Judge throws out Heritage Valley Health System's lawsuit against Nuance over 2017 malware attack


Heritage Valley Health System has lost its bid to hold a software company liable for a 2017 malware attack that locked up its computer networks and blocked access to medical files.

Last week, U.S. District Court Judge Robert Colville dismissed the three-count civil lawsuit that the health system filed in 2019 against Nuance Communications.

Heritage Valley Health System, based in Sewickley, Pennsylvania, says it sustained damages when malware from the Russian military-launched “NotPetya” cyber attack in June 2017 entered its computer system through a network connection with Nuance.

Nuance is a provider of voice recognition and natural language processing solutions, including voice dictation technology for doctors.

The health system began contracting with Dictaphone Corp. in 2003 for on-demand voice dictation services. Nuance bought Dictaphone in 2006.

Nuance and its wholly-owned subsidiary Dictaphone were explicitly exempted from product liability involving “external parties,” according to the judge's ruling.


The lawsuit was dismissed with prejudice, preventing Heritage Valley Health System from amending the complaint. 

The health system and Nuance did not immediately respond to a request for comment about the lawsuit's dismissal.

In 2017, the NotPetya malware affected Heritage Valley Health System's entire health system, including satellite and community locations. Physicians and nurses were forced to re-draw pre-operative laboratory results, laboratories and x-ray machines were down, and some patients had to be diverted to other locations, the health system alleges in the lawsuit.

The integrated healthcare system has 60 physician offices and 18 community satellite facilities throughout Pennsylvania, Ohio and parts of West Virginia.

Heritage Valley alleges it suffered "millions of dollars" in damages as a result of the malware attack, including business income loss and costs of repair and restoration of computer network systems.

The lawsuit was filed in the U.S. District Court for the Western District of Pennsylvania.

Heritage Valley Health System was seeking unspecified punitive and compensatory damages plus legal fees and interest.


Nuance Healthcare was one of several organizations hit by the NotPetya cyberattack that infected a number of industries in the last week of June 2017. The malware attack shut down the company’s operation for more than a month and left providers searching for a new transcription service.

The attack cost Nuance $53 million during the fourth quarter of 2017, and the aftershocks of the incident trickled into 2018.

The health system alleged in the lawsuit that the cyber attack’s success was a result of Nuance's "poor security practices and governance oversight."

It alleges Nuance became a victim of the NotPetya malware attack as a result of its own information security failings. 

As Nuance has expanded globally through acquisitions, the company exposed itself and its customers to increasing cybersecurity risk, the health system argued.

"Nuance did not have the management or funding in place to sufficiently protect against these risks. These business practices combined to make Nuance unprotected against an eminently foreseeable cyberattack," the health system said in the lawsuit.

A forensics analysis from two independent data sources showed that the malware entered Heritage Valley’s computer network systems through a trusted virtual private network connection with Nuance, according to the lawsuit.