Cyber Attack on HHS is a Reminder for Businesses to Remain Vigilant About Cybersecurity During the COVID-19 Pandemic


By: Renata Hoddinott

Amidst all the information and news flooding the internet regarding COVID-19, another troubling headline emerged this morning: an unknown actor launched a cyber attack on the Department of Health and Human Services (HHS) on Sunday. The attack was not a hack in the traditional sense, and no data was stolen from HHS’s systems. Rather it was an attempt to slow down HHS’s COVID-19 response by flooding the site with millions of requests over the course of several hours. It was a distributed denial of service – or DDOS – attack. The distinction is important because there was no apparent breach of the system of the lead agency responding to the coronavirus pandemic, and none of HHS’s critical functions were interrupted. HHS’s system was largely able to repel the intrusion, the agency was fully functioning at all times, and its site never crashed. But while the attack was unsuccessful, it is a harbinger of things to come and businesses should take note.
Most corporations and firms with the capability to do so have permitted, encouraged, or even mandated their employees to work from home for an extended amount of time to limit the spread of the virus. All of that remote access may be on potentially less secure networks should raise some concerns for those businesses. Bad actors will no doubt use the opportunity to gain access to less secure devices and networks to penetrate systems they may not have had access to previously due to the security in place for devices “in-house.”
Now is the time to remind remote employees to practice basic sense and security in ensuring they are only accessing company systems on private, password-protected networks. Employees also need to be watching for social engineering and phishing attacks. It may seem as though the email from the boss asking for password information or the firm’s credit card number is legitimate because employees do not have the ability to walk down the hall and ask.
And, for some smaller enterprises who may be new to remote-access, some systems may have been rolled out untested in certain circumstances to ensure business continuity. In those cases, it will be important to ensure that when restrictions are lifted and employees are able to return to work that those remote system are analyzed and secured from future threats.
This pandemic has unexpectedly and almost immediately changed the way business is conduct day-to-day around the globe. It remains to be seen whether those changes will be permanent. While most people are pulling together in this outbreak, malicious actors will always be looking for every opportunity to take advantage of the situation. During the period of social distancing and self-quarantining, individuals are desperate for up to the minute information on the crisis. Businesses need to be aware that attackers will attempt to exploit the human element now more than ever. And, as we all know, there is almost always a human element – whether an honest mistake or negligence – in most cybersecurity incidents.
In addition, FMG has formed a Coronavirus Task Force to provide up-to-the-minute information, strategic advice, and practical solutions for our clients. Our group is an interdisciplinary team of attorneys who can address the multitude of legal issues arising out of the coronavirus pandemic, including issues related to Healthcare, Product Liability, Tort Liability, Data Privacy, and Cyber and Local Governments. For more information about the Task Force, click here.
You can also contact your FMG relationship partner or email the team with any questions at

**DISCLAIMER: The attorneys at Freeman Mathis & Gary, LLP (“FMG”) have been working hard to produce educational content to address issues arising from the concern over COVID-19. The webinars and our written material have produced many questions. Some we have been able to answer, but many we cannot without a specific legal engagement. We can only give legal advice to clients. Please be aware that your attendance at one of our webinars or receipt of our written material does not establish an attorney-client relationship between you and FMG. An attorney-client relationship will not exist unless and until an FMG partner expressly and explicitly states IN WRITING that FMG will undertake an attorney-client relationship with you, after ascertaining that the firm does not have any legal conflicts of interest. As a result, you should not transmit any personal or confidential information to FMG unless we have entered into a formal written agreement with you. We will continue to produce educational content for the public, but we must point out that none of our webinars, articles, blog posts, or other similar material constitutes legal advice, does not create an attorney client relationship and you cannot rely on it as such. We hope you will continue to take advantage of the conferences and materials that may pertain to your work or interests.**