
After Kronos fallout, Ascension hospital settles wage dispute lawsuit for $19.7M

The Sacred Heart Health System and Ascension Health in Florida settled a wage dispute with employees who were affected by a cyberattack on payroll vendor Kronos in December. ("Cash Money (part two)" by jtyerse is licensed under CC BY-NC-ND 2.0.)

Sacred Heart Health System and Ascension Health in Florida have reached a $19.7 million settlement with a number of employees over several wage disputes, some of which were tied to the Kronos outage in December 2021 and the payroll disruptions that followed.

The proposal includes just $3.74 million for “the Kronos collective” for 100% reimbursement of any underpayments from “the first pay period following the Kronos incident,” voluntarily calculated by the health systems to remediate discrepancies for those allegedly underpaid during three affected pay periods.

“In other words, all of the amounts recovered for the Kronos incident claims are amounts that are in addition to any wages that were owed,” according to the proposed settlement.

Ascension Health and Sacred Heart Health “have produced evidence supporting that with respect to the Kronos incident, they reconciled and paid in the pay period directly following their regained access to the Kronos timekeeping system, all unpaid wages and overtime” pay owed to non-exempt employees impacted by the Kronos incident.

As such, these employees will all receive just $40 each from the Kronos portion of the settlement.

The “extraordinary settlement” primarily includes $16 million for employees and “represents a recovery of approximately 1.24 times the amount of the unpaid overtime compensation” calculated during mediation, “even though defendants claim they are not liable at all.”

Health sector suffered greatest from Kronos attack

The health systems were accused of failing to timely compensate employees on leave during the impacted pay periods due to their “flawed response to the ransomware attack.” The employees were seeking back pay damages plus interest, liquidated damages, litigation costs, and attorneys’ fees. 

The lawsuit was among multiple legal filings against other healthcare providers by employees over the wage disputes in the wake of the Kronos incident that forced many of its clients to manually track and estimate employee hours and issue paper paychecks. 

Fitch Ratings noted healthcare would see the greatest impacts from the Kronos cyberattack given the popularity of the vendor. Soon after the outage, the impact became clear as employees from about a dozen health systems reported pay discrepancies due to the manual reporting mechanisms used in response. 

The lawsuits soon followed, including one against Scripps Health alleging that its “workers who weren’t exempt from overtime requirements under federal and state law, weren’t paid for all overtime hours worked or paid their proper overtime premium after the onset of the Kronos hack.”

Similar allegations were made against Sacred Heart and Ascension, which were accused of “knowing and willful failure to pay their hourly employees — frontline healthcare workers who continue to face heightened risks as we enter the third year of the COVID-19 pandemic — for all hours worked, including overtime, as required by” Florida law.

Many of the allegations stem from the launch of special pay programs to provide “incentive bonuses to non-exempt healthcare employees for working extra shifts during periods of critical staffing shortages due to the ongoing COVID-19 pandemic.” Those bonuses were meant to be continuous and iterative to reflect the ebb and flow of hospitalizations and related staffing.

The nurse behind the suit claimed that despite an expectation they’d receive the bonuses following completion of extra shifts, this did not occur. 

Further, during and directly following the Kronos outage, due to the health systems’ “flawed solution of copying prior paystubs without accounting for actual hours worked, the wages [employees] earned from the pay period in which the ransomware attack occurred until the present were not paid and have yet to be paid since they were assumed to be zero.”

The proposed settlement applies to all current and former non-exempt employees who worked more than 40 hours in any workweek and who were not paid the proper overtime rate, and all current and former non-exempt employees who received underpaid reconciliation payments during the Kronos outage. The suit estimates this includes more than 57,000 employees.

Those funds will include attorneys’ fees “of up to one-third” of the total settlement amount and reimbursement of the counsel’s “reasonable out-of-pocket costs in an amount up to $10,000.”

The lawsuit is one of the first to be settled in the ongoing Kronos fallout. As previously reported, these payroll issues and legal filings should serve as a warning to other healthcare entities to ensure continuity and alternative plans for all business operations, prioritizing services for necessary functions, including payroll.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
