Cheyenne area payroll hit by ransomware attack | Local News

CHEYENNE – More than 2,000 employees were affected when software used by the Cheyenne Regional Medical Center and its global health system for timekeeping and payroll processing was targeted by a phishing ransomware attack over large scale, the Wyoming Tribune Eagle has learned.

This incident apparently angered some CRMC employees, and it caused some to be overpaid and later have to reimburse their employer for money they had been wrongly paid that was not really due to staff members. Meanwhile, others were underpaid and the hospital was paying their paychecks in full. Some of the systems that CRMC uses for human resources and related issues have been down for several months as the software vendor worked to completely fix all of its systems.

Software company Kronos’ workforce management system, Kronos Private Cloud, crashed on December 11. This KPC outage affected 15,000 employers in the United States and around the world, according to a written statement from Joanna Vilos of Cheyenne Regional, its director of human resources.

After the payroll software that the health care system relies on shut down, multiple departments “worked tirelessly to manually enter data and ensure that our employees would continue to receive a paycheck,” Cheyenne Regional said in a statement. a previous press release.

“Cheyenne Regional would like to thank everyone in these departments for all they have done to overcome this difficult situation. We would also like to thank our employees for their patience and understanding during this time,” the statement continued.

While Kronos was down, Vilos said, the healthcare system’s payroll department manually processed its employees’ paychecks over five pay cycles.

Kronos became fully functional again in early March, according to the release. When Cheyenne Regional was able to access the payroll system, it “immediately began reconciling all employees’ paychecks,” Vilos said.

Vilos said about 55% of employees were overpaid, while about 45% were underpaid.

“Cheyenne Regional corrected all underpayments, and employees were given multiple refund options to correct overpayments, including refunding Cheyenne Regional over an extended period,” she continued. “We believe our system has been restored accurately for benefits, tax and total compensation purposes, but we encourage employees to schedule an appointment with our payroll team if they have any questions or concerns. concerns about their payroll information.”

No employee personal information was compromised in the attack, Vilos said, thanks to CRMC’s “robust set of cyberattack policies and practices.”

“We are committed to doing everything we can to prevent this from happening again,” the health system statement read.


Vilos wrote that Cheyenne Regional understood that Kronos had “worked diligently to further strengthen their security.”

In an update earlier this month on a website regarding the ransomware incident, Kronos said “the first phase of our restoration process was completed on January 22.” This gave customers (such as the local hospital system) back the “basic functionality — namely, time, scheduling, and HR/payroll capabilities,” according to the company. “Since that time, our team has been diligently focused on restoring additional applications that some of our KPC customers use.”

In an email to the WTE on Saturday, a spokesperson for UKG, which appears to be the owner of Kronos, noted that basic functionality had indeed been restored on January 22. “In light of the global pandemic, we had specialist teams dedicated to healthcare, first responders and similar clients,” according to the rep. “Since the incident occurred, we have been focused on communicating with all of our customers in a transparent and timely manner.”

Cheyenne Regional did not respond to questions about whether any employees had threatened legal action over overpayments or underpayments. UKG/Kronos did not respond to specific questions about CRMC that were sent to Kronos.

At least two health systems, Scripps Health in San Diego and UMass Memorial in Massachusetts, are facing lawsuits related to the Kronos attack.

Phishing occurs when a perpetrator uses an email or text message to trick someone into revealing sensitive information, or clicking on a link or opening an attachment that can deploy malicious software, such as a Ransomware.

Ransomware attacks are “pretty common,” said Mike Borowczak, director of the Cybersecurity Education and Research Center at the University of Wyoming.

Borowczak said the goal of ransomware attacks is usually to collect a ransom by destroying a system.

“The idea is that if I’m an attacker, I’m going to get into your system somehow, I’m going to do something malicious that’s reversible, but that prevents you from doing your job or providing the service you normally provide,” he said.

If the attack victim pays the requested money, the perpetrator can give that person or organization the tools to repair the damage or unlock the affected systems.

“They are holding your information, your data, your systems hostage for capital gain,” Borowczak said.

While ransomware attacks can be perpetrated by anyone, attacks on large operations are typically carried out by organized crime groups or, in some cases, heavily sanctioned nation states that need a way to win. money, said the cybersecurity expert.

Kronos said in early March that its investigation was complete, but the source of the attack was unclear.


Third-party payroll systems are convenient for many businesses. Paying for these services, which run over the Internet and on the payroll company’s servers, means companies don’t need special equipment in their own facilities to handle payroll and time management, Borowczak said.

But online systems have inherent risk, as the recent attack on Kronos demonstrated.

Kronos manages “a massive percentage of enterprise payroll systems,” Borowczak said. According to NPR, about 8 million total employees have been affected, including large companies like FedEx, PepsiCo and Amazon’s Whole Foods, as well as some public employers.

Although a ransomware attack was the cause of Kronos’ recent outage, the cybersecurity expert said it was just one of many things that could cause such a system to go down for an extended period of time. .

Many organizations can’t afford the cost of having duplicate systems for things like payroll, Borowczak said. When such a vital service is taken offline, most companies have to revert to manually managing employee timekeeping and paychecks.

“The ultimate concern here is that the hospital and many others have relied on a cloud service that has become unavailable,” he said. “There are many different reasons why service may be interrupted. (What matters is how) you respond to this disruption as an end business that uses a cloud service or any remote service.

Human Resources Director Vilos said Kronos notified Cheyenne Regional “promptly” of the ransomware attack and resulting outage to its payroll and timekeeping services. She said employees were then told it could remain unreachable for “several weeks” and that “we would initiate our contingency plan to ensure employees would continue to be paid”.

Cheyenne Regional has cyber insurance, Vilos said. However, this insurance could only be used if the hospital was the direct target of an attack, rather than a secondary victim because an external service – in this case, Kronos – was targeted.

Eric Boley, president of the Wyoming Hospital Association, said he was not aware of any other medical facilities in the state that were affected by the Kronos hack. Other hospitals have been victims of ransomware and phishing attacks in recent years, he said, but to his knowledge, “this is the first type of attack against this particular type of software. “.

While Kronos is partly responsible for not being able to deliver promised services, the ultimate responsibility for continuing payroll functions in these situations rests with the employer, Borowczak said.

According to Boley, state medical facilities use “all types of cyber security safeguards.” But “attacks continue to happen on a daily basis,” he said.

“We’re learning from federal authorities that it’s not a question of if a facility will be attacked,” Boley said, “but when.”

About Yvonne Lozier

Check Also

OSU Wexner Medical Center to Provide Services to Future Hilliard Community Center

Nearly a year in the making, the collaboration between The Ohio State University Wexner Medical …