About 680 nurses and 50 tech workers at St. Charles Health System have signed a petition asking for an independent audit after learning that some had been overpaid in a ransomware attack on the health system’s third-party payroll company.

The payroll provider, Ultimate Kronos Group, says that on March 4, it concluded its investigation and discovered St. Charles Health System was not among the two companies that had its data compromised by the ransomware, said Evan Roberts, a spokesman for the company. The ransomware affected about 4% of Kronos’s customers and all were restored, including payroll, scheduling and payroll capabilities, by Jan. 22, according to info on the company’s website.

It is unclear how the ransomware affected employees trying to log in their hours and schedules on the Kronos platform.

St. Charles is the largest employer in Central Oregon, with about 4,500 employees.

St. Charles did not return calls or emails from The Bulletin.

The petition signed by members of the Oregon Nurses Association and the Oregon Federation of Nurses and Health Professions, states that workers will not agree to any repayment of the estimated $2 million overpaid unless there is an audit to prove that the overpayments occurred.

The health system gave employees until Monday to sign up for repayment plans after verifying the amounts, but the labor unions representing the workers are urging workers not to agree.

“Staff are furious,” said Joel Hernandez, a registered nurse at St. Charles Bend and vice president of the Oregon Nurses Association board of directors, in a prepared statement. “We are hearing from workers who got a check in March because St. Charles said they were underpaid. Those same staff are now hearing from St. Charles that, in fact, those payments were also wrong and the nurses have to pay those funds back.”

The unions have filed a complaint with the Oregon Bureau of Labor & Industries, said Scott Palmer, Oregon Nurses Association director of communications. The union plans to hand the petition to the health system next week, Palmer said. The petition is the second action the unions have filed since learning of the demand for repayment from the health system. The first was a cease and desist letter outlining how docking staff pay is illegal and could lead to civil penalties, Palmer said.

“St. Charles should think very, very carefully their next steps here,” Palmer said. “We continue to explore all available means of preventing St. Charles form forcing staff to repay these alleged overpayments, including potential legal action.”

The payroll issues come at a time when the health system has reported it is $40 million in the red due to rising costs, and lower income. In May it laid off more than 100 staffers, had its CEO step down to an advisory position and laid off its chief physician executive.

Since there was a ransomware attack, the health system and the payroll company should be proactive and provide employees with credit monitoring just in case their payroll information involved in the ransomware was used improperly, said Eric Magidson, Central Oregon Community College professor of network and cybersecurity.

“I feel an employer, with the proper proof that employees were overpaid for work they did not perform, could seek reimbursement for these expenses,” Magidson said. “Given that the root cause of these errors is indicated to be the result of the payroll vendor, Kronos, being hit with ransomware then responsibility for reimbursement begins with them.”