Medco Sys Admin Pleads Guilty To Computer Sabotage
New Jersey man tells the court he planted the logic bomb on the prescription manager's network when he suspected he was going to be laid off.
A former systems administrator at Medco Health Solutions pleaded guilty in federal court Wednesday to writing and planting malicious code that could have crippled a network that maintains customer health care information.
Yung-Hsun Lin, of Montville, N.J., pleaded guilty in U.S. District Court in Newark, N.J. to the charge of transmitting code that would cause damage to a protected computer. The charge carries a maximum sentence of 10 years, but the plea deal sets a guideline of 30 to 37 months. The judge, who will levy the sentence on Jan. 8, is not bound to the guidelines.
"Had this gone off, the damage to Medco's reputation could have been catastrophic," Assistant U.S. Attorney Erez Liebermann told InformationWeek. "I look at this as one of the most significant [computer sabotage] cases because it could have done more than financial damage."
Lin admitted to creating and planting the malicious code, or logic bomb, on Medco's computer network because he feared he would lose his job in an expected round of layoffs. Another systems administrator at the company, however, foiled his plan when he discovered the logic bomb before it went off.
If it had been detonated, prosecutors say the code would have eliminated pharmacists' ability to know if a new prescription would dangerously interact with a patient's current prescriptions. They also say it would have caused widespread financial damages to the company. Even though it didn't go off, Medco reported that it cost them between $70,000 and $120,000 to clean up the problem.
"What this individual did was severely threaten a critical infrastructure -- healthcare," said Liebermann. "The only way to make sure all the drugs you've received don't conflict is to have something like Medco doing an across-the-board check. ... This could have led to the damage of people trying to get their prescriptions filled. It's a new level of risk. It's not just a financial crime. It could have damaged life and limb. It shows the impact of cyber crime."
Lin, who is known as Andy Lin, had access to the company's network of about 70 HP Unix servers, according to the indictment. The network handled Medco's billing, corporate financial, and employee payroll information, as well as the Drug Utilization Review, a database of patient-specific information on conflicting drug interactions.
Lin, created the logic bomb early on Oct. 3, 2003, just days before a planned layoff was due to happen. Medco had just spun off from Merck & Co. and was going through a restructuring. The Medco Unix group was merging with the e-commerce group to form a corporate Unix group, the government reported.
Several systems administrators were laid off on Oct. 6. Lin was not one of them.
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.