A winter ransomware attack has caused Franciscan Health to require employees to pay back wage overpayments made when it lost access to the software of its payroll vendor, Kronos.

Some hourly workers, such as nurses and housekeepers, are being billed hundreds of dollars and told the money will be withheld from future paychecks if they do not repay it in coming months. The overpayments took place in December and January, with workers already having paid taxes on the income they received in 2021.

“When faced with the unexpected Kronos vendor outage, which was wholly outside of Franciscan’s control, Franciscan reacted quickly and worked hard to pay coworkers as accurately as possible, given the circumstances," a Franciscan spokesperson said. "During this period, our best recourse was to pay most types of compensation based on hours worked and to ensure no interruption in coworker paychecks. Franciscan’s inability to access the Kronos system resulted in some coworkers receiving over- or under-payments."

Some hourly workers reported being asked to repay thousands of dollars, but the issue did not affect everyone at the Mishawaka-based health care system, which operates hospitals in Hammond, Munster, Dyer, Crown Point and Michigan City, as well as medical offices throughout the Region.

"Franciscan has worked to reconcile any discrepancies with the impacted coworkers and continues to do so," the spokesperson said. "The employees who were underpaid have already been made whole. Overpayments averaged around $350, and those affected are being provided repayment options over the next several months to ease any burden.”

Ultimate Kronos Group provides payroll software to companies such as Franciscan Health, YMCA, GameStop and Whole Foods, letting employers manage time sheets, payroll, absence requests, scheduling and other workforce management tasks through a cloud platform. Its system was taken hostage in December by a ransomware attack, where hackers hijack a computer system after infecting it with a virus, often downloaded unsuspectingly from a phishing email. The hackers demand a ransom and refuse to release the system unless it is paid.