It’s been a problem plaguing companies nationwide - hackers taking control of payroll systems, holding them hostage until the victim pays up.
On December 11, 2021, Ultimate Kronos Group, one of the largest human resources companies in the country, was the target of a ransomware attack. On December 12, UMass Memorial Health found out they were one of the victims.
Sergio Melgar, the hospital’s chief financial officer, told NBC10 Boston that in his 40 years of working in health care, this is the most devastating payroll attack he’s ever seen.
It crippled their entire system, including payroll, paid time off and schedules. Every employee was impacted by this, but hourly employees may have taken the hardest hit.
Michelle, a registered nurse at UMass Memorial, reached out to the NBC10 investigators.
"I'm getting paid zero dollars for hours worked now," she said.
She’s one of thousands in the UMass system not getting the correct pay. The hospital said once the attack happened, they resorted to a “clone pay period,” meaning whatever hours employees worked one week before the attack is what they are currently being paid.
"So if we were on vacation that particular week that they chose or we were sick… then all the checks that we have gotten since are less than what we would normally get paid," said Vicki Walking, a registered nurse at UMass.
Same goes for those who made more money than they typically would.
"They're still getting paid that, but now they're going to have to pay the hospital back," explained Michelle.
UMass Memorial CEO and President Dr. Eric Dickson said they are working to correct the payroll issues and have asked all staff to report any discrepancies in pay.
Dickson told our partners at Spectrum News, "I’m so sorry that this is happening, and we will make sure that you are getting paid appropriately."
But according to Michelle, even after filling out the proper paperwork, her checks are still wrong.
"I'm not getting anything and then I have to fight to get at least some of my hours," she said.
Michelle shared a recent paycheck with the NBC10 Investigators, which shows that for 48 hours worked, she received zero dollars.
"I have been reimbursed some of the money, but they still owe me tons of money… they're saying, 'oh, we'll reimburse late fees or reimburse, you know, overdraft fees,' but that's not even the real issue. The real issue is what's going to affect people's credit scores now, how are you going to be able to help them with that? You can't."
Another nurse, who wishes to remain anonymous, told NBC10 Boston the hospital paid her a bonus of $150. But after taxes, that number drops down closer to only about $50 – which she says just barely covers her gas to get to work. After coming back from maternity leave, she said this feels like a slap in the face.
A group of nurses are now seeking compensation under the Massachusetts Wage Act. They filed a lawsuit against the hospital this week.
UMass Memorial was not the only hospital impacted by the Kronos ransomware attack. The hospital’s CFO says he spoke with several other hospitals who went through the same experience. At UMass Memorial, the cyber thieves even compromised their backup plans.
"That's how sophisticated these cyber pirates were… They went through and wiped out everybody at once so that it became essentially, there's no way you get out of this unless you pay the ransom," said Melgar.
UMass told NBC10 Boston that Kronos paid the ransom to get control of their systems. When we asked how much, they sent us this statement: "UKG recently became aware of a ransomware incident that has disrupted the Kronos Private Cloud, which houses solutions used by a limited number of our customers. We took immediate action to investigate and mitigate the issue, have alerted our affected customers and informed the authorities, and are working with leading cybersecurity experts. We recognize the seriousness of the issue and have mobilized all available resources to support our customers and are working diligently to restore the affected services."
Sam Curry, chief security officer at Cybereason, said this type of attack is not unusual; it’s happening worldwide – and now’s the time to get ready.
"There are detection solutions and prevention solutions that can help to stop this or catch it very early. And then there are things you can do to make sure that you bounce back fast, that you're resilient, that you're able to get back up and running very quickly, and that you don't have to bow down to these criminals," said Curry.
The Massachusetts Nurses Association confirmed that nurses at UMass Memorial, along with nurses at other hospitals, have been impacted by this attack. In a statement, the MNA said, “It is having a very negative effect on our members at a time when they are already under tremendous pressure and stress during yet another surge in the pandemic. Some of our members have been overpaid, some have been underpaid and some have received $0 paychecks. UMass administration has been in contact with us from the very onset of this attack and stated that they are committed to ensuring every nurse is made whole and has been working to make sure those most impacted have their situation addressed first.
However, the process of making sure nurses’ pay is corrected needs to happen faster and we have just filed a grievance about this process to move the administration to do everything they can to speed up the process. We are also pursuing a complaint through the office of the attorney general to ensure the employer meets its legal obligation under wage and hour laws.
While we recognize they are not responsible for the attack, they are responsible for ensuring nurses and the rest of the frontline caregivers impacted by this situation will not suffer additional hardship as they battle another wave of the pandemic."
The hospital told NBC10 they have an entire team dedicated to fixing this problem.
"We certainly don't think this is the employees' fault. It's certainly not our fault, but we're going to do whatever we can to make sure employees are not harmed as a result of this," said Melgar.
But nurses like Michelle still want answers.
"No one wants to pick up shifts because as much as we're saying, 'Oh yeah, we'll get reimbursed,' it's like when? No one wants to work for free, especially in a pandemic," she said.
On January 19, UMass Memorial told NBC10 their software has been tested and is now working – which means paychecks should reflect accurate pay for time worked. As for any errors in previous paychecks, that could take months to correct.