The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

$6 Million Settlement Proposed to Resolve UKG/Kronos Data Breach Lawsuit

UKG (Ultimate Kronos Group), a multinational provider of workforce management and human resources (HR) management services, has proposed a $6 million settlement to resolve claims related to a ransomware attack and data breach that was discovered in 2021. The breach affected several of its healthcare clients, including Allegheny Health Network, Highmark Health, Baptist Health, UF Health, Ascension, Shannon Medical Center, and Franciscan Missionaries of Our Lady Health System.

UKG was formed in 2020 when Ultimate Software acquired Kronos, a Lowell, MA-based workforce management and human capital management cloud provider. On December 11, 2021, suspicious activity was detected in the Kronos private cloud where UKG solutions were deployed, including UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling. Those solutions were disrupted at a time when UKG's healthcare provider clients were experiencing patient surges due to COVID-19 and flu, and the disruption left them unable to process employee paychecks for weeks. UKG also confirmed that the hackers exfiltrated sensitive data from the private cloud. The attack reportedly affected around 2,000 of its clients.

Victims of the breach took legal action (In re: UKG Inc. Cybersecurity Litigation), alleging that UKG had failed to implement reasonable and appropriate safeguards to protect against ransomware attacks. They alleged that, had those measures been taken, the ransomware attack would not have succeeded, and millions of individuals would not have had their sensitive data compromised or their paychecks delayed.

UKG chose to settle the lawsuit with no admission of wrongdoing. Under the terms of the proposed settlement, class members are entitled to submit claims of up to $1,000 for unreimbursed ordinary expenses, which include losses traceable to the data breach such as communication charges and bank fees but not lost wages, along with up to 4 hours of lost time at $25 per hour. Any individual who experienced identity theft or fraud can submit a claim for up to $7,500 to recover documented, unreimbursed extraordinary losses.

Members of two subclasses are entitled to additional payments. Individuals who were notified that their sensitive data was exfiltrated and were offered credit monitoring services are entitled to receive a payment of $100 in addition to any claims for ordinary and extraordinary losses. Individuals who were residents of California at the time of the attack will be entitled to receive a payment of $30 in addition to any claims submitted.

The deadline for exclusion from and objection to the settlement is September 18, 2023. The deadline for submitting claims is October 3, 2023. The final fairness hearing has been scheduled for November 17, 2023.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
