Online drugs and logic bombs bring prison time

Breaking trust doesn’t usually get one prison time but authorities say in these cases it is more than justified. In Florida a pharmacy owner and a Kentucky physician pleaded guilty to conspiracy for their participation in an Internet pharmacy business that generated more than $126 million from the illegal sale of prescription pharmaceuticals.  Meanwhile in New Jersey, a systems administrator pleaded guilty to setting up a logic bomb that would have caused damage to a protected computer systems in excess of $5,000. 

In the first case, by pleading guilty, Claude Covino admitted that he was part-owner of Saveon RX Pharmacy, located in Florida, which was established primarily to service Internet pharmacy networks such as the Affpower organization.  Affpower recruited licensed pharmacies such as Covino’s to fill drug orders.  Saveon RX was the largest supplier of prescription pharmaceuticals to the Affpower organization. 

From approximately May 2005 through June 2006, the Saveon RX Pharmacy filled and shipped over 200,000 orders for prescription drugs, generating in excess of $26 million in revenue for Affpower.  Saveon RX received approximately $7 for each order shipped from the Affpower organization, in addition to the pharmacy’s product costs.  Covino also earned a personal commission for each order shipped by Saveon RX.  

Subramanya Prasad admitted under the terms of his plea agreement that, as a licensed physician in Kentucky and Ohio, he was recruited by Affpower to review and approve orders for prescription drugs.  In a four-month period between March and June 2006, he approved more than 30,790 orders for prescription drugs from Affpower customers.  He occasionally reviewed and approved more than 1,000 orders in a day, sometimes spending fewer than five seconds reviewing the online medical questionnaire. 

Affpower usually paid Dr. Prasad $3 for every customer order he reviewed and his earnings during that four-month period exceeded $95,000.  Dr. Prasad also admitted that he and other Affpower doctors: had no contact with Affpower customers and lacked any physician-patient relationship with them; were not issuing prescriptions in the usual course of a professional practice; and were not issuing the prescriptions for a legitimate medical purpose, but simply to make money.   Covino faces a maximum of 25 years in prison for both counts of conspiracy.  Prasad faces a maximum of five years in prison for conspiracy to illegally distribute controlled substances.  Both are scheduled to be sentenced on March 17, 2008. Covino also agreed to forfeit $831,560.   Prasad also agreed to forfeit $95,994.  

Covino and Prasad are just two of 18 defendants charged by indictment on July 27, 2007, for their involvement in the Affpower online pharmaceutical business.  Defendants include: three physicians (including Prasad), two pharmacists, a pharmacy owner (Covino), an administrator and manager, two recruiters of physicians and pharmacies, a credit card processor, and eight affiliate website operators.   

In New Jersey Yung-Hsun Lin, also known as Andy Lin,  a former Unix system administrator at Medco Health Solutions, fearing he would lose his job to a layoff, admitted to planting malicious code that would have destroyed massive amounts of critical patient information. Lin had allegedly planted a "logic bomb" computer virus on Medco's systems in October 2003 over concerns he would lose his job after the company was spun off from Merck & Co that year. The code was designed to bomb data from 70 company servers. According to authorities a coding error prevented the disaster in the following year. Lin, who at that time survived the layoffs, reprogrammed the code in September 2004 and set it to go off on his birthday April 23, 2005. 

The malicious code was discovered in January during the investigation of a system error and soon pulled out of the system. Lin was later arrested following an FBI investigation. Medco said it cost the company between $70,000 and $120,000 to fix the code. 

According to a Computerworld article, had it gone off as scheduled, the malicious code would have wiped out data stored on 70 servers. Among the databases that would have been affected was a critical one that maintained patient-specific drug interaction information that pharmacists use to determine whether conflicts exist among an individual's prescribed drugs. Also affected would have been information on clinical analyses, rebate applications, billing, new prescription call-ins from doctors, coverage determination applications and employee payroll data. 

The case is one of the most egregious examples yet of attempted computer sabotage by an insider, Asst. U.S. Attorney Erez Liebermann told Computerworld. Unlike most malicious logic bombs, which are designed to disrupt operations or inflict financial damage, Lin's malicious code could have affected "life and limb," Liebermann said. He faces a maximum sentence of 10 years and a fine of US$250,000.