By Sharon Gaudin
Dec 19, 2006
A former systems administrator for Medco Health Solutions was arrested
Tuesday and charged with trying to take down a computer network that
maintained customer health care information.
Another systems administrator at the company discovered the malicious
code, or logic bomb, before it went off. If it had been detonated,
prosecutors say it would have eliminated pharmacists' ability to know if
a new prescription would dangerously interact with a patient's current
prescriptions. They also say it would have caused widespread financial
damages to the company.
Yung-Hsun Lin, 50, of Montville, N.J., was indicted by a federal grand
jury on Monday and was arrested at his home this morning by the FBI. He
is being charged with two counts of computer fraud. If convicted, he
could face 20 years in prison and a fine of $500,000 -- $250,000 for
The systems administrator had access to the company's HP-Unix computer
system that was made up of about 70 servers. The network handled Medco's
billing information, corporate financial information, and employee
payroll input, as well as the Drug Utilization Review, a
patient-specific drug interaction conflict database.
"The potential impact, had it gone off, would have been devastating. And
more so, it would have been devastating to patients," says Assistant
U.S. Attorney Erez Lieberman, who is prosecuting the case, along with
Assistant U.S. Attorney Marc Ferzan. "Taking a logic bomb and putting it
in a system where it could not just cause financial harm but could also
harm databases, which he knows and administers, that affect patient drug
information, adds to the enormity of the situation. The impact obviously
could affect real lives, real time."
This arrest comes just a week after Roger Duronio, 64, of Bogota, N.J.,
received the maximum sentence of eight years in prison for building,
planting, and disseminating a logic bomb at his former employer, UBS
PaineWebber. Prosecutors from the same U.S. Attorney's Office in Newark
handled that case as well. Six years ago, they also prosecuted the very
first computer sabotage case. Tim Lloyd was found guilty in 2000 of
planting a logic bomb that took down the network he helped to build at
According to the indictment, Lin, who is known as Andy Lin, created the
malicious code early on Oct. 3, 2003, just days before a planned layoff
was due to happen. Medco had just spun off from Merck & Co. and was
going through a restructuring. The Medco Unix group was merging with the
e-commerce group to form a corporate Unix group, the government reports.
Several systems administrators were laid off on Oct. 6. Lin was not one
The indictment points out that the month before the layoffs were made,
Lin sent out e-mails discussing the anticipated layoffs. In one e-mail,
he indicated he was unsure whether he would survive the downsizing,
according to government documents.
The logic bomb was set to automatically deploy on April 23, 2004, which
was Lin's birthday. The code was triggered that day, prosecutors report,
but it failed to take down the servers because of a coding error. The
government says Lin later modified the code in September of 2004,
correcting the error and resetting it to go off on April 23, 2005.
Another systems administrator kept that from happening, though.
On Jan. 1, 2005, one of Lin's fellow IT workers was investigating a
system error and discovered the malicious code embedded with other
scripts on the Medco servers. The company's IT security team
"neutralized" the code.
Lin is expected to make an initial court appearance in U.S. District
Court in Newark, N.J., today. He is set to be arraigned on Jan. 3. The
case has been investigated by the FBI.
Subscribe to InfoSec News