U.S. Says Ex-Worker at Drug Giant Was Out to Damage Computer Data
NEWARK, Dec. 19 - A federal grand jury has indicted a former systems administrator for the nation’s largest pharmacy benefits manager on fraud charges, saying he installed a “logic bomb” on company computers, a program that could have erased critical prescription information for 60 million Americans. Among the records that could have been destroyed were those pharmacists use to determine whether there are dangerous combinations in an individual’s prescribed drugs.
Yung-Hsun Lin, 50, had worked for seven years for the company, Medco Health Solutions of Franklin Lakes, N.J., before being fired in 2005 during the investigation that ultimately led to his arrest near dawn Tuesday at his yellow, Cape Cod-style home in Montville.
Prosecutors contend that, fearing layoffs in the fall of 2003, Mr. Lin set the program in the computer system to be activated on his birthday the following April. But prosecutors said that a glitch in the code prevented the program from running, and that Mr. Lin wrote a new code that would have been executed in April 2005 had it not been discovered by a colleague in January 2005.
“The potential damage to Medco and the patients and physicians served by the company cannot be understated,” Christopher J. Christie, the United States attorney for New Jersey, said in a statement. “A malicious program like this can bring a company’s operations to a grinding halt and cause millions of dollars in damage from lost data, system downtime, recovery and repair.”
But Mr. Lin’s wife, Linda, and lawyer, Valerie Wong, said he was simply trying to develop a program to automatically erase data rather than remove it manually as some of the company’s 70 servers were decommissioned.
“We do not deny that he designed the code, but what they call a logic bomb was a way to handle things more efficiently,” Ms. Wong said. “The program was in a testing phase and he never used it. He tried to explain that to Medco at the time and he was shocked that they were investigating him.”
Mr. Lin, who was born in Taiwan and came to the United States in 1987, used a Chinese translator during a brief court hearing Tuesday at which his bail was set at $500,000. He will formally enter a plea at arraignment, scheduled for Jan. 3. He could face 10 years in prison if he is convicted.
It is the second recent prosecution of New Jersey residents accused of planting logic bombs in company computers. Last week a former employee of UBS PaineWebber, said to be angered that his 2002 bonus was less than promised, was sentenced to eight years and ordered to pay $3.1 million in restitution for crashing 2,000 of the company servers.
In 1996, an information technology administrator with Omega Engineering in Bridgeport, N.J., used a logic bomb that activated 20 days after he was fired from the company to erase all of its data.
Dawn M. Cappelli, a senior member of Carnegie Mellon University’s Computer Emergency Response Team, said logic bombs are typically put in place by disgruntled employees bent on revenge. They are designed to erase data and wreak havoc when a set date arrives or other external conditions are met. Unlike viruses, which originate outside of a system and which must go through firewalls and other intrusion detection devices before doing damage, logic bombs are internal and harder to detect ahead of time, Ms. Cappelli said.
At Medco, the bomb was discovered by a systems analyst on the trail of an unrelated computer problem. A company investigation led to Mr. Lin being dismissed from his $125,000-a-year job for misconduct, and the case was referred by Medco to the Federal Bureau of Investigation Cybercrime Unit. After an investigation of nearly two years, in which Mr. Lin himself was frequently interviewed, an indictment was handed up this week.
It charges that Mr. Lin first installed the logic bomb at a time when Medco, formerly a subsidiary of the pharmaceutical giant,
Mr. Lin, who has an 18-year-old son and an 11-year-old daughter, has not worked in computers since leaving Medco in 2005, and most recently worked as an office manager for a friend from his church, the Christian Chinese Church of New Jersey, a Presbyterian congregation.
In an interview at the federal courthouse after the hearing, his wife said that over the last 18 months Mr. Lin “had prayed to God every day because he knew he didn’t do anything wrong.”
His lawyer, Ms. Wong, accused the government of selectively prosecuting Mr. Lin because of his race, comparing the situation to that of Wen Ho Lee, the Los Alamos scientist who was accused of leaking highly classified warhead data to China. After a five-year investigation, Mr. Lee pleaded guilty in 2000 to a single felony count of mishandling secrets and was released, having spent nearly nine months in solitary confinement.
The United States attorney’s office denied that Mr. Lin’s prosecution was racially motivated.
The case highlights the increasingly important role of private, managed care health systems in the country. Medco, a company which had $38 billion in revenue in 2005 and which employs 15,000 people as well as 2,200 pharmacists, is what is known as a prescription benefit management company. Employer health plans use such companies to keep track of prescriptions; dispense them, often by mail; help set reimbursement rates; designate preferred medications and even dosages for particular conditions; and help negotiate the price that a plan will pay to a pharmaceutical company.
Such companies also deal with retail pharmacies that can access their data banks when filling a plan member’s prescriptions. A local pharmacist would then have the cost allowed by the plan for the prescription as well as a history of the patient’s medications. Dr. John L. Colaizzi, dean of the Ernesto Mario School of Pharmacy at Rutgers University, said that such records allowed the pharmacist to perform the all-important “Drug Utilization Review” so that patients “do not get in trouble with drug interactions.”
Soraya Rodriguez-Balzac, a spokeswoman for Medco, said that the company’s pharmacists could provide the same kind of review. But the real value of Medco’s data, she said, is as a research tool to determine the best and most economical drug treatments for many chronic conditions.