'Rogue' Medco Programmer Gets 30-Month Jail Term

January 9, 2008 (PLANSPONSOR.com) - A federal judge in New Jersey has sentenced a former computer systems analyst to a 30-month jail term for installing a computer code "logic bomb" on the computer systems of pharmacy benefits manager Medco Health Systems.

A news release from U.S. Attorney Christopher J. Christie said U.S. District Judge Jose L. Linares of the U.S. District Court for the District of New Jersey handed down the sentence to Yung-Hsun Lin, 51, of Montville, New Jersey. Christie said Lin’s sentence was the longest such federal court punishment meted out for attempting to damage a computer system.

Authorities charged that Lin’s efforts were designed to wipe out important client data stores on more than 70 Medco servers. Linares also slapped Lin with an $81,200 fine which Lin must pay as restitution to Medco.

According to the announcement, Lin admitted his code was aimed at becoming active on his birthday – April 23. Lin confessed that he first created the malicious computer code in October 2003, when Medco was being spun off from Merck & Co., and he was afraid he might get laid off.

On Oct. 2, 2003, Lin created the logic bomb by modifying existing computer code and inserting new code into Medco’s servers. Lin kept the logic bomb in place after it failed to deploy on April 23, 2004, and renewed it to deploy on April 23, 2005.

Christie praised Medco for bringing the case to the government quickly for investigation and prosecution. “That is the kind of cooperation we need and appreciate from private industry,” said Christie, in the announcement. “Disgruntled or rogue employees are a real threat to corporate technology infrastructures and can cause extensive damage. The results of this prosecution send a message to systems administrators and employees; and industry should feel comfortable and confident in coming to us when just such cases arise.”

Among the databases operated from the affected servers was a critical one maintained and updated regularly by Medco – a patient-specific drug interaction conflict database known as the Drug Utilization Review (DUR). Before dispensing medication, pharmacists routinely examined the information contained in the DUR to determine whether conflicts existed between or among an individual’s prescribed drugs.

Medco servers targeted by the logic bomb contained applications relating to clients’ clinical analyses, rebate applications, billing, and managed care processing.

Further, the servers handled new prescription call-ins from doctors and coverage determination applications, as well as numerous internal Medco applications, including the corporate financials, pharmacy maintenance tracking, web and pharmacy statistics reporting, and the employee payroll input, the announcement said.