
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Lawsuit Filed Against Teaching Hospital Over Pharmacist’s Decade-long Cyber-Spying Campaign

A class action lawsuit has been filed against University of Maryland Medical System Corporation and University of Maryland Medical Center (UMMC) by six current and former employees who claim they were victims of cyber-voyeurism and cyber stalking by a former UMMC pharmacist. The lawsuit names six Jane Doe plaintiffs, and was filed individually and on behalf of similarly situated individuals.

According to the lawsuit, the former UMMC pharmacist Matthew Bathula installed keylogging software on approximately 400 laptops and workstations in clinics, treatment rooms, laboratories, and other locations at UMMC over the course of a decade. The spyware granted him access to the devices without requiring his credentials and allowed him to obtain the credentials of at least 80 staff members. The keylogger recorded keystrokes on devices as they were entered and allowed him to obtain credentials for personal accounts, including email accounts, financial accounts, dating apps, home surveillance systems, and more. The lawsuit claims he learned username and password patterns from the spyware, which allowed him to guess usernames and passwords even when the victims had not used UMMC devices to access their accounts.

Bathula was a Clinical Pharmacy Specialist at a clinic within UMMC and interacted with supervised pharmacy residents and other medical professionals. He then targeted those individuals, most of whom were young female pharmacists, residents, and other medical professionals. Bathula is alleged to have accessed Internet-enabled cameras and used them to record videos of young doctors and medical residents pumping breastmilk in closed treatment rooms in the Frenkil Building. He also used stolen credentials to access webcams and the home security cameras of his victims, recording videos of women breastfeeding babies, interacting with young children, and engaging in sexual acts with their husbands. He is also alleged to have accessed and downloaded photographs from his victims’ personal accounts and retained intimate photographs and personally identifiable information.

Bathula had no affiliation with the UMMC information technology (IT) department and was not authorized to install software on any computers at UMMC. According to the lawsuit, the activities of Bathula could only have been possible if there was “woefully inadequate” security at UMMC, given that the offenses spanned a decade and involved around 400 hospital devices. The only UMMC notification the plaintiffs received was an October 1, 2024, group email to staff warning about “a serious IT incident that may have impacted patients and team members at the University of Maryland Medical Center Downtown Campus.”

The email warned staff that, “over the last number of weeks, we have uncovered a highly sophisticated and very difficult to detect cyberattack that has resulted in the theft of data from shared UMMS computers located at the University of Maryland Medical Center and the Frenkil Building.” The email explained that there had been data theft involving “software that captures and records information that could be used to steal logins and passwords, allowing a perpetrator to impersonate another user online.” UMMC explained that prior to the email, investigations were being conducted by “highly specialized cybersecurity experts with experience in complex attacks.”

While the defendants claimed the affected individuals would receive notifications directly, at the time the lawsuit was filed those notification letters had not been issued. The only notifications received by the plaintiffs came from the Federal Bureau of Investigation (FBI) informing them that an investigation had been launched into the incident, with further details provided in subsequent interviews with FBI agents.

The lawsuit claims that Bathula had unfettered access to computers, laptops, and cameras at UMMC. To access computers, login credentials are required, and many of the locations where the compromised devices were accessed required an ID badge for entry. The lawsuit claims that Bathula had no work reason for accessing many of those locations, and his movements and activities were either known by UMMC or should have been known.

The defendants first placed Bathula on administrative leave while the matter was investigated, then terminated his employment. The lawsuit alleges UMMC removed and replaced 400 compromised computers as well as Internet-enabled cameras in patient examination rooms, and has since implemented additional cybersecurity controls, including disabling thumb drives on computers and restricting software installations from the Internet. The lawsuit claims the defendants were aware of a potential hacking incident for years but were unable to identify the person responsible, and that the reason for his termination was not communicated to another health system, where Bathula is currently working as a pharmacist, potentially putting the privacy of other employees and patients at risk.

The lawsuit asserts claims of negligence, negligent supervision and retention, negligent security, and intrusion upon seclusion-invasion of privacy. The lawsuit seeks a jury trial, compensatory, exemplary, and punitive damages, litigation expenses and attorneys’ fees, and injunctive and declaratory relief. The plaintiffs are represented by the law firm Grant & Eisenhower.

“Our clients are highly skilled professional women who trusted their employer to protect their privacy. By enabling a co-worker to so intrusively invade their few precious private moments with family, friends and nursing newborn babies, UMMC fundamentally violated that trust,” said Cindy B. Morgan, a G&E attorney representing the plaintiffs.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
