A federal judge tossed a lawsuit alleging that software company Nuance Communications was responsible for "millions of dollars in damages" a Pennsylvania health system suffered due to a 2017 cyberattack.
Heritage Valley Health System in November sued Nuance in the U.S. District Court for the Western District of Pennsylvania, alleging the company's failure to take proper information security precautions led it to become a victim of NotPetya, a cyberattack that hit major companies across the globe in 2017.
Heritage Valley alleged it suffered damages from NotPetya, which seemingly entered the system through a virtual private network connection with Nuance. Damages included losses from business income, costs to repair and restore computer networks, employee overtime and compensation, and "intangible economic harm including the loss of goodwill," according to the health system's complaint.
Heritage Valley had sought damages and a declaration that Nuance was responsible for reimbursing the health system for future costs associated with the cyberattack.
U.S. District Judge Robert J. Colville last week dismissed the complaint with prejudice.
Heritage Valley in 2003 purchased medical dictation software and an ongoing maintenance plan from Dictaphone Corp., a company Nuance acquired in 2006. Heritage Valley argued in its complaint that it had an implied contract with Nuance, since the health system had continued to use Dictaphone's products since the acquisition.
Heritage Valley argued that since its 2003 agreement involved Dictaphone providing the health system with a secure private network connection, Nuance breached that contractual obligation by providing an allegedly vulnerable connection in 2017.
But Colville in an opinion filed Aug. 13 said the lawsuit failed to demonstrate Nuance had breached an implied contract. As a result, "a fair reading of the complaint leads us to conclude that the duty at issue exists only by way of the 2003 Agreement."
However, the health system did not accuse the company of breaching the 2003 contract, according to Colville. Instead, the health system argued Nuance breached a "broader social duty" to protect its data, and alleged that Nuance had invested into an "acquisition-driven business strategy" at the expense of more robust information security practices.
"The allegations that Nuance owed Heritage Valley a duty to make 'good business decisions' and that Nuance breached that duty by implementing a bad business strategy that invested resources on corporate acquisition instead of cybersecurity is not sufficient to support a claim," Colville wrote.
Hackers had initially directed the NotPetya malware attack at Ukraine in June 2017, but it quickly spread to companies like Merck & Co. and Nuance Communications in the U.S., as well as other businesses abroad.
During the cyberattack, clinicians at Heritage Valley had to re-draw for preoperative laboratory results and divert some patients to other locations, since the health system's severs and computer workstations were encrypted by NotPetya, according to the health system's complaint. Heritage Valley also was forced to close some laboratory and diagnostic services for multiple days.
The health system's acute and ambulatory services were affected for nearly a week, according to the complaint.
Heritage Valley and Nuance did not immediately respond to requests for comment.