In 2019, Heritage Valley Health System in Beaver, PA filed a case against Nuance Communications in relation to the 2017 NotPetya malware attack. The case was dismissed by a federal judge in the US District Court of the Western District of Pennsylvania.
In June 2017, attackers used the NotPetya malware to exploit the same Windows Server Message Block (SMB) vulnerability exploited in the WannaCry ransomware attacks. Encryption of the master boot record of a vulnerable computer made it unusable. Sad to say, the attacks happened about three months after Microsoft released the patch to resolve the SMB vulnerability.
Because of the NotPetya attack on Nuance Communications, 26,000 workstations and 14,800 servers were encrypted. The severity of the attack called for 9,000 workstations and 7,600 servers to be replaced. The attack likewise impacted Heritage Valley Health System and the malware reached its computer network via a virtual private network (VPN) linked to Nuance. The moment NotPetya infected Heritage Valley’s systems, its servers and workstations became encrypted so that data could not be accessed.
Heritage Valley took legal action against Nuance alleging that the NotPetya cyber attack would not have happened if not for Nuance’s bad security practices, negligence, governance oversight, breach of implied contract and unjust enrichment. The damaged computer systems, Heritage Valley had to put its patient care services on hold for about one week. The health system lost millions as a result of the cyberattack.
The ransomware attack could have been prevented if Nuance had applied the patch three months before the attack. The forensic investigators reported that Heritage Valley was impacted by the attack because of Nuance. Nevertheless, the lawsuit was dismissed because Heritage Valley’s contract was entered into with Dictaphone Inc. in 2003. In 2006, Nuance just bought Dictaphone.
Heritage Valley claimed that Nuance should be accountable for any contractual responsibilities as well as tort liability arising from the plaintiff’s use of goods received from Dictaphone. Nuance should also be accountable for the bad security practices and governance oversight considering its responsibility to evade the cyberattack.
Since buying Dictaphone in 2006, Nuance has acquired over 50 other companies and now has more than 150 subsidiaries. It was difficult for Nuance to make an efficient integration of acquired systems and correct segmentation of Nuance’s growing international network. The exposure of Nuance to cybersecurity risk increases with every acquisition and global expansion. Further, Nuance does not have enough management or resources to secure its network against cybersecurity risks.
Nuance argued the allegations in its motion to dismiss stating that it cannot be held liable for negligence because it did not sign the Master System Procurement Agreement. Heritage Valley signed an agreement with Dictaphone in 2003 and any purchased hardware and software applications were from Dictaphone. Consequently, hardware and software maintenance should be provided through a private portal-to-portal system.
The federal judge accepted Heritage Valley’s reasoning and didn’t further challenge the points of the claims. He made a decision to excuse both Dictaphone and Nuance from claims of product liability considering that external sources were involved. Nuance was not made accountable since Heritage Valley made an agreement with Dictaphone in 2003.