  •  This document outlines Select Medical's information security policy, detailing the protection, access, and handling of company information and data, responsibilities of workforce members, and consequences for policy violations.

    Select Medical is concerned about the security of the Information processed and maintained on any computing device used throughout the Company. Information is a critical Company asset and as such must be protected from misuse, improper access, and delays in processing. It is imperative that the following policy be implemented and enforced to ensure the confidentiality, integrity, and availability of Company Information.

    Select Medical Information must be protected in a manner commensurate with its sensitivity, value and critical nature. Security measures must be employed regardless of the medium on which Information is stored (i.e., paper, PCs, mobile devices, CDs, tapes, etc.), the systems which process it (i.e., PCs, networks, voice mail systems, etc.), or the methods by which it is moved (i.e., electronic mail, paper, face-to-face conversation, etc.). Such protection includes restricting access to Information based on the need-to-know.

    This document applies to Select Medical, its subsidiaries and affiliated companies and all personnel accessing Company Property.

  • RESPONSIBILITY

  • Supervisors and managers are responsible for keeping all Workforce members informed of this policy. All Workforce members will be informed of this policy through Compliance training and new-hire orientation and will be required to acknowledge and abide by the policy.

    Company: Select Medical and its subsidiaries, affiliates, and joint venture entities managed by

    Company Property: All right, title and interest in or to the Hardware, Software, Information, or Data owned, leased, or licensed by the Company.

    Corporate Confidentiality Statement (must be used verbatim): Note: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.

    Data: Raw, unorganized facts that may be captured, stored, processed, and/or transmitted.

    Hardware: All equipment, machinery, tapes, diskettes, or other tangible objects used in the capture, storage, processing, or transmission of Information and Data, including, but not limited to, terminals, personal computers, mobile devices, medical devices, tape or disk drives, monitors, printers, modems or other peripheral equipment, such as disks, diskettes, external hard drives, flash drives, or tapes.

    Information: All processed, organized, structured, and/or contextualized Data that may be captured, stored, processed, or transmitted.

    Owner of Information: The individual or entity who has a vested interest in, who has been given the authority to allow access to, and who has the responsibility of maintaining the integrity of the Information.

    Password: A control word consisting of a minimum of 8 alphanumeric characters with an expiration interval of no more than 90 days, known only to the owner of a UserID. The Password is used to restrict the use of the UserID to a specific individual or access to Company resources. A Password can also be referred to as a "passphrase."

    Software: All computer programs, applications, operating systems, languages, commands, or utilities used in the storage, processing, retrieval, or transmission of Information and Data.

    System Fault: An abnormal condition or defect at the component, equipment or sub-system level which may lead to a failure.

    UserID: The unique identifier, protected by a changeable Password, which identifies each computer, application, and/or system user.

    Workforce: Employees of Select Medical and its subsidiaries, affiliates or entities it manages or controls, volunteers, students and trainees, agency staff, vendors, consultants, contract staff and others whose work performance is under the direct control of Select Medical or its subsidiaries, affiliates or entities it manages or controls.

  • It is the policy of the Company that:

    A. All Information and applications that process Data (which include programs making up operating systems) are Company Property. The Company forbids either the Information or the Software to be given to or viewed by anyone not employed by the Company. Exceptions can be made if the operating manager of the department responsible for the Information or Software gives prior approval.

    B. Unless for an approved business process, no Information, Data, or Software shall be downloaded, transferred or otherwise made available to non-Company Hardware or any person who is not a Workforce member without prior permission from the Information Security Department through the Workforce member's immediate supervisor and senior leadership.

    C. At minimum, the following steps shall be taken to protect Company Information:

       1. Control and limit physical access to areas containing Information and/or Data processing resources, to essential personnel.

       2. Provide only the level of access necessary (READ, MODIFY and/or DELETE) to those Workforce members with the need to use the Information.

       3. Provide necessary procedures to ensure that the transferal or termination of an individual's access is in accordance with their roles and responsibilities within the Company.

       4. Provide necessary tools to monitor and enforce security policies.

       5. Implement and maintain documented procedures to impede or prevent Workforce members of the Company or third parties from tampering with or misusing

    D. All Company Property shall remain the property of the Company, regardless of its origin, including, but not limited to, any Software or Data developed by Workforce members for the Company or using Company Property. The Workforce member hereby assigns to the Company the entire right, title, and interest in and to any Software or Data developed by the Workforce member for the Company, and shall execute any assignments or other documents necessary to effect such assignments. The Workforce member agrees that any Software or Data developed by the Workforce member for the Company or using Company Property shall be deemed a "work made for hire".

    E. The Workforce member shall not load or otherwise transfer any Information or Data to any Company Property without prior permission from the Information Security Department unless for an approved business process.

    F. No electronic devices connected to Company Property, including but not limited to dialup, VPN, or SSL connections from remote locations, shall be left unattended while signed on unless Password protected. Each Workforce member must ensure that remote connections to Company assets are logged off when not in use and not left unattended unless Password protected. All remote connections should require the user to enter a Password to gain access, and should not make use of any type of feature that would bypass this requirement unless a feature is specifically approved by the Chief Information Officer or Security Officer.

