Cheyenne Regional payroll impacted by ransomware attack

·7 min read

Mar. 27—CHEYENNE — More than 2,000 employees were affected when the software that Cheyenne Regional Medical Center and its overall health system uses for timekeeping and processing payroll was targeted by a larger scale phishing ransomware attack, the Wyoming Tribune Eagle has learned.

This incident apparently upset some CRMC employees, and it caused some to be overpaid and to have to later reimburse their employer for money they were incorrectly paid that was not really owed to the staffers. Others meanwhile were underpaid, and the hospital was making good on their full paychecks. Some of the systems that CRMC uses for human resources and related issues were down for several months, as the software vendor worked to fully fix all of its systems.

Software company Kronos' workforce management system, Kronos Private Cloud, went down on Dec. 11. This KPC outage affected 15,000 employers in the U.S. and worldwide, according to a written statement from Cheyenne Regional's Joanna Vilos, its chief human resources officer.

After the payroll software the health system relies on went dark, multiple departments "worked tirelessly to manually input data and ensure that our employees would continue to receive a paycheck," Cheyenne Regional said in a previous statement.

"Cheyenne Regional wants to thank everyone in these departments for all they've done to work through this difficult situation. We also want to thank our employees for their patience and understanding during this time," the statement continued.

While Kronos was down, Vilos said, the health system's payroll department manually processed paychecks for its employees over five pay cycles.

Kronos again became fully functional in early March, the statement said. When Cheyenne Regional could access the payroll system, it "immediately began reconciling all employees' paychecks," Vilos said.

Vilos said about 55% of employees were overpaid, while about 45% were underpaid.

"Cheyenne Regional has corrected all the underpayments, and employees have been given several payback options to correct the overpayments, including repaying Cheyenne Regional over an extended period of time," she continued. "We believe our system has been restored to accuracy for purposes of benefits, taxes and overall compensation, but we encourage employees to schedule an appointment with our payroll team if they have any questions or concerns about their payroll information."

No personal employee information was compromised in the attack, Vilos said, thanks to CRMC's "robust set of policies and practices against cyberattacks."

"We are committed to doing all we can to prevent this from happening again," the health system's statement said.

Ransomware

Vilos wrote that it was Cheyenne Regional's understanding that Kronos has "worked diligently to further augment their security."

In an update earlier this month to a website about the ransomware incident, Kronos said that "the first phase of our restoration process was completed on January 22." This restored to customers (such as the local hospital system) the "core functionality — namely, time, scheduling, and HR/payroll capabilities," according to the company. "Since that time, our team has been diligently focused on restoring the additional applications that some of our KPC customers use."

In an email to the WTE Saturday, a spokesperson for UKG, which appears to be the owner of Kronos, noted that the core functionality had indeed been restored by Jan. 22. "In light of the global pandemic, we had specialist teams dedicated to healthcare, first responders, and similar customers," per the representative. "Since the incident occurred, we have focused on communicating with all of our customers in a transparent, timely manner."

Cheyenne Regional did not respond to a question about whether any employees had threatened legal action because of over- or underpayments. UKG/Kronos did not address specific questions about CRMC that were sent to Kronos.

At least two health systems, Scripps Health in San Diego and UMass Memorial in Massachusetts, are facing lawsuits related to the Kronos attack.

Phishing is when a perpetrator uses an email or text message to trick someone into revealing sensitive information, or to click on a link or open an attachment that can deploy malicious software, such as ransomware.

Ransomware attacks are "pretty common," said Mike Borowczak, director of the University of Wyoming's Cybersecurity Education and Research Center.

Borowczak said the goal of ransomware attacks are usually to collect a ransom by taking down a system.

"The idea is, if I'm an attacker, I'm going to get into your system somehow, I'm going to do something malicious that is reversible, but makes it impossible for you to do your job or to provide the service you normally provide," he said.

If the victim of the attack pays the requested money, the perpetrator may give that person or organization the tools to reverse the damage or unlock affected systems.

"They're holding your information, your data, your systems hostage for capital gain," Borowczak said.

Although ransomware attacks can be perpetrated by anyone, attacks on large operations are typically conducted by organized crime groups or, in some cases, heavily sanctioned nation states that need a way to make money, the cybersecurity expert said.

Kronos said in early March that its investigation had been completed, but the source of the attack was unclear.

Risk

Third-party payroll systems are convenient for many companies. Paying for these services, which operate through the internet and on the payroll management company's servers, means businesses don't have to have special equipment within their own facilities to take care of payroll and timekeeping, Borowczak said.

But online systems pose an inherent risk — one demonstrated by the recent attack on Kronos.

Kronos handles "a massive percentage of corporate payroll management systems," Borowczak said. According to NPR, about 8 million total employees were affected, including big companies like FedEx, PepsiCo and Amazon's Whole Foods, as well as some public employers.

Although a ransomware attack was the cause of the recent Kronos outage, the cybersecurity expert said it's just one of many things that could cause such a system to go down for an extended period.

Many organizations can't incur the cost of having duplicate systems for things like payroll, Borowczak said. When such a vital service is taken offline, most companies have to revert to manually managing timekeeping and employee paychecks.

"The ultimate concern here is that the hospital and many others relied on a cloud service that became unavailable," he said. "There's a lot of different reasons why service can be disrupted. (What matters is how) you respond to that disruption as the end company that is utilizing a cloud service, or any service that's remote."

Chief Human Resources Officer Vilos said Kronos notified Cheyenne Regional "promptly" of the ransomware attack and the resulting outage of its payroll and timekeeping services. She said employees were then notified that it could remain inaccessible for "several weeks," and that "we would be initiating our contingency plan to ensure employees would continue to be paid."

Cheyenne Regional does have cyber insurance, Vilos said. However, this insurance could only be used if the hospital was the direct target of an attack, rather than a secondary victim because an external service — in this case, Kronos — was targeted.

Eric Boley, president of the Wyoming Hospital Association, said he was not aware of any other medical facilities in the state having been affected by the Kronos hack. Other hospitals have fallen victim to ransomware and phishing attacks in the past few years, he said, but to his knowledge, "this is the first type of attack on this particular type of software."

While Kronos holds some responsibility for not being able to offer their promised services, the ultimate responsibility of continuing payroll functions in these situations falls to the employer, Borowczak said.

According to Boley, medical facilities around the state use "all types of cybersecurity safeguards." But "attacks continue to come daily," he said.

"We hear from the feds that it is not an issue of if a facility will be attacked," Boley said, "but when."

Hannah Black is the Wyoming Tribune Eagle's criminal justice reporter. She can be reached at hblack@wyomingnews.com or 307-633-3128. Follow her on Twitter at @hannahcblack.