He also noted that pharmacists around the country regularly tap into the Medco system to find out if patients' new prescriptions will interact badly with their current medications. If the malicious code had worked, pharmacists would have had no way to make sure a new prescription wouldn't put a patient's health at risk.
Such a situation could have caused grave financial and public relations trouble for Medco, which handles health insurance prescription benefit plans and is reportedly the largest mail-order pharmacy operation in the US. The company is based in Franklin Lakes, N.J.
Sentencing documents noted that in his role as systems administrator, Lin had access to Medco's network, which is made up of about 70 HP Unix servers, and that he was "proficient" in coding for them. The network contained applications related to clients' clinical analyses, coverage applications and billing, as well as corporate financial applications and employee payroll input. The network also ran the company's Drug Utilization Review, a database of conflicting drug interactions, as well as patient information.
In September 2003, as part of a restructuring after Medco was spun off from parent company Merck & Co., its Unix group merged with an e-commerce group. As part of that merger, "a number" of systems administrators were laid off in October of that year, according to government records. Lin did not lose his job.
Sentencing records also show that Lin began trading e-mails with his co-workers that September, discussing the anticipated layoffs. Then, in October, he sent an e-mail saying he was unsure whether he would survive the upcoming layoffs.
That same month, Lin modified existing code and inserted new code into pre-existing scripts on the Medco servers. Sentencing documents show that Lin wrote the code to delete nearly all the information on the affected servers, along with the Drug Utilization Review database, billing data and subscriber lists.
The logic bomb initially was set up to be triggered on April 23, 2004 -- Lin's birthday -- but it failed to launch because of a coding error. In September 2004, Lin changed the code to fix the error and reset it to deploy on April 23, 2005.
During the sentencing hearing today, Lin's attorney argued that his client simply made a mistake. Liebermann, however, argued that this was far from a mistake. "We said a mistake is something you make once," he said. "You fly off the handle and make a mistake. He had from October 2003 to January 2005 to wipe it out and he didn't."