News

IT Admin Accused of Planting 'Logic Bomb'

• By The Associated Press
• December 20, 2006

If the so-called "logic bomb" had gone off at Medco Health Solutions Inc., it would have wiped out critical patient information, authorities said.

Even after surviving a round of layoffs, Yung-Hsun Lin, 50, kept the code in the system and tinkered with it in an attempt to set it off, prosecutors said. The bug eventually was discovered and neutralized by the company.

U.S. Attorney Christopher Christie said the bomb could have caused widespread financial damage to the company, and possibly harmed a large number of patients.

Among the targeted databases was one that tracked patient-specific drug interaction conflicts, prosecutors said. Before dispensing medication, pharmacists routinely examine that information to determine whether conflicts exist among a patient's prescribed medicines.

"The potential damage to Medco and the patients and physicians served by the company cannot be understated," Christie said. "A malicious program like this can bring a company's operations to a grinding halt and cause millions of dollars in damage from lost data, system downtime, recovery and repair."

Lin was arrested at his home Tuesday morning by FBI agents, and was to appear before a federal magistrate Tuesday afternoon. His arraignment is scheduled for Jan. 3. He is charged with two counts of computer fraud.

His lawyer, Raymond Wong, said Lin denies introducing any malicious programming into the computer system. Wong said his client would have known that such an action could be quickly linked to him.

"He is an administrator; if something happened, it could be traced back," said Wong, who added Lin has years of "excellent performance reviews."

Medco spokeswoman Soraya Balzac said the arrest "sends a strong message that there is zero tolerance for this type of conduct."

The indictment alleges that Lin, who worked in the company's Fair Lawn office, planted the computer bomb in Medco's servers. It would have wiped out critical data stored on more than 70 servers, according to Assistant U.S. Attorney Erez Lieberman. He could not estimate how many patients could have been affected.

In addition to the drug-interaction information, other data on the targeted servers included patients' clinical analyses, rebate applications, billing and managed-care processing.

Prosecutors said that when Franklin Lakes-based Medco was spun off from Merck & Co. in 2003, Lin feared that layoffs would affect him.

Authorities said that on Oct. 3, 2003, Lin created the bomb designed to delete virtually all data from the 70 targeted servers by modifying existing computer code and adding new code. It allegedly was set to detonate automatically on April 23, 2004 -- his birthday.

Due to a programming error, it didn't go off. Even after surviving a round of layoffs, prosecutors said, Lin modified the bomb's code to have it detonate on his next birthday. But the company found and disabled it before it could cause any damage.

Last week, a former UBS PaineWebber systems administrator in New Jersey was sentenced to eight years and one month in prison for attempting to profit by detonating a logic-bomb program that caused millions of dollars in damage to the brokerage's computer network in 2002. The ex-employee, Roger Duronio, also was ordered to pay $3.1 million in restitution to his former employer, now known as UBS Financial Services Inc., part of the Swiss banking company UBS AG.