[BreachExchange] Judge Dismisses Heritage Valley Malware Lawsuit Against Nuance

[Destry Winant]

https://healthitsecurity.com/news/judge-dismisses-heritage-valley-malware-lawsuit-against-nuance

A federal judge for the US District Court of the Western District of
Pennsylvania has filed a motion to dismiss the lawsuit against Nuance
Communications, filed by Heritage Valley Health System after the 2017
NotPetya malware cyberattack damaged its computer systems.

Massachusetts-based Nuance was one of hundreds of victims that fell
victim to the crippling malware, which affected portions of the
vendor’s network and infected some of its clients in the process. The
malware infected 14,800 of Nuance’s servers, of which 7,600 had to be
replaced.

The virus also infected 26,000 workstations, of which 9,000 had to be
replaced by Nuance.


NotPetya targeted vulnerabilities in Server Message Block (SMB),
encrypting the master boot records of infected Windows computers and
rendering the device unusable. The attack methods bore hallmarks to
the previous WannaCry attack that also occurred in 2017.

NotPetya stemmed from an unrelated attack on a Ukranian tax-filing
program, which then spread to connected companies and systems.

Heritage Valley was one of the Nuance clients affected by the vendor’s
NotPetya infection, which crippled the health system’s servers and
workstations and rendered the operating systems unbootable and files
on the infected drives inaccessible.

An investigation revealed the infection entered through a Virtual
Private Network (VPN) connection between the health system and Nuance.

The health system filed a lawsuit against Nuance in 2019, claiming the
vendor was responsible for spreading NotPetya to its system, allegedly
caused by negligence and poor “security practices and governance
oversight.”

“It alleges Nuance became a victim of the NotPetya malware attack as a
result of its own information security failings,” the lawsuit argued.
“The sheer number of Nuance’s corporate acquisitions and the reach and
pace of its global expansion combined to make meaningful integration
of acquired systems and meaningful segmentation of Nuance’s growing
global network difficult.”

“Moreover, rather than expend the resources necessary to meet this
growing cybersecurity risk, Nuance instead did not have or invest in
the budget or management that would have been required to adequately
address this issue,” it continued.

Heritage Valley also claimed a breach of implied in fact contract and
unjust enrichment.

Nuance soon moved to dismiss all charges, arguing that the company
couldn’t be held liable for negligence as the Master System
Procurement Agreement was held between Heritage Health and Nuance’s
subsidiary, Dictaphone Co., which Nuance acquired in 2006.

“[Heritage Valley] purchased certain healthcare software and hardware
from Dictaphone, a non-party, which was maintained through a private
portal-to-portal network,” according to the lawsuit. “And even if the
contractual terms bind it, Nuance argues, the negligence claim should
be dismissed on the basis of the gist of the action doctrine.”

“[Heritage Valley] alleges since Nuance subsequently acquired
Dictaphone and maintained it as a wholly-owned subsidiary, Nuance is
liable for any contractual obligations and tort liability arising from
Plaintiff’s use of the products acquired from Dictaphone, and Nuance
should be held liable for poor security practices and governance
oversight as it had a broader duty to prevent the cyberattack,” it
continued.

While the judge accepted Heritage Valley’s allegations as factual and
viewed “them in light a most favorable,” Nuance and Dictaphone were
explicitly exempted from product liability as it involved external
sources: the 2003 contract was held between Heritage Valley and
Dictaphone, not Nuance.

The case was dismissed with prejudice, meaning Heritage Valley will
not be able to amend the complaint.