Recent legal filings from payroll provider UKG suggest the company is in the process of settling at least a portion of the lawsuits filed by workers who were affected by the company’s 2021 ransomware attack and subsequent outage.
In a filing Thursday in the U.S. District Court for the District of Massachusetts, attorneys for UKG and subsidiary Kronos notified parties to a class-action suit brought by employees at UMass Memorial Medical Center, Pallotta v. University of Massachusetts Memorial Center, et al., that UKG had agreed to settle a separate California case also involving claims based on the outage.
UKG said it executed a settlement agreement and release Wednesday in the California case, In re UKG Inc. Cybersecurity Litigation, which sits before the U.S. District Court for the Northern District of California. On March 23, the federal judge in the California case set an April 28, 2023, deadline for parties to submit a motion for preliminary approval of the settlement agreement in that case.
The claims made by employees in In re UKG “overlap with many of the claims made in [Pallotta],” UKG said in the Thursday filing. The company added that it would submit a copy of the agreement to the Pallotta court once parties to the California case filed the motion for preliminary approval.
According to the complaint in Pallotta, UMass Memorial instituted a “payment freeze” for all hourly employees in the days following an outage to Kronos Private Cloud, a UKG product that the health system used to conduct its payroll. The freeze set wages for the pay periods that followed the outage arbitrarily to the period prior to the freeze, with limited exceptions, plaintiffs claimed.
The plaintiffs alleged that UMass Memorial failed to pay them the full amount of their owed wages in a timely fashion, and that UMass Memorial and UKG’s Kronos were jointly responsible for ensuring that they were properly paid each pay period. Additionally, the plaintiffs alleged the breach gave criminals access to their personally identifiable information and that the defendants thereby put them at risk of identity theft, financial fraud and other harms.
In a previous interview with HR Dive, a UMass Memorial executive confirmed that the Kronos outage disrupted the health system’s payroll and timekeeping systems for more than one month, forcing it to rely on backup timekeeping methods and duplicate the last finished payroll it had on record before services were completely restored in February 2022.
The workers’ lawsuit demanded $5 million, but the settlement details were not revealed in last week’s filings.
Since the outage’s resolution, a number of lawsuits have been filed against UKG and employers who used its Kronos Private Cloud product alleging wage and hour violations.
In one July 2022 class and collective action filing, a former employee of West Virginia University Medical alleged that WVU Medical failed to pay employees for hours worked, including overtime hours, during the outage. Months prior, a New York City transit employee made similar allegations against the city’s Metropolitan Transit Authority in a putative collective action. Pepsi and its employees recently settled similar claims for nearly $13 million.
The incident has led some observers to question the preparedness of HR vendors to defend themselves from targeted cyber crimes, as well as the potential for liability in the event of such attacks. Yet in previous interviews with HR Dive, organizations including UMass Memorial stated that they would not seek to split with UKG, with some stakeholders citing the vendor’s capabilities as a strength compared to alternatives.