Federal Judge Dismisses Heritage Valley Health System NotPetya Lawsuit Against Nuance Communications

In 2019, Beaver, PA-based Heritage Valley Health System filed a lawsuit against its vendor Nuance Communications over the 2017 NotPetya malware attack. The lawsuit was recently dismissed by a federal judge for the US District Court for the Western District of Pennsylvania.

The NotPetya attacks occurred a short time after the WannaCry ransomware attacks in 2017 and targeted the same vulnerability in Windows Server Message Block (SMB). NotPetya encrypted the master boot record of infected computers, rendering them unusable. The attacks occurred in June 2017, more than three months after Microsoft released a patch to fix the SMB vulnerability that was exploited in the attacks.

The cyberattack on Nuance Communications saw 14,800 servers and 26,000 workstations encrypted by NotPetya. The extent of the damage meant 7,600 servers and 9,000 workstations needed to be replaced. Heritage Valley Health System was also affected by the attack, with the investigation revealing the malware had spread to the health system’s computer network via a trusted virtual private network (VPN) connection with Nuance. Once NotPetya was transferred to Heritage Valley, its servers and workstations were also encrypted, preventing the devices from being booted and rendering data inaccessible.

Heritage Valley filed a lawsuit against Nuance alleging that the NotPetya cyberattack was the result of negligence, poor security practices, and inadequate governance oversight. The lawsuit also alleged breach of implied contract and unjust enrichment. The damage to its computer systems forced Heritage Valley to temporarily cancel many of its patient care services for almost a week. The loss of business and the damage to computer hardware cost the health system millions.

The attack on Nuance was preventable: had Nuance applied the patch in the three months before the attack, the infection would not have been possible. The forensic investigation also confirmed that Heritage Valley was infected through Nuance. The lawsuit was nonetheless dismissed because of the contract between Heritage Valley and its vendor. Heritage Valley had signed a contract with the vendor Dictaphone Inc. in 2003, and Dictaphone was acquired by Nuance in 2006.

In the lawsuit, Heritage Valley argued “Nuance is liable for any contractual obligations and tort liability arising from the plaintiff’s use of the products acquired from Dictaphone, and Nuance should be held liable for poor security practices and governance oversight as it had a broader duty to prevent the cyberattack.”

Since the acquisition of Dictaphone in 2006, Nuance had acquired more than 50 other companies and had more than 150 subsidiaries. “The sheer number of Nuance’s corporate acquisitions and the reach and pace of its global expansion combined to make meaningful integration of acquired systems and meaningful segmentation of Nuance’s growing global network difficult,” argued Heritage Valley in the lawsuit. “With each acquisition and international expansion, Nuance exposed itself and its customers to increasing cybersecurity risk, all the while Nuance did not have the management or funding in place to sufficiently protect against these risks.”

In its motion to dismiss, Nuance argued that it could not be held liable for negligence because it was not party to the Master System Procurement Agreement between Dictaphone and Heritage Valley in 2003, through which Heritage Valley purchased hardware and software from Dictaphone. The hardware and software were then maintained through a private portal-to-portal network.

The judge accepted Heritage Valley’s account of the facts and did not dispute the claims, but ruled that both Dictaphone and Nuance were exempt from the product liability claims because external sources were involved, and that Nuance could not be held liable under the 2003 contract because it was signed between Heritage Valley and Dictaphone.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.