Prosecutors: Medco 'Bomber' Would Have Wreaked Havoc

Former systems administrator, charged with planting a logic bomb on prescription manager's network, pleads not guilty in federal court

By Sharon Gaudin
InformationWeek

Jan 6, 2007 12:00 AM (From the January 8, 2007 issue)

A former systems administrator at Medco Health Solutions is being charged for allegedly writing and planting malicious code that could have crippled a network that maintained health care information on customers. A co-worker found the so-called logic bomb before it went off.

Yung-Hsun Lin, 50, of Montville, N.J., pleaded not guilty on Jan. 3 to two counts of computer fraud. If convicted, he could face 20 years in prison and a fine of $500,000, $250,000 for each charge.

Had the logic bomb gone off, prosecutors say, it would have eliminated pharmacists' ability to know whether Medco customers' new prescriptions would interact dangerously with their current prescriptions. It also would have damaged the company financially, they say.

Lin, who is known as Andy Lin, had access to the company's network of about 70 HP Unix servers, according to the indictment. The network handled Medco's billing, corporate financial, and employee payroll information, as well as the Drug Utilization Review, a database of patient-specific information on conflicting drug interactions.

"The potential impact, had it gone off, would have been devastating. And more so, it would have been devastating to patients," said Assistant U.S. Attorney Erez Lieberman in an interview. "Taking a logic bomb and putting it in a system where it could not just cause financial harm but could also harm databases, which he knows and administers, that affect patient drug information adds to the enormity of the situation." Lieberman will prosecute the case, along with Assistant U.S. Attorney Marc Ferzan, in U.S. District Court in Newark, N.J.

According to the indictment, Lin created the malicious code early on Oct. 3, 2003, just days before a planned layoff. Medco, which had just been spun off from Merck & Co., was going through a restructuring. The Medco Unix group was merging with the e-commerce group to form a corporate Unix group, the government says.

Several systems administrators were laid off on Oct. 6. Lin was not one of them.

The indictment points out that during the month before the layoffs were made, Lin sent out e-mails discussing the anticipated layoffs. In one message, he indicated he was unsure whether he would survive the downsizing, according to government documents.

The logic bomb was set to deploy on April 23, 2004, Lin's birthday. But it failed to take down the servers that day, prosecutors say, because of a coding error. Lin allegedly modified the code in September 2004, resetting it to go off on April 23, 2005.

However, on Jan. 1, 2005, an unidentified co-worker investigating a system error discovered the malicious code embedded with other scripts on the Medco servers. The company's IT security team "neutralized" the code, the government says.

PERSISTENT TREND

Lin's arrest last month came just a week after Roger Duronio, 64, of Bogota, N.J., received the maximum sentence of eight years and one month in prison for building and disseminating a logic bomb at his former employer, UBS PaineWebber. Prosecutors from the U.S. Attorney's Office in Newark also handled that case, and six years ago they prosecuted the very first computer sabotage case. Tim Lloyd was found guilty in 2000 of planting a logic bomb that took down the network he helped build at Omega Engineering.

A trial date has not been set for Lin, who is free on bail. In a previous court appearance, Lin's attorney said the government's case was based on a bias against Asians. That attorney is no longer representing Lin, and his new attorney, Kevin Marino of Marino & Associates, says he has "no reason to suspect a bias of any kind."