News

Feds: NJ Worker Put 'Bomb' in Computers

Systems administrator alleged to have planted logic bomb that could have wiped out critical patient data.

• By The Associated Press
• December 19, 2006

Even after surviving a round of layoffs, Yung-Hsun Lin, 50, of Montvale kept the code in the system and tinkered with it in an attempt to set it off, prosecutors said. The bug eventually was discovered and neutralized by the company.

U.S. Attorney Christopher Christie said the bomb could have caused widespread financial damage to the company, and possibly harmed a large number of patients.

"The potential damage to Medco and the patients and physicians served by the company cannot be understated," Christie said. "A malicious program like this can bring a company's operations to a grinding halt and cause millions of dollars in damage from lost data, system downtime, recovery and repair."

Lin was arrested at his home Tuesday morning by FBI agents, and was to appear before a federal magistrate Tuesday afternoon. His arraignment is scheduled for Jan. 3.

His lawyer, Raymond Wong, had no immediate comment on the case.

A call seeking comment from Medco was not immediately returned.

The indictment alleges that Lin, who worked in the company's Fair Lawn office, planted the computer bomb in Medco's servers. It would have wiped out critical data stored on more than 70 servers, according to Assistant U.S. Attorney Erez Lieberman. He could not estimate how many patients could have been affected.

Among the targeted databases was one that tracked patient-specific drug interaction conflicts.

Before dispensing medication, pharmacists routinely examine the information contained in the database to determine whether conflicts exist between a patient's prescribed drugs.

Other data on the targeted servers included patients' clinical analyses, rebate applications, billing and managed-care processing.

Prosecutors said that when Franklin Lakes-based Medco was spun off from Merck & Co. in 2003, Lin feared that layoffs may affect him.

Authorities said that on Oct. 3, 2003, Lin created the bomb designed to delete virtually all data from 70 targeted servers by modifying existing computer code and adding new code. It was set detonate automatically on April 23, 2004 -- his birthday.

But due to a programming error, it didn't go off. Even after surviving a round of layoffs, prosecutors said, Lin modified the bomb's code to have it detonate on his next birthday. But the company found and disabled it before it could cause any damage.

Lin is charged with two counts of fraud related to activity in connection with computers. One is for exceeding authorized access with intent to cause damage in excess of $5,000; the other is for the impairment, or potential impairment, of the medical examination, diagnosis, treatment or medical care of one or more individuals.

Last week, a former UBS PaineWebber systems administrator in New Jersey was sentenced to eight years and one month in prison for attempting to profit by detonating a "logic bomb" program that caused millions of dollars in damage to the brokerage's computer network in 2002.

Roger Duronio also was ordered to pay $3.1 million in restitution to his former employer, now known as UBS Financial Services Inc., part of the Swiss banking company UBS AG.