Aspen hospital’s payroll struck in ransomware attack

CEO: Employees will still be paid and on time

Despite a ransomware attack that disabled a critical function of Aspen Valley Hospital’s payroll system, employees will still be paid over the holidays and on time, CEO David Ressler said Thursday.

Ultimate Kronos Group — a Massachusetts-based provider of payroll services to hospitals, government entities, educational institutions and large corporations — reported Dec. 11 it had been hacked. In particular, its Kronos Private Cloud, which Aspen Valley Hospital uses, was hit by the attack.

“So far it’s taken an enormous amount of time across the organization on the part of our payroll to manually process 500 or more paychecks,” said Ressler, noting the hospital set up an incident-command team Wednesday as part of “an all-hands-on-deck effort” to address a situation that comes when the holidays are just cranking up.

“We don’t believe that this is coincidental,” Ressler said of the timing of the attack. “We think that is part of this cyberattack: to inflict maximum pain just before Christmas. It’s horrible and it’s purposeful.”

The bottom line for AVH staff, however, will not take a hit because of it, said Ressler, who also emailed AVH employees Wednesday with assurances that the status of their paychecks — which are issued every other Friday — was not in jeopardy.

“We understand the timing of this malicious attack on Kronos is extremely impactful to AVH and to each of you, if not purposeful on the part of the perpetrators,” the email said. “However, we guarantee you will be paid for your time worked.”

The hospital uses Kronos to track, for instance, the hours its employees work, attendance, overtime hours, back pay, and day- and night-shift pay.

“There’s an enormous amount of complexity in the information we provide them,” Ressler said.

Whether they are full-time, part-time or on contract, hospital employees punch in and punch out by scanning their badges on Kronos devices located throughout the facility, and that information is forwarded to AVH’s payroll service, Paylocity, which issues the paychecks.

Yet with Kronos down, the onus is now on employees to manually track their hours and provide them to AVH’s payroll department, which will in turn calculate their pay and forward that information to Paylocity, Ressler said. Employees will receive paper checks or direct deposit as they have in the past, Ressler said. The attack did not compromise the employees’ benefits, nor did it exploit any of their personal data such as Social Security numbers and bank account information, he said.

Yet while regular hours and emergency hours will be paid, employees who are compensated for being on call, for instance, will be compensated through a reconciliation process.

“Our goal is to get paychecks out on Friday (Dec. 24), as they’re expected, with the information that we’re able to process by that time,” Ressler said.

The CEO noted the attack could have taken a larger toll on AVH if the hospital also used Kronos to handle its payroll, in addition to the time and pay it calculates.

“The good news is that it was only time and attendance information,” he said. “There are many employers that use Kronos for their payroll processing, as well.”

As of Thursday, there was no timetable on when Kronos would return to normal.

“While we are working diligently, our Kronos Private Cloud solutions are currently unavailable,” the company said in a blog post Monday. “Given that it may take up to several weeks to restore system availability, we strongly recommend that you evaluate and implement alternative business continuity protocols related to the affected UKG solutions.”

The attack affected approximately 2,000 businesses and organizations, according to the human resources website