Scripps Health sued over ongoing payroll disruption claims, as Kronos fallout continues

Certain Scripps Health employees have sued the California health system over alleged payroll discrepancies caused by disruptions after the months-long outage at Kronos, the payroll and HR vendor. (Photo credit: “Emergency Sign” by Open Grid Scheduler / Grid Engine is marked with CC0 1.0)

Scripps Health is facing a class-action lawsuit filed by employees impacted by the Kronos outages and subsequent payroll disruptions. The San Diego-based health system joins a growing list of providers facing similar legal filings, spurred by the fallout from the December ransomware attack.

In a lawsuit filed this week in the U.S. District Court of Southern California, Michelle Franklin, Irene Gamboa, and other employees are suing Scripps Health for damages caused by alleged failures to pay overtime compensation, pay wages, and keep records, among other payroll discrepancies.

The legal filing stems from the extended network outages at HR and payroll vendor Kronos, following the deployment of a ransomware attack on Dec. 13. Kronos quickly informed its clients that its private cloud platform was forced offline by the attack, as it worked to recover the affected systems.

The outage lasted for several months, prompting stakeholders to share concerns that healthcare’s hourly employees would be most impacted by the outage. The incident was a topic of discussion at ViVE, where healthcare leaders called on providers to strengthen business continuity to prevent similar disruptions to operations. The Scripps lawsuit appears to confirm those suspicions.

As previously reported, the Kronos outage forced many clients to manually track and estimate employee hours and issue paper paychecks. Fitch Ratings reported that healthcare would be the most impacted by the outage, given the popularity of Kronos for payroll services in the sector.

And by early January, the impact became clear when employees from approximately a dozen health systems reported discrepancies in their paychecks due to the manual reporting mechanisms.

In early March, the lawsuits began trickling in, with clients and individuals suing Kronos over the attack, followed by employees suing their employers for improper pay, failure to timely pay employees, and other payroll issues.

The multiple lawsuits filed against Kronos allege the cyberattack was brought on by inadequate security measures, which resulted in the exposure of employees’ personal data and incorrect or incomplete pay. 

One lawsuit filed by Adam Bente in the Southern District of California asserts the outage “could not have come at a worse time, leaving many employees to worry over their privacy and paychecks during the peak of the holiday season” as well as the latest surge of the COVID-19 pandemic.

Bente is an employee of Family Health Centers of San Diego (FHCSD), where the outage allegedly caused delayed paychecks for “all employees” and “forced employees to find alternative sources of income to pay their bills, mortgages, and necessities.”

“Even after FHCSD got around to distributing paychecks to its employees, many employees were either paid inaccurately and/or not at all,” the lawsuit argues. Despite these allegations, FHCSD is not named in the suit.

For the healthcare sector, additional lawsuits have been filed against Centene (a healthcare insurance giant), MultiCare (filed by several healthcare and nurse unions), University of Massachusetts Memorial Medical Center, and others.

Employee allegations against Scripps Health

The lawsuit against Scripps Health is the latest legal filing in the Kronos fallout, continuing to shed light on business impacts brought on by cyberattacks and gaps in business continuity processes.

According to the filing, Scripps was among the U.S. companies that faced disruptions to timekeeping and payroll systems due to the Kronos incident. The outage caused timekeeping and payroll challenges throughout Scripps.

Specifically, “Scripps’ workers who were not exempt from the overtime requirements under federal and state law, were not paid for all overtime hours worked or were not paid their proper overtime premium after the onset of the Kronos hack.”

“Michelle Franklin and Irene Gamboa are both such Scripps workers,” the lawsuit continues. “Scripps could have easily implemented a system to accurately record time and properly pay hourly and non-exempt employees until issues related to the hack were resolved, but it didn’t.”

The lawsuit claims that Scripps didn’t pay its non-exempt hourly and salaried employees the complete overtime premium for all hours worked, which is required by federal and state laws. In detail, the employees claim that the health system hasn’t kept accurate track of employee hours.

Instead, Scripps issued paychecks based on the hours scheduled, “or simply duplicated paychecks from pay periods prior to the Kronos hack. This means that employees who were non-exempt and who worked overtime were in many cases paid less than the hours they worked in the workweek, including overtime hours.”

“Even if certain overtime hours were paid, the pay rate would be less than the full overtime premium,” the lawsuit argues. “Instead of paying Franklin and Gamboa for the hours they actually worked (including overtime hours), Scripps simply paid based on estimates of time or pay, or based upon arbitrary calculations and considerations other than…actual hours worked.” 

The employees allege they were only paid portions of their overtime hours worked and that the rate of pay was not properly calculated for the “overtime premium of at least 1.5 or 2 times the regular rate of pay, including required adjustments for shift differentials and non-discretionary bonuses.”

The lawsuit explains that Scripps is aware of these calculations, as employees were paid accordingly prior to the Kronos outage. Instead, the outage resulted in Scripps “arbitrarily paying” employees, without calculating overtime pay.

“It was feasible for Scripps to have its employees and managers report accurate hours so they could be paid the full and correct amounts of money they were owed for the work they did for the company. But it didn’t do that,” the lawsuit argues.

In short, “Scripps pushed the cost of the Kronos hack onto the most economically vulnerable people in its workforce.” The employees argue that the health system made the “economic burden of the Kronos hack fall on front-line workers — average Americans — who rely on the full and timely payment of their wages to make ends meet.”

The employees claim that these payroll discrepancies have continued since the outage, further alleging that they’ve still not been paid for their actual hours worked nor have their hours been accurately recorded.

These alleged failures resulted in violations of several state and federal laws, including the Fair Labor Standards Act. The lawsuit is seeking to recover unpaid overtime wages and other damages allegedly owed by Scripps, as the impacted frontline workers were “the ultimate victims of… the Kronos hack.”

“At the time Scripps failed to pay [employees] in full for their overtime hours by their regular paydays, Scripps became liable for all prejudgment interest, liquidated damages, penalties, and any other damages owed under federal and California law,” according to the suit.

“In other words, there is no distinction between late payment and nonpayment of wages under federal or California law,” it continues. “Even if Scripps made any untimely payment of unpaid wages due and owing to [employees], any alleged payment was not supervised by the Department of Labor or any court.”

It’s been a year of challenges for Scripps, beginning with a monthlong outage and data theft incident caused by a ransomware attack launched in May 2021. The attack caused more than $112.7 million in estimated revenue loss and incremental expenses. The health system is currently defending itself against a breach-related lawsuit, filed by patients in the wake of the attack.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
