Facing a possible layoff from his job as an IT systems administrator, a 50-year-old US resident was charged Tuesday with planting malicious "logic bomb" code into the company systems where he worked that could have damaged more than 70 servers.
In a five-page indictment, Yung-Hsun Lin, also known as Andy Lin, 50, of Montville, New Jersey., was charged with two counts of intending to cause fraudulent, unauthorized changes to computer systems in violation of U.S. laws. Each count is punishable by up to 10 years in prison and up to a US$250,000 fine. A federal grand jury handed down the indictment.
Lin was arrested Tuesday by FBI agents and made an initial appearance before a federal magistrate. He is scheduled for arraignment on the indictment on Jan. 3.
In a statement, U.S. Attorney Christopher J. Christie in Newark alleged that Lin planted the logic bomb in HP Unix servers at Medco Health Solutions Inc. The bomb could have destroyed critical customer prescription data, payroll information and other records stored on more than 70 servers used by the Franklin Lakes, N.J.-based company.
Lin, who worked in Medco's Fair Lawn offices, apparently inserted the logic bomb into Medco's IT systems in October 2003 because he feared losing his job. Lin learned that his IT group was being merged with another group inside the company after it was spun off from pharmaceutical company Merck & Co., according to the indictment.
Instead, Lin was spared a layoff while four colleagues lost their jobs, according to the U.S. attorney's statement.
The government alleges that Lin then modified the inserted logic bomb code in November 2003, but that it was still scheduled to deploy on his birthday on April 23, 2004. Due to an error in the code, however, it didn't deploy as scheduled. In September 2004, Lin allegedly corrected the code error and changed the deployment date to April 23, 2005.
The plot was foiled, according to the government, when another Medco systems administrator, who was looking into an unrelated systems error, found the destructive code embedded within the systems scripts.
The administrator notified company security staffers, who removed the logic bomb in January 2005.
"The potential damage to Medco and the patients and physicians served by the company cannot be understated," Christie said in a statement. "A malicious program like this can bring a company's operations to a grinding halt and cause millions of dollars in damage from lost data, system downtime, recovery and repair."
"Companies and law enforcement must be extremely vigilant to guard against disgruntled employees with the knowledge and position to wreak such havoc," he said.
The servers Lin allegedly targeted contained several key company databases, including a critical patient-specific drug interaction conflict database known as the Drug Utilization Review (DUR). Pharmacists use the DUR before dispensing medication to determine whether there could be unsafe interactions between a patient's prescribed drugs.
Also included in the target were servers containing applications relating to clients' clinical analyses, rebate applications, billing and managed care processing, as well as new prescription call-ins from doctors and coverage determination applications.
Records containing internal Medco applications, including the corporate financials, pharmacy maintenance tracking, Web and pharmacy statistics reporting and employee payroll processing, were also potentially affected.