BALTIMORE — A pharmacist at the University of Maryland Medical Center (UMMC) is being accused in a lawsuit of conducting a nearly decade-long campaign of cyber-voyeurism. Dr. Matthew Bathula, whose actions are at the center of a class-action lawsuit filed by six women on April 3, allegedly hacked hospital computers to activate webcams and secretly spy on young, female doctors and medical residents. According to the legal complaint, the alleged activities included watching victims undress, pump breast milk, and engage in personal moments in their homes.
Court documents outline that Bathula allegedly installed software on UMMC computers to steal user passwords, which he then used to access the home networks of his victims, reports WMAR. This enabled him to view private moments, including one instance where a woman was breastfeeding and spending time with her children at her Howard County home. The lawsuit further alleges that Bathula disabled the camera light on a computer to surreptitiously record videos, hacked into personal cloud accounts for sensitive photos and documents, and gained access to emails, texts, and personal libraries of information.
Related Article: Former University of Michigan Football Coach Matt Weiss Indicted on Hacking, Identity Theft Charges
The lawsuit claims that Bathula gained unauthorized access to at least 400 computers over the course of a decade. The plaintiffs argue that UMMC’s IT security measures failed to detect and prevent his actions, leaving other staff and patients potentially vulnerable. Attorneys representing the plaintiffs estimate there may be as many as 80 additional victims.
According to the lawsuit, Bathula was placed on administrative leave and subsequently fired by UMMC. However, hospital administrators allegedly did not notify his new employers of the allegations, raising concerns over what other workplace vulnerabilities he could exploit.
UMMC Cooperating with Authorities in Cyber-Voyeurism Case
The University of Maryland Medical System (UMMS), which oversees UMMC, has acknowledged working in collaboration with the FBI and U.S. Attorney’s Office for the ongoing criminal investigation. This follows an email circulated by hospital system officials in October, describing what they referred to as a “highly sophisticated” cyberattack targeting shared UMMS computers.
Following the incident, UMMC replaced compromised computers, cameras in exam rooms at the James Frenkil Building in downtown Baltimore, and installed additional security software to block further keystroke-logging activities, which had been used to record sensitive information.
The plaintiffs in the lawsuit allege that the hospital neglected to issue adequate warnings about Bathula’s actions, leaving victims unaware for months until FBI agents presented them with photographic evidence of the cyberattacks. The six women, most of whom are young doctors in training, argue that the security lapses have severely eroded their sense of safety, not only in their workplace but also in their homes.
The lawsuit describes UMMC’s security measures as “woefully inadequate” for allowing Bathula unfettered access to computers using his electronic badge, including in spaces where he had no legitimate reason to be.
Related Article: How Is Your Organization Protecting Video Privacy?
One of the plaintiffs described the violation of privacy as “life-shattering,” citing anxiety and fear that sensitive images could surface online. Attorneys for the group are demanding accountability from the hospital system and improved safeguards against similar breaches in the future.
Bathula, who had been recognized as “Preceptor of the Year” by the University of Maryland School of Pharmacy in 2015, has not been charged with a crime at this time, reports the Baltimore Banner. However, the Maryland Board of Pharmacy continues to list an active license under his name.
The lawsuit alleges that UMMC failed in its duty to protect employees and patients, pointing to decades of unchecked access through inadequate auditing of staff activities.
UMMS officials have called the incident a “serious IT breach” and have committed to ongoing collaboration with federal agencies to root out the extent of the hack. However, hospital administrators have reportedly not fully disclosed the potential scope of compromised data, leaving staff and employees concerned about residual vulnerabilities within the system.
University of Maryland Medical System Releases Statement
UMMC issued the following statement about the allegations against Bathula:
The actions alleged in this matter run counter to every single value we stand for. At every level of our organization, we are deeply disappointed and angered at the actions of the individual at the center of this criminal investigation.
It’s our most sincere hope and expectation that the person alleged to have violated the trust of his colleagues and of our organization will be held accountable to the fullest extent of the law, which is why we have worked collaboratively over the past several months with the FBI and US Attorney’s Office who are engaged in an active criminal investigation.
Healthcare organizations and the people who work in them have unfortunately in recent times become the victims of cyberattacks from threat actors, and we continue to take aggressive steps to protect our IT systems in this challenging environment. We understand the sensitivity of some of the information involved in this matter and extend our deepest regret and compassion to those affected by this individual’s actions.
