under Item 12 of this Report, "Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters," is incorporated herein by reference.

30

Table of Contents

Performance Graph

The following graph compares the cumulative total returns of our common stock, the NASDAQ Composite Index and the NASDAQ Computer & Data Processing Services Stock Index over the five-year period ended March 31, 2023 assuming $100 was invested on March 31, 2018 with all dividends, if any, reinvested. The returns shown are based on historical results and are not intended to be indicative of future stock prices or future performance. This performance graph shall not be deemed to be “soliciting material” or “filed” for purposes of Section 18 of the Securities Exchange Act of 1934, as amended (the “Exchange Act”) or otherwise subject to the liabilities under that Section and shall not be deemed to be incorporated by reference into any filing of the Company under the Securities Act of 1933, as amended or the Exchange Act.

COMPARISON OF 5 YEAR CUMULATIVE TOTAL RETURN*

Among NextGen Healthcare, Inc., The NASDAQ Composite Index

And The NASDAQ Computer & Data Processing Index

* $100 invested on March 31, 2018 in stock or index, including reinvestment of dividends. Fiscal year ended March 31.

ITEM 6. RESERVED

31

Table of Contents

ITEM 7. MANAGEMENT’S DISCUSSION AND ANALYSIS OF FINANCIAL CONDITION AND RESULTS OF OPERATIONS

Except for the historical information contained herein, the matters discussed in this management’s discussion and analysis of financial condition and results of operations (“MD&A”), including discussions of our trend analyses, product development plans, business and growth strategies, future operations, financial condition and prospects, share repurchases, developments in and the impacts of government regulation and legislation, and market factors influencing our results, may include forward-looking statements that involve certain risks and uncertainties, all of which are based on current expectations, estimates, and forecasts, and the beliefs and assumptions of our management. Actual results may differ from those anticipated by us as a result of various factors, both foreseen and unforeseen, including, but not limited to, our ability to continue to develop and sell new products and services in markets characterized by rapid technological evolution, consolidation and competition from larger, better-capitalized competitors, our ability to finalize a settlement with the DOJ, cybersecurity and data protection risk and related liabilities, current or potential legal proceedings involving us, shits in our revenue mix that may impact gross margins, and the effect of developments in and the impacts of government regulation and legislation. Many other economic, competitive, governmental and technological factors could affect our ability to achieve our goals, and interested persons are urged to review the risk factors discussed in “Item 1A. Risk Factors” as set forth herein, as well as in our other public disclosures and filings with the Securities and Exchange Commission ("SEC").
 

This MD&A is provided as a supplement to the consolidated financial statements and notes thereto included elsewhere in this Annual Report on Form 10-K ("Report") in order to enhance your understanding of our results of operations and financial condition and should be read in conjunction with, and is qualified in its entirety by, Item 1A Risk factors and the consolidated financial statements and related notes thereto included elsewhere in this Report. Historical results of operations, percentage margin fluctuations and any trends that may be inferred from the discussion below are not necessarily indicative of the operating results for any future period. For information regarding the year ended March 31, 2021, including a year-to-year comparison of our financial condition and results of operations for the years ended March 31, 2022 and March 31, 2021, refer to Item 7, "Management's Discussion and Analysis of Financial Condition and Results of Operations" of our Annual Report on Form 10-K for the year ended March 31, 2022, filed with the SEC on May 18, 2022.
 

Company Overview

NextGen Healthcare is a leading provider of innovative, cloud-based, healthcare technology solutions that empower ambulatory healthcare providers to manage the risk and complexity of delivering care in the United States healthcare system. Our combination of technological breadth, depth, and domain expertise positions us as a preferred solution provider and trusted advisor for our clients. In addition to highly configurable core clinical and financial capabilities, our portfolio includes tightly integrated solutions that deliver on ambulatory healthcare imperatives, including consumerism, digitization, risk allocation, regulatory influence, and integrated care and health equity.

