We’ve been away for a few days celebrating Fallon’s fifth birthday in Orlando where the preferred destination has shifted from Disney to Universal Studios, source of all things Harry Potter. While we were away, IBM celebrated its 100th birthday by claiming, among other things, to have invented the personal computer, soiling the legacy of Ed Roberts and pissing off all real geeks in the process. Here’s a video in which you’ll see IBM’s VP of Innovation innovating his way to this completely bogus claim at the 2:37 milepost.
This sin shall not go unpunished.
Among his milestones IBM’s VP of Innovation completely forgets to mention the company having helped automate the Third Reich.
And while IBM was celebrating other noteworthy achievements, a reader pointed out to me what he thought was an IBM data breach:
“My wife and I are Health Net customers. A month or so ago we received a letter from Health Net saying that their contractor, IBM, had been hacked and that our medical records including SS# had been stolen… You can imagine how I feel about it. I’m in favor of the bin Laden treatment for the hackers and serious bitch slapping for everyone else concerned, from the pointy haired managers to the OS pukes who have refused to create secure systems despite knowing how to do it. The people who have resisted IPv6, which provides authentication, over the last decade are another good target for serious bitch slapping. Someone said that the primary reason the computer industry advances is ridicule of second rate technology. Ridicule of insecure systems and networks is desperately needed.”
To be fair to Big Blue, it appears their system wasn’t hacked in the manner we’ve been discussing lately and IPv6 had nothing to do with it. Rather, in March IBM discovered nine disk drives were physically missing from the Health Net data center it runs in Rancho Cordova, CA. The drives contained personal and health data on 1.9 million of Health Net’s six million customers.
We’ve grown so desensitized to these data losses that 1.9 million doesn’t seem a very big number anymore. And this particular data loss, since it doesn’t involve some invisible hand reaching through the wire, seems somehow less invasive. That surely must have been the way Health Net felt about it, given this particularly callous sentence from their press release about the loss: “While the investigation continues, Health Net has made the decision out of an abundance of caution to notify the individuals whose information is on the drives.”
Doesn’t this imply that Health Net believes that informing us of the loss of our medical data is optional?
Time for all you HIPAA lawyers out there to tell us what right we have to know when our personal health data has been stolen. Was Health Net just trying to spin this story in a smarmy direction or do they actually have no obligation to tell us?
As for IBM, this loss happened on their watch so what did they do about it? Health Net outsourced its IT to IBM. IBM outsourcing involves a long checklist of things to do to each server to lock it down and make it easier to support. IBM techs install support tools like antivirus and backup. Since they inherit network and application designs from the customer, IBM doesn’t guarantee they are hack-proof.
Did you know that? I didn’t.
IBM tries to find problems, I’m told, bring them to everyone’s attention, and fix them. Sometimes a problem can’t be fixed or won’t be fixed, in which case IBM writes a “risk letter” documenting Big Blue’s concerns and the business risks to the customer.
That’s what is supposed to happen. What really happens is usually a bit different. These days most IBM contracts are underfunded to the point of being irresponsible. There may not be time or funding to do basics like securing the servers. With offshoring on top of outsourcing, very inexperienced people in foreign locations are doing much of the support work remotely.
But you can’t blame the physical theft of nine disk drives in Rancho Cordova on an entry-level support guy in Pakistan. This story appeared in Computerworld back in March and then quickly disappeared. I’d like to know what the Hell happened. Wouldn’t you?
As far as I can tell IBM never said a word on the subject.