BALTIMORE — A recently filed class action lawsuit accuses a former pharmacist at the University of Maryland Medical Center of having hacked into hundreds of computers.
Court documents say Matthew Bathula targeted at least 80 of his coworkers, most of whom are women pharmacists, residents, and other medical professionals.
Bathula allegedly accessed their computers using passwords and usernames extracted from UMMC computers and was able to gain access to their personal email, texts, photo libraries, and "private and sensitive electronically stored information."
He also allegedly downloaded partially nude photographs and recordings, as well as photographs and recordings depicting the women breastfeeding their children.
The complaint states Bathula activated internet-enabled cameras in patient treatment rooms to watch and record coworkers he knew to be pumping breast milk at work, and accessed home security cameras remotely to spy on the women in their homes, recording all of them in multiple stages of undress, in private family interactions, and having intercourse with their husbands.
Bathula accessed at least 400 computers, per court documents, and the active spying went on for at least a decade.
Lawyers with Grant & Eisenhofer, the law firm representing the complainants, said this "shocking" conduct is only possible because of the "complete breakdown within UMMC's cybersecurity protocols."
“Our clients are highly skilled professional women who trusted their employer to protect their privacy. By enabling a co-worker to so intrusively invade their few precious private moments with family, friends, and nursing newborn babies, UMMC fundamentally violated that trust,” said Cindy B. Morgan, a Grant & Eisenhofer attorney representing the plaintiffs.
The firm stated every medical provider is required to institute safeguards to protect electronically stored patient information against many kinds of cyber threats, and "as a leading teaching and research hospital with thousands of employees, UMMC is held to a higher standard."
"...UMMC failed to meet even the most basic standards that apply to any medical provider maintaining protected electronic health records. If followed, any one of these protocols would have prevented the perpetrator from installing the spyware, blocked the remote transmissions that allowed him to capture confidential information, and immediately alerted UMMC’s cybersecurity personnel of his activity. That no UMMC cybersecurity protocol blocked or revealed the conduct for so long is baffling."
The complaint alleges UMMC has known about the misconduct since September 2024, but the only victims who were made aware of being targeted were those who talked with the Federal Bureau of Investigation.
The complaint notes that no charges have been filed against Bathula and that he is not currently employed by UMMC, but he does work as a pharmacist at another facility in Maryland.
The firm also said that UMMC has not revealed anything about the status of an investigation into its "institutional security failures that led to this heinous invasion."
“While our clients fully intend to respect and cooperate in the federal investigation, they filed this complaint to ensure the perpetrator is immediately prevented from harming any patients and/or additional colleagues, all of his victims are informed and offered a chance to seek justice, and UMMC is held fully accountable,” said Steven J. Kelly, a Baltimore-based Grant & Eisenhofer Principal.
WMAR-2 News reached out to UMMC for comment and received this statement:
"The actions alleged in this matter run counter to every single value we stand for. At every level of our organization, we are deeply disappointed and angered at the actions of the individual at the center of this criminal investigation. It’s our most sincere hope and expectation that the person alleged to have violated the trust of his colleagues and of our organization will be held accountable to the fullest extent of the law, which is why we have worked collaboratively over the past several months with the FBI and US Attorney’s Office who are engaged in an active criminal investigation. Healthcare organizations and the people who work in them have unfortunately in recent times become the victims of cyberattacks from threat actors, and we continue to take aggressive steps to protect our IT systems in this challenging environment. We understand the sensitivity of some of the information involved in this matter and extend our deepest regret and compassion to those affected by this individual’s actions."