We serve clients across all 50 states. Over 100,000 providers use NextGen Healthcare solutions to deliver care in nearly every medical specialty in a wide variety of practice models including accountable care organizations (“ACOs”), independent physician associations (“IPAs”), managed service organizations (“MSOs”), veterans service organizations (“VSOs”), and dental service organizations (“DSOs”). Our clients range from some of the largest and most progressive multi-specialty groups in the country to sole practitioners with a wide variety of business models. With the addition of behavioral health to our medical and oral health capabilities, we continue to extend our share not only in federally qualified health centers (“FQHCs”) but also in the growing integrated care market.

Our company was incorporated in California in 1974. Previously named Quality Systems, Inc., we changed our corporate name to NextGen Healthcare, Inc. in September 2018, and in 2021, we changed our state of incorporation to Delaware. As a remote-first company, we no longer maintain a principal executive office. Our principal website is www.nextgen.com. We operate on a fiscal year ending on March 31.

Our Vision, Mission and Strategy

NextGen Healthcare’s vision is better healthcare outcomes for all. We strive to achieve this vision by delivering innovative solutions and insights aimed at creating healthier communities. We focus on improving care delivered in ambulatory settings but do so recognizing that the entire healthcare ecosystem needs to work in concert to achieve the quadruple aim… “to improved patient experience, improved provider experience, improve the health of a population, and reduce per capita health care costs.”

Our long-term strategy is to position NextGen Healthcare as both the essential, integrated, delivery platform and the most trusted advisor for the ambulatory practices of the future. To that end, we primarily serve organizations that provide or orchestrate care in ambulatory settings and do so across diverse practice sizes, specialties, care modalities, and business models. These customers include conventional practices as well as new market entrants.

We plan to invest in our current capabilities as well as build and/or acquire new capabilities. In October 2019, we acquired Topaz Information Systems, LLC for its behavioral health solutions. In December 2019, we acquired Medfusion, Inc. for its Patient Experience Platform capabilities (i.e., patient portal, self-scheduling, and patient pay) and OTTO Health, LLC for its virtual care solutions, notably telemedicine. In August 2022, we divested our commercial dental assets, further emphasizing

32

Table of Contents

the company’s focus on serving ambulatory care In November 2022, we acquired TSI Healthcare, LLC ("TSI") for its purpose-built clinical content and differentiated service offerings, which expands the addressable market served by our Enterprise domain, including new specialties, such as rheumatology, pulmonology, and cardiology. The integration of these acquired technologies has made NextGen Healthcare’s solutions among the most comprehensive in the market. Further, we are also actively innovating our business models and exploring new high-growth market domains.

Market Opportunity, and Trends

The scale and scope of the healthcare industry continues to expand. Annual United States healthcare spend today represents nearly $4.1 trillion and ~20% of GDP. A significant portion of this spend is directed towards the treatment of chronic conditions and administrative solutions that service an increasingly complex system with diverse stakeholders. While there are several convergent market forces reshaping the healthcare industry landscape, we are focused on six trends we believe will materially impact the markets we participate in and our customer value proposition:

NextGen Healthcare is well positioned to play a key role in guiding our clients through short-term and long-term changes that impact healthcare in the United States and is committed to helping them deliver better outcomes.

Our Value Proposition

NextGen Healthcare’s value proposition to our clients can be summarized by the four “I’s” as follows:

33

Table of Contents

NextGen Healthcare delivers value to our clients in several ways. Our solutions enable our clients to address current needs while preparing for the needs of the future including expanding access to health services, enhancing the coordination and management of care, and optimizing patient outcomes while also ensuring the sustainability of their practices. Specifically, we offer a range of solutions to allow clinicians to practice anywhere and work in new and innovative collaboration models.

NextGen Healthcare provides integrated cloud-based solutions and services that align with our client’s strategic imperatives. Ultimately, this value is reflected in the overall insights and impact delivered to the client. The foundation for our integrated ambulatory care platform is a core of our industry-leading EHR and practice management (“PM”) systems that support clinical, financial and patient engagement activities.

We optimize the core with an automation and workflow layer that gives our clients control over how platform capabilities are implemented to drive their desired outcomes. The workflow layer includes mobile and voice-enabled capabilities proven to reduce physician burden. Recognizing that engaged patients are key to positive outcomes, our patient experience platform enables our clients to create personalized care experiences that enhance trust and drive patient loyalty. Further, we support the advances in integrated care that focus on the whole person with solutions supporting behavioral and oral health. Our cloud-based population health and analytics engine allows our clients to improve results in both fee-for-service and fee-for-value environments.

