Judge Dismisses Heritage Valley Malware Lawsuit Against Nuance
Heritage Valley Health System filed a lawsuit against Nuance after the vendor fell victim to the 2017 NotPetya malware attack, which then allegedly infected and damaged the health system’s network.
A federal judge for the US District Court of the Western District of Pennsylvania has granted a motion to dismiss the lawsuit against Nuance Communications, which Heritage Valley Health System filed after the 2017 NotPetya malware cyberattack damaged its computer systems.
Massachusetts-based Nuance was one of hundreds of organizations that fell victim to the crippling malware, which affected portions of the vendor’s network and infected some of its clients in the process. The malware infected 14,800 of Nuance’s servers, of which 7,600 had to be replaced.
The virus also infected 26,000 workstations, of which 9,000 had to be replaced by Nuance.
NotPetya targeted vulnerabilities in Server Message Block (SMB), encrypting the master boot records of infected Windows computers and rendering the devices unusable. The attack methods bore hallmarks of the earlier WannaCry attack, which also occurred in 2017.
NotPetya stemmed from an unrelated attack on a Ukrainian tax-filing program, which then spread to connected companies and systems.
Heritage Valley was one of the Nuance clients affected by the vendor’s NotPetya infection, which crippled the health system’s servers and workstations and rendered the operating systems unbootable and files on the infected drives inaccessible.
An investigation revealed the infection entered through a Virtual Private Network (VPN) connection between the health system and Nuance.
The health system filed a lawsuit against Nuance in 2019, claiming the vendor was responsible for spreading NotPetya to its system, allegedly as a result of negligence and poor “security practices and governance oversight.”
“It alleges Nuance became a victim of the NotPetya malware attack as a result of its own information security failings,” the lawsuit argued. “The sheer number of Nuance’s corporate acquisitions and the reach and pace of its global expansion combined to make meaningful integration of acquired systems and meaningful segmentation of Nuance’s growing global network difficult.”
“Moreover, rather than expend the resources necessary to meet this growing cybersecurity risk, Nuance instead did not have or invest in the budget or management that would have been required to adequately address this issue,” it continued.
Heritage Valley also claimed breach of implied-in-fact contract and unjust enrichment.
Nuance soon moved to dismiss all charges, arguing that the company couldn’t be held liable for negligence because the Master System Procurement Agreement was between Heritage Valley and Nuance’s subsidiary, Dictaphone Co., which Nuance acquired in 2006.
“[Heritage Valley] purchased certain healthcare software and hardware from Dictaphone, a non-party, which was maintained through a private portal-to-portal network,” according to the lawsuit. “And even if the contractual terms bind it, Nuance argues, the negligence claim should be dismissed on the basis of the gist of the action doctrine.”
“[Heritage Valley] alleges since Nuance subsequently acquired Dictaphone and maintained it as a wholly-owned subsidiary, Nuance is liable for any contractual obligations and tort liability arising from Plaintiff’s use of the products acquired from Dictaphone, and Nuance should be held liable for poor security practices and governance oversight as it had a broader duty to prevent the cyberattack,” it continued.
While the judge accepted Heritage Valley’s allegations as factual and viewed “them in light a most favorable,” Nuance and Dictaphone were explicitly exempted from product liability as it involved external sources: the 2003 contract was held between Heritage Valley and Dictaphone, not Nuance.
The case was dismissed with prejudice, meaning Heritage Valley will not be able to amend the complaint.