Cyberattack on payroll vendor Kronos disrupting healthcare workforce paychecks

Ascension St. Vincent is among the healthcare entities impacted by the ongoing network outage at payroll vendor Kronos, brought on by a cyberattack. (Photo by Cliff Hawkins/Getty Images)

The ongoing ransomware attack on HR and payroll vendor Kronos, and the recovery efforts that followed, are affecting payroll services at some health systems, including reduced paychecks for some healthcare employees, according to local news reports. The human resource and payroll vendor is widely used across the healthcare sector.

On Dec. 13, Kronos began notifying its clients that it was facing the impacts of a ransomware attack on its private cloud platform, which hosts the vendor’s Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling solutions. The attack left those platforms unavailable, while Kronos worked to restore system availability for clients.

Companies have been forced to manually track and estimate employee hours, in addition to issuing employees paper checks. On Dec. 21, Fitch Ratings noted the incident could possibly result in paycheck delays and determined healthcare would be most impacted by the Kronos disruption, given the widespread use of Kronos for payroll and workforce solutions across the sector.

Local news outlets are reporting just that: some healthcare employees are finding discrepancies in their paychecks. Penn Highlands Healthcare has been providing regular updates on how the Kronos attack is affecting its payroll. In short, the time and attendance system outage will continue to impact payroll until the system is restored to full function.

Kronos has not provided an updated timeframe for when that might occur. And the vendor can’t advise clients on when the system will be operational again “since each of their thousands of clients must be reactivated individually,” Penn Highlands officials explained.

Penn Highlands employees are manually keeping track of their hours, then manually submitting them to supervisors. The outage is also causing delays with accruals. Employees have also been notified that those who are under- or overpaid will have their pay adjusted when Kronos goes back online.

The University of Missouri Health Care has been facing similar issues. According to ABC KHQA in Columbia, Missouri, MU Health employees have been unable to clock their hours with the Kronos platform for a number of weeks, which has resulted in paychecks that don’t include their full hours.

Some employees reported their paychecks only included half of their normal amount, with others finding even greater discrepancies. Not all hourly employees have been affected, but all workforce members have been encouraged to report issues to their supervisors.

The hospital’s support team has been steadily working on the issue, and monetary issues will be rectified within a few days. A spokesperson explained they’re working to develop an alternative timekeeping system that cuts down on manual data entry and reduces similar issues.

Other healthcare entities have also been impacted, including Baptist Health, Monument Health, the University of Florida Health, OhioHealth, and Ascension St. Vincent. Monument Health was forced to manually reconstruct shift schedules to ensure the health system could continue operating its care services without interruption.

This week, Care New England reported that the cyberattack forced the health system to pay its 8,000 employees manually. The checks did not include overtime and holiday pay to ensure all workforce members were paid.

UF Health employees have reported similar paycheck issues to those disclosed by MU Health and Care New England.

“Kronos (not clients like us) is still trying to figure out the cloud issue but in the meantime the hospital is keeping track of all hours worked and is paying employees for all overtime, shift differential, etc., as soon as possible,” according to UF Health. Until then, delays should be expected as timesheets are being filled out manually, “but every employee will be paid for all hours worked.”

Other Kronos clients are reporting that some data was potentially accessed as a result of the attack, including the City of Cleveland.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
