There is a write-up of the whole sorry Medsphere VistA mess by Steven J. Vaughan-Nichols at http://www.linux-watch.com/news/NS7891815881.html
The moral of the story is, I think, that if one is about to release, under and open source license, code which has been developed in time paid for by someone else, and that includes one's employer, one should *always* get *explicit" permission *in writing*, on paper, signed by hand with a blue pen, from an appropriately authorised or delegated officer of the organisation which has paid for the development work. Had the Shreeve brothers bothered to have done that, then there would have been no court case now. And if the written permission to release the code had not been forthcoming, then they could have publicised that fact without the issue being muddied by questions of internal corporate governance within Medsphere. In summary, when doing open source development which someone else is paying for, the bureaucratic paperwork surrounding the public release of the resulting code does actually matter, a lot. If you are doing open source development in your own time, well, that's different. Tim C