    G. Connecting any device not issued by the Information Services department to any Company equipment (workstations, servers, tablets, etc.), even for the purposes of providing power, is prohibited, unless authorized by the Information Security department.

    H. Remote and/or local area network layer connections to the Company internal network resources are only permitted from Hardware owned by the Company, unless authorized by the Information Security department.

    I. While using Company Property, connections to the Internet must not be left unattended, and Internet browsers should be closed when not in use.

    J. The Workforce member shall not use or install any personal locks on any Hardware, safes, or storage cabinets for Software, or on any adjacent office equipment. The Company reserves the right to inspect the Workforce member's work area and remove, by any means, any personal locks found to be installed in violation of this policy.

    K. The Workforce member shall be solely responsible for any computer activity conducted under the Workforce member's UserID, and shall not disclose his/her UserID and associated Password to anyone, unless authorized beforehand by a member of the Information Security department. The Workforce member shall not in any way attempt to discover the Password of any other Workforce member.

    L. The Workforce member shall not use any Company Property, in whole or in part, for personal reasons, unless authorized by the Workforce member's immediate supervisor.

    M. Testing of security systems is prohibited without approval of the Chief Information Officer or Security Officer. Disclosing, capturing, altering, or destroying Information that relates to or creates security exposures is prohibited. All security exposures must be disclosed to the Security Officer or Chief Information Officer as soon as possible. Additionally, users are prohibited from disclosing, changing, or disabling any audit features without the approval of the Information Services department.

    N. Workforce members must report all System Faults with Company owned assets or

    O. The Workforce member shall not use any Company Property to gain unauthorized access to any Software or Data, whether the property of the Company or a third party.

    P. The Workforce member shall not unduly influence or attempt to influence the Company to purchase, lease, or license any Hardware, Software, or Data from a third party vendor with which the Workforce member has had prior dealings.

    Q. Workforce members should not expect privacy with respect to any of their use or access of Company Property. The Company reserves the right and has the legal authority to review any data files, messages, or communications sent, received, or stored on Company Property. Workforce members will adhere to applicable laws and industry standards while utilizing Company equipment and while on Company Property.

    R. The environments containing Company Information and Data processing resources shall be adequately protected by using appropriate procedures and technology. Some examples of these would be locked doors or cabinets, fire alarms, suppression devices, and emergency power supplies.

    S. All departments that process and maintain Company Information shall ensure that a documented contingency plan is developed to enable the continued availability of important or critical Information in the event of an extended emergency.

    T. Unless it has specifically been designated as public, all Company internal Information must be protected from disclosure to third parties. Third parties may be given access to Company internal Information only when demonstrable need-to-know exists, when a Company contractual agreement has been signed, and when such a disclosure has been expressly authorized by the relevant Company Owner of Information. If sensitive Information is lost, or disclosed to unauthorized parties, or is suspected of being lost or disclosed to unauthorized parties, the Information Security department and Compliance department must be notified immediately.

    U. All Workforce members who secure Company Property with Passwords or encryption shall turn over the Passwords or decryption keys to the Information Security department upon separation from the Company.

    V. If remote access to Company's internal network resources is granted, the Workforce member must maintain a work environment that meets security and confidentiality requirements for PHI, financial information, and any proprietary Company Information as defined by Company's policies and procedures as well as established law. Workforce members must not compromise the confidentiality or security of Information due to remote computer access. Workforce members must ensure that confidential Information in any form cannot be accessed and/or viewed by any unauthorized person. It is the Workforce member's responsibility to be aware of their surroundings when viewing sensitive Information in possible public areas.

    W. Breaches in the use and handling of sensitive Information such as PHI, PII, PCI, etc. or technology, whether intended or unintended, will be subject to disciplinary action up to and including termination, in accordance with Company's Human Resources policies, procedures and Code of Conduct.

    X. The Workforce member shall use any Software purchased, leased, or licensed from third party vendors strictly in accordance with the license agreement and copyright statements for such Software. The Workforce member shall not copy, download or upload any such Software without the prior approval of the Information Security department, and shall not under any circumstances modify any such Software.

    Y. The Workforce member acknowledges that any action taken by the Workforce member in violation of this policy may subject both the Workforce member and the Company to criminal and civil liability. In the event that any suit, claim, or demand is asserted against the Company which arises out of the Workforce member's actions in violation of this policy, the Workforce member shall indemnify, defend, and hold harmless the Company from and against all liability, cost, or expense, including attorney's fees. The indemnity contained herein shall survive the expiration or termination of the Workforce member's employment with the Company.

    The Workforce member acknowledges that any violation of the above rules and procedures may subject the Workforce member to disciplinary action, including, but not limited to, termination of the Workforce member's employment and civil and criminal proceedings. In the event that the Workforce member's employment is terminated, the Company shall retain all legal or equitable remedies against the Workforce member, and such remedies shall be
