Heritage Valley Health System Lawsuit Against Nuance Communications Dismissed

In 2019, Heritage Valley Health System, based in Beaver, PA, took legal action against Nuance Communications over a NotPetya malware attack in 2017. A federal judge for the US District Court for the Western District of Pennsylvania recently dismissed the lawsuit.

The NotPetya attacks happened sometime after the 2017 WannaCry ransomware attacks and exploited the same flaws in Windows Server Message Block (SMB). The NotPetya ransomware encrypted the vulnerable computer’s master boot record, making it useless. The attacks happened in June 2017, about three months after Microsoft released a patch resolving the SMB vulnerability.

The NotPetya cyberattack on Nuance Communications resulted in the encryption of 26,000 workstations and 14,800 servers. The magnitude of the attack required the replacement of 9,000 workstations and 7,600 servers. The attack also affected Heritage Valley Health System, and the investigation showed that the malware spread to its computer network through a virtual private network (VPN) link with Nuance. As soon as NotPetya was transmitted to Heritage Valley, its servers and workstations were encrypted, making data inaccessible.

The legal case that Heritage Valley filed against Nuance alleged that the NotPetya cyberattack was the consequence of negligence, governance oversight, and bad security practices. In addition, the lawsuit alleged unjust enrichment and breach of implied contract. Because of the damaged computer systems, Heritage Valley had to put its patient care services on hold for about one week. The health system lost millions as a result of the cyberattack.

The ransomware attack could have been prevented if Nuance had applied the patch three months before the attack. The forensic investigators stated that Heritage Valley was affected because of Nuance. The lawsuit was dismissed because of Heritage Valley’s contract with its vendor Dictaphone Inc., signed in 2003. Nuance acquired Dictaphone in 2006.

Heritage Valley asserted that Nuance is responsible for any contractual responsibilities and tort liability stemming from the plaintiff’s use of products obtained from Dictaphone, and that Nuance must also be responsible for bad security practices and governance oversight since it had a wider obligation to avert the cyberattack.

Since 2006, in addition to Dictaphone, Nuance had bought over 50 other firms and had over 150 subsidiaries. Meaningfully integrating the acquired systems and properly segmenting Nuance’s expanding worldwide network was difficult. Every acquisition and worldwide expansion increased Nuance’s exposure to cybersecurity risk. At the same time, Nuance lacked the management or resources to adequately protect its network against these risks.

In its motion to dismiss, Nuance contended that it cannot be held responsible for negligence since it wasn’t the party that signed the Master System Procurement Agreement. That agreement was between Dictaphone and Heritage Valley, and Heritage Valley bought the hardware and software from Dictaphone in 2003. Maintenance of the hardware and software was undertaken via a private portal-to-portal system.

The judge recognized Heritage Valley’s explanation and didn’t challenge the points of the claims, but decided to exempt both Dictaphone and Nuance from product liability claims because external sources were engaged. Nuance cannot be held responsible since the 2003 agreement was made between Heritage Valley and Dictaphone.