CASE STUDY – MedQuip

MedQuip, a company that specialises in the production of personalised medical equipment, was recently accused of failing to reasonably secure the Protected Health Information (PHI) and Personally Identifiable Information (PII) of its customers. Between June 19 and July 12 2019, MedQuip’s network was breached, with the attacker stealing over a million PHI and PII records. A law enforcement investigation and forensic analysis of MedQuip’s network found that the attacker first penetrated the network through a third-party user’s computer. Due to weak segmentation between non-sensitive and sensitive parts of MedQuip network, the attacker was able to access and modify sensitive PHI and PII data for the purpose of selling the data to MedQuip’s competitor. MedQuip’s Internal IT staff had stored sensitive data in an unencrypted format on unencrypted hard drives, making it easy for the attacker to access and steal sensitive data. This highlights a gap in knowledge with respect to appropriate IT security practices and reveals MedQuip’s lack of understanding regarding the consequences of poor information security. It is estimated that the billing information of 9,000 customers was compromised. While it is understood that MedQuip has a robust IT security policy based on industry regulations, it appears the policy hasn’t been enforced, making it possible for the breach to be successful. In a press conference discussing the incident, the IT director commented that while the company had an IT security policy in place to prevent such breaches, security controls defined in the policy relating to data handling and storage had not been implemented. Following further internal investigations, the concerned employees could not be penalised as the IT security policy did not meet certain criteria.
(a) According to the Australian Cybercrime Act, briefly discuss, with evidence from the MedQuip case study, the level of crime that was committed in this case.
(b) Which Information Privacy Principle was breached in this case?
A.) According to the Australian Cybercrime Act, this case study depicts the highest level of crime that has been committed, because of the fact that in absolute cybercrime act data breach is considered to be the highest level of cybercrime, and here the data breach consists of millions of users of information, and the data breach was an international act of the attacker in order to steal the data so that they can gain the data from the website and sell it to the other party, which is an action of illegal practice and is considered to be the topmost level of cyber crime committed according to the Australian Cybercrime Act.
B.) The information privacy principle that was breached in this case was that the organisation that is storing the information of the customers needs to secure the data so that it is not accessible by anyone, by making use of several securing protocols like encryption and hashing in order to sufficiently protect the data from unauthorised access, and the company failed here because it stored the data in unencrypted format and the attacker was able to easily gain access to the database and steal the data. And the principle that was breached was data security.