By Sharon Gaudin
September 19, 2007
A former systems administrator at Medco Health Solutions pleaded guilty
in federal court Wednesday to writing and planting malicious code that
could have crippled a network that maintains customer health care
Yung-Hsun Lin, of Montville, N.J., pleaded guilty in U.S. District Court
in Newark, N.J., to the charge of transmitting code that would cause
damage to a protected computer. The charge carries a maximum sentence of
10 years, but the plea deal sets a guideline of 30 to 37 months. The
judge, who will levy the sentence on Jan. 8, is not bound to the
"Had this gone off, the damage to Medco's reputation could have been
catastrophic," Assistant U.S. Attorney Erez Liebermann told
InformationWeek. "I look at this as one of the most significant
[computer sabotage] cases because it could have done more than financial
Lin admitted to creating and planting the malicious code, or logic bomb,
on Medco's computer network because he feared he would lose his job in
an expected round of layoffs. Another systems administrator at the
company, however, foiled his plan when he discovered the logic bomb
before it went off.
If it had been detonated, prosecutors say the code would have eliminated
pharmacists' ability to know if a new prescription would dangerously
interact with a patient's current prescriptions. They also say it would
have caused widespread financial damages to the company. Even though it
didn't go off, Medco reported that it cost them between $70,000 and
$120,000 to clean up the problem.
"What this individual did was severely threaten a critical
infrastructure -- healthcare," said Liebermann. "The only way to make
sure all the drugs you've received don't conflict is to have something
like Medco doing an across-the-board check. ... This could have led to
the damage of people trying to get their prescriptions filled. It's a
new level of risk. It's not just a financial crime. It could have
damaged life and limb. It shows the impact of cyber crime."
Lin, who is known as Andy Lin, had access to the company's network of
about 70 HP Unix servers, according to the indictment. The network
handled Medco's billing, corporate financial, and employee payroll
information, as well as the Drug Utilization Review, a database of
patient-specific information on conflicting drug interactions.
Lin created the logic bomb early on Oct. 3, 2003, just days before a
planned layoff was due to happen. Medco had just spun off from Merck &
Co. and was going through a restructuring. The Medco Unix group was
merging with the e-commerce group to form a corporate Unix group, the
Several systems administrators were laid off on Oct. 6. Lin was not one
The indictment pointed out that the month before the layoffs were made,
Lin sent out e-mails discussing the anticipated layoffs. In one e-mail,
he indicated he was unsure whether he would survive the downsizing,
according to government documents.
The logic bomb was set to automatically deploy on April 23, 2004, which
was Lin's birthday. The code was triggered that day, prosecutors report,
but it failed to take down the servers because of a coding error. The
government says Lin later modified the code in September of 2004,
correcting the error and resetting it to go off on April 23, 2005.
Lin told the court he retriggered the logic bomb because of continued
pressure from the layoffs.
Liebermann said Lin designed the logic bomb so it would shut off access
to other administrators while it was running. He also changed the time
and date on each file so if anyone found the code, it would look like it was
created and modified at different times and on different days -- maybe
not correlating to times that he was on the system.
"It was very clever, though he couldn't change the backup logs that
showed otherwise," said Liebermann.
Soraya Balzac, a spokeswoman for Medco, pointed out in an interview that
the company detected and neutralized the threat. "As a company, we're
vigilant in protecting our systems and data," she added. "We view the
defendant's guilty plea and expected high sentence as a strong message
that there is zero tolerance for this type of conduct -- any threat to
Liebermann praised Medco for contacting and working with law enforcement
in this case. "This represents a successful partnership between private
industry and law enforcement, and we need more such partnerships if we
are to successfully deter and prosecute these saboteurs."