X

IT worker indicted in hacking scheme at health firm

Prosecutors say malicious code, if activated, would have wiped out databases of prescription information, potentially harming patients.

Anne Broache Staff Writer, CNET News.com
Anne Broache
covers Capitol Hill goings-on and technology policy from Washington, D.C.
See full bio
Anne Broache
2 min read
A systems administrator who apparently feared imminent layoffs was arrested Tuesday in connection with installing "destructive computer code" on servers at his company, a major manager of prescription benefit plans.

FBI agents arrested Yung-Hsun "Andy" Lin, 50, at his Montville, N.J., home on Tuesday morning, one day after a grand jury returned a two-count indictment (PDF) against him.

The indictment accuses Lin of planting a "logic bomb" sometime around October 2003 that, if activated successfully, would have deleted "virtually all information" on more than 70 HP-Unix servers at Medco Health Solutions and wreaked havoc on the business and its users.

The servers contained numerous applications and databases that managed bills, rebates, new prescription call-ins from doctors, insurance coverage, and clinical assessments of patients. One database that received special attention in the indictment, known as the Drug Utilization Review, was designed to allow pharmacists to see what drugs patients were already taking so that they could determine whether taking different medicines simultaneously was safe.

"The potential damage to Medco and the patients and physicians served by the company cannot be understated," Christopher Christie, U.S. attorney for the New Jersey district, said in a statement.

According to the indictment, the alleged criminal activity started just after Medco, once a wholly owned subsidiary of Merck & Co., became a publicly traded company in August 2003. During the month that followed, Lin and others exchanged e-mails in which they voiced concerns about possible layoffs in their department. While Lin ultimately kept his job, four fellow systems administrators lost theirs.

Lin allegedly programmed the so-called bomb to do its work on April 23, 2004--his birthday--but because of a coding error, it failed to detonate. He later modified the coding so that it would deploy on April 23, 2005, but another computer administrator happened to stumble upon the program in January 2005 and "neutralized" it, the indictment said.

The New Jersey district has made three such prosecutions in five years, according to a press release. Just last week, 63-year-old Roger Duronio, a former systems administrator for UBS PaineWebber, landed a 97-month prison sentence after being convicted of placing malicious code on some 1,000 corporate computers, triggering more than $3 million in damage.

In 2002, Timothy Allen Lloyd was sentenced to 41 months in prison after a Newark, N.J., jury convicted him of devising a "time bomb" that deleted programs on servers at the high-tech measurement company Omega Engineering. Prosecutors said that activity, which occurred 20 days after Lloyd's departure from the company, cost the company $10 million.