In support of extensibility, we surround the core with open, web-based application programming interfaces (“APIs”) to drive the secure exchange of health and patient data with connected health solutions. Our commitment to interoperability, defragmenting care and our experience powering many of the nation’s HIE’s places us in a unique position to enable our clients to leverage this technology to lower the cost of care and improve the patient and provider experience by providing an integrated community patient record.

Finally, to ensure our clients get maximum value from our solutions, we have augmented our technology with key services aligned with their needs, helping to ensure they reach their organizational goals. We partner with our clients to optimize their information technology (“IT”) operations, enhance revenue cycle processes across fee-for-service and fee-for-value models, service line expansion and operations, as well as advise on long-term strategy.

Positioning NextGen Healthcare for Growth. As NextGen Healthcare applies this value proposition framework across the ambulatory care market, we incorporate some or all our current solution offerings within three broad domains illustrated in Figure 1 below:

34

Table of Contents

Figure 1: NextGen Healthcare Solutions Domains

Results of Operations

The following table sets forth the percentage of revenue represented by each item in our consolidated statements of net income and comprehensive income for the years ended March 31, 2023 and 2022 (certain percentages below may not sum due to rounding):

35

Table of Contents

Revenues

The following table presents our consolidated revenues for the years ended March 31, 2023 and 2022 (in thousands):

We generate revenue from sales of licensing rights and subscriptions to our software solutions, hardware and third-party software products, support and maintenance, managed services, transactional and data services, and other non-recurring services, including implementation, training, and consulting services performed for clients who use our products.

Consolidated revenue for the year ended March 31, 2023 increased $56.8 million compared to the prior year, comprised of a $54.2 million increase in recurring revenues and a $2.6 million increase in software, hardware and other non-recurring revenues. The increase in recurring revenues was driven by $21.4 million higher subscription services, $17.7 million higher managed services revenue, and a $17.2 million increase in transactional and data services, partially offset by a $2.1 million decrease in support and maintenance. The increase in subscription services reflect the incremental revenues associated with the acquisition of TSI and higher subscriptions of our NextGen Office and Insights solutions, including interoperability, virtual visits, mobile, financial analytics, and NextGen Enterprise solutions, due to higher recent bookings. The increase in managed services revenue was primarily due to increases in revenue cycle management ("RCM") services and hosting services associated with higher recent bookings. The increase in transactional and data services revenue was primarily driven by higher bookings and transaction volumes associated with our patient pay solutions, partially offset by a decrease in electronic data interchange (“EDI”) and data services revenue due to lower transaction volume. Support and maintenance decreased primarily due to net client attrition, our continued shift to subscription-based solutions, the negative impact to revenues associated with the acquisition of TSI, which was one of our value-added resellers, and the disposition of our Commercial Dental assets, as described in Note 8, "Business Combinations and Disposals" of our notes to the consolidated financial statements included elsewhere in this Report. The increase in software, hardware, and other non-recurring revenues was primarily due to higher professional services revenue from more hours incurred and projects completed in the current year period, partially offset by a decrease in software license revenue due to lower software bookings.

Bookings reflect the estimated annual value of our executed contracts, adjusted to include the effect of pre-acquisition bookings if applicable, and are believed to provide a broad indicator of the general direction and progress of the business. Total bookings were $166.5 million for the year ended March 31, 2023 compared to $152.5 million in the prior year, primarily reflecting higher bookings of patient pay services, NextGen Enterprise subscriptions, and EDI, partially offset by lower bookings of software and maintenance.

We continue to see overall practice volumes at healthy, pre-pandemic levels. This reflects in our volume- and transaction-based solutions, as noted above, and reflects an ongoing industry trend of procedure volumes migrating out of higher cost settings, like hospitals, favoring lower cost care settings and independent healthcare providers. We also continue to see healthy activity levels in our current pipeline. Sales development activities, such as lead generation and demos, indicate a positive demand environment. We have not been significantly impacted by the current economic concerns and general market conditions, and we continue to constructively engage prospects and our clients to find ways to achieve better outcomes for all.

