In the context that people have been talking about is did he physically harm someone, the answer is no, in that sense there was no victim. I don't sympathize with him but he didn't cause physical harm to anyone and besides what it cost to remove the botnet from the clinic's machines he doesn't seem to have done any real economic harm here either. There was no patient information stolen, no damage to the clinic's reputation and no permanent damage to their systems.

10 years is egregious and heavily punitive. The prosecutor that speculated that he "could of caused harm" and that was what the entire punishment was predicated on. Our legal system is entirely draconian when it comes to computer crimes.

This should have been criminally probation or a few months in jail and a civil suit brought by the client for any actual damages.

I'm not saying there was no wrong doing but you're not going to convince me that the minor damages were worth 10 years of this guys life.

I agree that 10 years (any years) in prison is excessive for what he was accused of, but the term being thrown around in this thread was "victimless crime". The mere fact that someone had to pay to clean his botnet from their systems means that this crime had a victim.

A more reasonable sentence would have been 2-3x the cost of the cleanup—and details on the systems that were compromised—plus a certain amount of (extrajudicial) social ostracism along the lines of ISPs not being willing to sell him Internet access based on his past history of abusing such privileges.