Scripps Health Faces Lawsuit Over Kronos Data Breach

March 24, 2022 - Employees proposed a class-action lawsuit against Scripps Health, alleging that the San Diego health system failed to accurately log employee hours in the aftermath of the Kronos data breach in December.

On March 15, NBC San Diego reported that Scripps Health nurses were finally receiving checks for overtime hours worked months ago. The report said that it would be months before the employees would be paid in full for hours they worked in December and January.

Kronos, an HR management solutions provider, fell victim to a ransomware attack on December 11 that impacted Kronos Private Cloud customers across multiple industries. UMass Memorial Health, Allegheny Health Network, Care New England, Ascension St. Vincent Hospital, and many other healthcare organizations found themselves implicated in the breach.

“Scripps could have easily implemented a system to accurately record time and properly pay hourly and non-exempt employees until issues related to the hack were resolved. But it didn’t,” the lawsuit stated.

“Instead, Scripps did not pay its non-exempt hourly and salaried employees their full overtime premium for all overtime hours worked, as required by federal and California law. Scripps pushed the cost of the Kronos hack onto the most economically vulnerable people in its workforce.”

Plaintiffs Michelle Franklin and Irene Gamboa alleged that they were not only victims of the Kronos data breach, but of Scripps’ failure to ensure that its workers were paid in a timely manner. The lawsuit claimed that this failure was a violation of the Fair Labor Standards Act.

Franklin, Gamboa, and many other Scripps employees are non-exempt hourly or salaried workers, the lawsuit explained. But the Kronos breach interfered with Scripps’ ability to reliably track hours.  

“Instead, Scripps has used various methods to estimate the number of hours Franklin, Gamboa, and Similarly Situated Workers work in each pay period. For example, Scripps issued paychecks based on their scheduled hours, or simply duplicated paychecks from pay periods prior to the Kronos hack,” the filing alleged.

“This means that employees who were non-exempt and who worked overtime were in many cases paid less than the hours they worked in the workweek, including overtime hours. Even if certain overtime hours were paid, the pay rate would be less than the full overtime premium”

The lawsuit alleged that Scripps could have implemented “any number of methods” to accurately pay its employees, but it instead relied on estimates and arbitrary calculations.

“Franklin, Gamboa, and the Similarly Situated Workers remain uncompensated for the wages and other damages owed by Scripps under federal and California law,” the lawsuit said.

In a March 4 update, Kronos said that its forensic investigation was completed. Only two Kronos customers faced data exfiltration as a result of the incident.

However, the lasting effects of the breach are not yet known. At the very least, the Kronos breach exemplified the dangers of business associate data breaches. Threat actors are increasingly targeting business associates, likely because they can gain access to multiple organizations’ data with just one successful cyberattack.

The Kaseya ransomware attack in July 2021 validated the tactic when threat actors gained access to Kaseya’s systems and paralyzed more than a thousand organizations.

Healthcare organizations should monitor their networks closely and establish thorough business associate agreements in order to mitigate risk.