In a five-page indictment, Yung-Hsun Lin, also known as Andy Lin, 50, of Montville, N.J., was charged with two counts of intending to cause fraudulent, unauthorized changes to computer systems in violation of U.S. laws. Each count is punishable by up to 10 years in prison and up to a US$250,000 fine. A federal grand jury handed down the indictment.
Lin was arrested Tuesday by FBI agents and made an initial appearance before a federal magistrate. He is scheduled for arraignment on the indictment on Jan. 3.
In a statement, U.S. Attorney Christopher J. Christie in Newark alleged that Lin planted the logic bomb in HP Unix servers at Medco Health Solutions Inc. The bomb could have destroyed critical customer prescription data, payroll information and other records stored on more than 70 servers used by the Franklin Lakes, N.J.-based company.
Lin, who worked in Medco's Fair Lawn offices, apparently inserted the logic bomb into Medco's IT systems in October 2003 because he feared losing his job. Lin learned that his IT group was being merged with another group inside the company after it was spun off from pharmaceutical company Merck & Co., according to the indictment.
Instead, Lin was spared a layoff while four colleagues lost their jobs, according to the U.S. attorney's statement.
The government alleges that Lin then modified the inserted logic bomb code in November 2003, but that it was still scheduled to deploy on his birthday on April 23, 2004. Due to an error in the code, however, it didn't deploy as scheduled. In September 2004, Lin allegedly corrected the code error and changed the deployment date to April 23, 2005.
The plot was foiled, according to the government, when another Medco systems administrator, who was looking into an unrelated systems error, found the destructive code embedded within the systems scripts.
The administrator notified company security staffers, who removed the logic bomb in January 2005.
"The potential damage to Medco and the patients and physicians served by the company cannot be understated," Christie said in a statement. "A malicious program like this can bring a company's operations to a grinding halt and cause millions of dollars in damage from lost data, system downtime, recovery and repair."
"Companies and law enforcement must be extremely vigilant to guard against disgruntled employees with the knowledge and position to wreak such havoc," he said.
The servers Lin allegedly targeted contained several key company databases, including a critical patient-specific drug interaction conflict database known as the Drug Utilization Review (DUR). Pharmacists use the DUR before dispensing medication to determine whether there could be unsafe interactions between a patient's prescribed drugs.
Also included in the target were servers containing applications relating to clients' clinical analyses, rebate applications, billing and managed care processing, as well as new prescription call-ins from doctors and coverage determination applications.
Records containing internal Medco applications, including the corporate financials, pharmacy maintenance tracking, Web and pharmacy statistics reporting and employee payroll processing, were also potentially affected.
Last week, a former UBS PaineWebber systems administrator to 97 months in prison for launching a logic bomb inside the company's servers that he hoped would cause the company's stock to go down. In that case, Roger Duronio, 63, of Bogota, N.J., planted a logic bomb into 1,000 of UBS PaineWebber's networked computers in an attempt to profit from a drop in the stock price, but the drop didn't occur and he lost his $23,000 stock investment.