Analysis: Why a NotPetya Lawsuit Was Dismissed
Court Ruling Hinged Primarily on Contractual Issues After a Merger
A federal court’s dismissal of a lawsuit filed against medical transcription company Nuance Communications in the wake of a 2017 NotPetya ransomware attack illustrates how contract terms can affect legal outcomes.
The Western Pennsylvania federal court’s recent decision to dismiss the lawsuit filed by Beaver, Pa.-based Heritage Valley Health System did not dispute the findings of the forensic investigation into the attack, which showed that Heritage was directly affected by way of its network connection with Nuance. Instead, the lawsuit was tossed mainly because of legal issues involving the contractual relationship between Heritage, Nuance and Dictaphone, a company Nuance acquired in 2006. Heritage had signed its contract with Dictaphone before Dictaphone was sold to Nuance.
Contract, or No Contract?
Heritage’s three counts against Nuance included negligence, “breach of implied in fact contract” and unjust enrichment. The court dismissed all of those counts.
The healthcare organization argued that because Nuance acquired Dictaphone, and because there was a contract between Dictaphone and Heritage, there was also essentially a contract between Nuance and Heritage, says regulatory attorney Marti Arvin of security and privacy consulting firm CynergisTek, who was not involved in the case.
“While this can sometimes be true based on the actions of the parties after the acquisition, in this case, the court found that Heritage had not provided information in its complaint to support this argument. Thus, there was not a contractual duty owed to Heritage by Nuance.”
Breach of implied contract and unjust enrichment claims require allegation of the existence of a contract between Heritage and Nuance, notes technology attorney Steven Teppler, partner of the law firm Mandelbaum Salsburg P.C., who also was not involved in the case.
“As no contract was alleged, the court felt bound to dismiss those claims as well,” he says. “It seems as if the court would have been much more receptive to a breach of contract claim, but the damages would likely have been much less.”
Heritage in its lawsuit said the 2017 NotPetya malware attack against Nuance Communications spread to the healthcare provider’s systems, resulting in "millions in damages … as a result of Nuance’s negligence.”
The lawsuit notes that on the morning of June 27, 2017, after Nuance was hit with NotPetya and the malware continued to spread through the company’s systems, “Nuance was forced to take its client-facing software solutions offline in a belated attempt to stop the malware from spreading to its customers.”
Later on the morning of June 27, 2017, Heritage Valley was also infected by the NotPetya malware. The outbreak eventually affected a majority of Heritage’s servers and workstations by encrypting the file system and files, “making the operating systems unbootable and the files contained on the drives inaccessible,” the lawsuit states.
The malware affected every aspect of the health system’s ability to operate, forcing Heritage to close many of its patient care services for nearly a week, according to the suit, which alleges the healthcare provider suffered millions of dollars in damages, including the replacement of hardware.
A forensics analysis from two independent data sources showed that the malware entered Heritage Valley’s computer network systems “through a trusted virtual private network connection with Nuance,” the lawsuit states.
Heritage alleged that the ransomware attack it suffered was a result of poor security practices and governance oversight at Nuance.
Heritage argued that because Nuance acquired Dictaphone and maintained it as a wholly owned subsidiary, “Nuance is liable for any contractual obligations and tort liability arising from the plaintiff’s use of the products acquired from Dictaphone, and Nuance should be held liable for poor security practices and governance oversight as it had a broader duty to prevent the cyberattack.”
Heritage’s complaint also argued that Nuance’s rapid growth through acquisitions created risk. “Since 2006 alone, the company has made more than 50 different corporate acquisitions. As a result of these and other acquisitions Nuance now has more than 150 corporate subsidiaries. More than half of these subsidiaries are headquartered internationally,” the complaint noted.
“With each acquisition and international expansion, Nuance exposed itself and its customers to increasing cybersecurity risk, all the while Nuance did not have the management or funding in place to sufficiently protect against these risks. Nuance’s business connections in the Ukraine and negligent information security practices became a conduit for the NotPetya malware to affect the U.S. healthcare system, including Heritage Valley.”
But in dismissing the lawsuit, the court noted that “broadly speaking, Nuance argues that it cannot be held liable for negligence because it was not a party to the 2003 Master System Procurement Agreement, between [Heritage] and Dictaphone Corp., by which Heritage purchased certain healthcare software and hardware from Dictaphone, [a non-party to the lawsuit], which was maintained through a private portal-to-portal network.”
The court also noted that “a fair reading of the complaint leads us to conclude that the duty at issue exists only by way of the 2003 agreement” with Dictaphone, not Nuance.
Neither Heritage nor Nuance immediately responded to Information Security Media Group’s request for comment on the lawsuit dismissal.
Privacy attorney David Holtzman of the consulting firm HITPrivacy, who was not involved in the case, says the dismissal of the lawsuit spotlights the importance of carefully scrutinizing contractual relationships with vendors that handle sensitive data – including issues involving potential mergers and acquisitions.
“Mergers and acquisitions are common occurrences in the information technology industry. Healthcare organizations need to pay attention to transactions that involve vendors handling your organization’s personally identifiable information,” he notes.
Teppler says the case also serves as a reminder about risks involving managed service providers. “Managed service providers also mean managed single points of failure,” he says.
“Check your contractual language. What provisions does your provider have, not only for security, but for business continuity and disaster recovery? How does your vendor provision for potential malware attacks? Have a ‘Plan B’ - it will cost extra money, but think of the trade off.”