36

Table of Contents

Cost of Revenue and Gross Profit

The following table presents our consolidated cost of revenue and gross profit for the years ended March 31, 2023 and 2022 (in thousands):

Cost of revenue consists primarily of compensation expense, including share-based compensation, for personnel that deliver our products and services. Cost of revenue also includes amortization of capitalized software costs and acquired technology, third party consultant and outsourcing costs, costs associated with our EDI business partners and clearinghouses, patient pay processing and support costs, hosting service costs, third party software costs and royalties, and other costs directly associated with delivering our products and services. Refer to Note 10, "Intangible Assets" and Note 11, "Capitalized Software Costs" of our notes to consolidated financial statements included elsewhere in this Report for additional information on current period amortization of capitalized software costs and acquired technology and an estimate of future expected amortization.

Share-based compensation expense included in cost of revenue was $3.1 million and $2.2 million for the years ended March 31, 2023 and 2022, respectively.

Gross profit for the year ended March 31, 2023 increased $10.2 million compared to the prior year while our gross margin percentage decreased to 47.6% for the year ended March 31, 2023 compared to 50.5% in the prior year period.

The increase in cost of revenue for the year ended March 31, 2023 compared to the prior year period was primarily due to higher transactional and data costs directly associated with higher recent revenues and bookings of our patient pay services. Recurring cost of revenue, including costs of subscription services and managed services, also increased driven by higher hosting costs, third party costs, and higher salaries and benefits from increased employee headcount related to delivering our software solutions and services, directly associated with higher revenues and bookings. Software, hardware, and other non-recurring services revenue costs increased compared to the prior periods primarily due to higher salaries and benefits from increased employee headcount and an increase in consulting costs associated with the delivery of our professional services as we accelerate Spring’21 migration. These increases in cost of revenue were partially offset by lower amortization of capitalized software costs and acquired intangible assets.

Our gross margin for the year ended March 31, 2023 compared to the prior year period decreased primarily due to increased investments in professional services as we accelerate Spring’21 migration and a shift in product mix to lower margin transactional and data services, including patient pay services, and managed services, as noted above.

Selling, General and Administrative Expense

The following table presents our consolidated selling, general and administrative expense for the years ended March 31, 2023 and 2022 (in thousands):

Selling, general and administrative expense consists of compensation expense, including share-based compensation, for management and administrative personnel, selling and marketing expense, facilities costs, depreciation, professional service fees, including legal and accounting services, legal settlements, acquisition and transaction-related costs, and other general corporate and administrative expenses.

Share-based compensation expense included in selling, general and administrative expenses was $26.1 million and $19.9 million for the years ended March 31, 2023 and 2022, respectively. The increase in share-based compensation expense is due to increased utilization of share-based awards to incentivize our executives and employees. Refer to Note 16, "Stockholders’ Equity" of our notes to consolidated financial statements included elsewhere in this Report for additional information on our share-based awards and related incentive plans.

Selling, general and administrative expenses increased $13.8 million for the year ended March 31, 2023 compared to the prior year period is primarily due to $35.2 million of estimated legal settlement and related costs associated with the DOJ investigation regulatory matter (refer to Note 17, "Commitments, Guarantees and Contingencies" of our notes to consolidated

37

Table of Contents

financial statements included elsewhere in this Report for additional information), increased share-based compensation expense, as noted above, higher travel, conferences, and conventions costs, and incremental acquisition costs associated with the acquisition of TSI in November 2022. These increases were partially offset by higher legal and related costs for our shareholder litigation matter incurred in the prior year period, including an $11.4 million payment related to the indemnification of certain expenses related to the Hussein matter, approximately $9.3 million of incremental proxy contest expenses associated with our prior year annual shareholders’ meeting, and lower facilities and infrastructure costs as we transition to a remote-first company.

Research and Development Costs, net

The following table presents our consolidated net research and development costs, capitalized software costs, and gross expenditures prior to capitalization, for the years ended March 31, 2023 and 2022 (in thousands):