A national assisted living and memory care operator has lost its lawsuit against a payroll vendor over the 2021 Kronos ransomware attack. A judge dismissed the case last week, pointing to a contract the parties signed noting the possibility of service outages.
Aegis Living, referred to as Aegis Senior Communities in the suit, did not show that UKG, a subsidiary of Kronos that provided timekeeping and payroll operations support to Aegis, committed gross negligence and fraud, according to a ruling from US District Court Judge Araceli Martinez-Olguin.
Martinez-Olguin granted UKG’s motion to dismiss Aegis’ lawsuit with prejudice (permanently), noting that a contract that both parties signed outlined service credits as the “sole and exclusive remedy” for service outages. The contract also waived indirect and consequential damages and limited the scope of indemnification for which Kronos could be held responsible.
In December 2021, Kronos was targeted in a criminal ransomware attack, which caused a temporary service outage. The data breach resulted in the loss of all timekeeping and payroll services for almost six weeks. For Aegis Living, that outage led to a failure to properly pay employees, which led to two wage and hour class action lawsuits against the provider.
Aegis Livingoriginally filed its case against UKG in 2023, but it was dismissed shortly afterward. Aegis was allowed to amend its complaint, which accused UKG of gross negligence, fraudulent misrepresentation, negligent misrepresentation and violations of the California Unfair Competition Law. The provider alleged that UKG was grossly negligent by failing to prevent or appropriately respond to the ransomware attack.
Martinez-Olguin ruled that Aegis Living did not establish that it suffered harm beyond purely economic losses, particularly in light of the contract and the limitation of associated damage. The court further ruled that Aegis did not sufficiently make the case for misrepresentation, relying on “vague references to marketing materials and unsupported deductions that UKG must have failed to meet promised safety standards.”
“Aegis could not reasonably rely on its assumption that ransomware attacks and service outages would not occur given the contract it negotiated, which expressly considered those possibilities,” the judge wrote in her opinion. “UKG made no promises that were violated by the ransomware attack.”
Aegis Living had not responded to a request for comment from McKnight’s Senior Living as of the production deadline.
