Kronos ransomware attack affects timekeeping at 3 area hospitals

Silver Cross Hospital in New Lenox, Morris Hospital and St. Joe’s in Joliet use the Kronos system

AMITA Health Saint Joseph Medical Center Joliet

A company that three local hospitals use for timekeeping and payroll was a victim of a ransomware attack over the weekend and it may affect how employees at one of the hospitals get paid.

Silver Cross Hospital in New Lenox, Morris Hospital and AMITA Health, which includes AMITA Health Saint Joseph Medical Center in Joliet, uses a system from Ultimate Kronos Group for its timekeeping and payroll.

Edward Hospital in Naperville uses another system, according to Keith Hartenberger, systems director and public relations for Edward-Elmhurst Health.

Bob Hughes, UKG executive vice president, said in a written statement on the UKG website, that restoring the system could take several weeks and that companies should “evaluate and implement alternative business continuity protocols related to the affected UKG solutions.”

Pat Meade, a board member of the St. Joseph Nurses Association, which represents union nurses at the Joliet hospital, said communication initially from St. Joe’s was vague and that Kronos had “an unscheduled downtime situation” and that staff should “utilize downtime procedures.”

“Like paper,” Meade said.

Meade said associates were later told to manually keep track of hours worked, perhaps using Microsoft Excel. UKG also recommended manual time collection in the interim on its website on Dec. 14.

Timothy Nelson, system director, communications and media relations for AMITA Health, confirmed Kronos is the vendor for timekeeping for all AMITA Health associates and the ransomware has impacted the health care system.

“We understand the vendor is working around the clock to resolve the issues and are providing internal updates as we receive them from the vendor,” Nelson said in the statement, later adding that staff will receive their paychecks on time.

But Meade said communication from the union said full-time and part-time nurses will be paid at their base rate and nurses who work on an as needed basis will be paid based on the previous pay period.

Meade said that’s unacceptable, especially for nurses who work on COVID units and nurses who worked extra shifts to cover the nursing shortage.

“It’s Christmas and these people aren’t getting their [full] paychecks,” Meade said. “Some people live paycheck to paycheck. They need their money. They need to make it happen. And not, ‘Oh, whatever the base pay is.’”

Making up the full amount on a later check is also unacceptable since Meade fears it will push the total amount into a higher tax bracket.

“If I work a two-week period and I work over, I want my money,” Meade said. “I don’t want it doubled up.”

Meade cannot understand why St. Joe’s doesn’t have timekeeping and payroll information backed up. And Meade is worried that banking information is now also compromised.

“You’re a billion dollar company and you tell me you can’t protect your data, your information?” Meade said. “And everything comes to a grinding halt? And they don’t know how long this is going to be? No date or knowing how they’re going to fix it?”

The Kronos ransomware attack had a “significant impact” at Morris Hospital, too, but the hospital fully intends to process its payroll on schedule next week, Janet Long, public relations manager at Morris Hospital, said in a written statement.

“We are currently implementing downtime procedures utilizing an alternate timekeeping process that was developed internally,” Long said in the statement. “We’re grateful for the skill and talent on our team that gives us an alternate solution.”

Deb Robbins, director of marketing and communications for Silver Cross, also confirmed in a written statement that Silver Cross uses Kronos.

“We’ve been updating our employees and are working diligently to ensure they receive their regularly scheduled paychecks,” Robbins said in the statement.

In a written statement on the UKG website, Bob Hughes, UKG executive vice president, said UKG noticed the unusual activity late on Saturday and determined a ransomware incident was affecting the Kronos Private Cloud. This includes UKG Workforce Central, UKG TeleStaff, Healthcare Extensions and Banking Scheduling Solutions.

“We are working with leading cyber security experts to assess and resolve the situation, and have notified the authorities,” Hughes said on the website. “The investigation remains ongoing, as we work to determine the nature and scope of the incident.”