It’s a measure of the sorry state of U.S. media that one of the most devastating ransomware attacks of all time has received virtually no coverage. Millions of workers, including frontline hospital, police, and firefighters, know what I’m talking about.
On December 13, Ultimate Kronos Group (UKG) disclosed that it was the victim of an ongoing ransomware attack impacting its Kronos Private Cloud, which hosts the workforce management software most widely used by U.S. corporations, municipalities, and public entities. The company said it could take several weeks to restore its service, and it was true to its word. Kronos’ systems are still down.
The upshot: Thousands of organizations can’t track their employees’ time and accurately process their payrolls, resulting in missed or miscalculated paychecks with significant underpayments.
This might come as a surprise to the Biden Administration and its media enablers, but millions of Americans live paycheck-to-paycheck, often working multiple jobs to make ends meet. The delay of a paycheck, or one reflecting an underpayment, can be devastating. In addition to being unable to buy groceries, gas, and other necessities whose prices have surged because of inflation, the delayed income can result in late payments for rent, car, and other critical bills that impact one’s credit rating. People living hand-to-mouth often don’t have good credit ratings to begin with, so a late payment can impair their ratings further, causing them to pay even higher rates of interest.
It’s unlikely the overseas operators manning the call centers for U.S. banks and credit rating agencies can be made to understand the situation, let alone make allowances for it.
The Kronos breach has impacted a large number of municipalities and public entities across the country, including the New York Metropolitan Transportation Authority, the City of Cleveland, the state of West Virginia, the Oregon Department of Transportation, the University of California system, and Honolulu’s EMS and Board of Water Supply. According to Fitch Ratings, the actual number could be “much larger” than is publicly known.
Corporations publicly known to be impacted include FedEx, Whole Foods, and PepsiCo.
Hospitals are particularly hard hit, as Kronos’ Healthcare Extensions platform has significant market share. At Beaumont Health in Michigan, I’m told frontline workers must spend hours trying to calculate their hours and wages owed while the hospital system is overrun with covid patients. Healthcare and IT trade publications, including Health IT Security and HIPAA Journal, have reported how the Kronos hack has impacted other U.S. hospitals.
The Kronos hack serves as yet another reminder of U.S. healthcare’s dangerous vulnerability to hacks, which are routinely interrupting hospital operations and adversely impacting patient care. Healthcare accounts for nearly 79 percent of all reported IT breaches. A cybersecurity expert tells me that it’s widely believed that China possesses 80 percent or more of Americans’ healthcare information.
More than one in three health care organizations globally reported being hit by ransomware in 2020, according to a survey commissioned by Sophos, a cybersecurity firm. Alarmingly, the sector experienced a 45 percent uptick in ransomware attacks since November 2020. My cybersecurity source tells me that breaches are far more extensive than reported because healthcare IT systems are so porous that hospitals often don’t know when they’ve been hacked.
As I noted in a recent post, it’s estimated that more than 60 percent of hospitals rely on Alaris infusion pumps, including 152 VA hospitals. The infusion pumps have been subject to more than a dozen FDA recalls, including some identified as “Class 1,” meaning they involve risk of death or injury. The Department of Homeland Security last year issued an alert warning the Alaris pumps are highly vulnerable to cybersecurity breaches. A hacker accessing a drug pump can kill patients by altering the prescribed doses of medicines or simply shutting down the machines.
As I understand it, a hacker could potentially bring the entire U.S. hospital system to a standstill, yet Congress doesn’t appear to understand the severity of the threat, let alone do something about it. The Department of Homeland Security in 2018 created the Cybersecurity and Infrastructure Security Agency (CISA), but security breaches have risen dramatically since the agency’s formation. Curbing IT breaches, like curbing the pandemic, isn’t the U.S. government’s strong suit.
Companies that miss payroll and shortchange employees on their paychecks should face penalties. And the credit rating agencies should face penalties if they ding someone’s credit rating because the person missed or was shortchanged on a paycheck. When things go awry, it’s corporate management, not employees, who should face the consequences. That would provide an incentive to bolster cybersecurity defenses.
Take a bow, Becky Sullivan of NPR, for being among the few national media reporters to understand and report the devastating impact of the Kronos hack.