Zffoto - stock.adobe.com

Kronos Reaches $6M Settlement Over Ransomware Attack

HR management solutions provider Kronos suffered a ransomware attack on its cloud solution in 2021 that impacted many healthcare organizations.

Kronos, also known as Ultimate Kronos Group (UKG), agreed to pay $6 million to resolve a class action lawsuit over a 2021 data breach. The HR management solutions provider suffered a ransomware attack in December 2021 that impacted Kronos Private Cloud customers across multiple industries, including many in healthcare.

Impacted healthcare organizations struggled with workforce management and payroll services as the recovery process continued well past January 2022, resulting in delayed overtime and holiday pay for some employees.

The class action lawsuit alleged that UKG had failed to implement reasonable cybersecurity procedures to protect against ransomware.

“That breach not only exposed workers’ personal information to cybercriminals, but also crippled timekeeping and payroll systems for millions of employees, resulting in workers who were not paid, paid late, or paid incorrectly,” the complaint stated.

“To compound the matter, the timing of the breach left workers worrying about these financial issues and data concerns in the midst of the holiday season, wondering if they would be able to make ends meet and how long the problem would continue. Those worries proved concrete, as UKG took months to purportedly rectify its security problems.”

The plaintiffs alleged that UKG knew that it was a prime target for hackers, but still failed to prioritize cybersecurity.

To avoid further litigation, UKG agreed to a settlement. Class members who suffered ordinary losses are entitled to up to $1,000 per person. Those who suffered extraordinary losses may receive up to $7,500 per person.

What’s more, UKG agreed to implement updated security measures to harden its systems, including expanding its scanning and monitoring program, deploying additional malware scanning tools, and expanding its cold storage backups.

Additionally, UKG will supplement its internal security operations center monitoring with additional third-party services. All these measures will cost approximately $1.5 million, the settlement stated.

Next Steps

Dig Deeper on Cybersecurity strategies