UMMC Faces Lawsuit Over Pharmacist’s Cyber-Spying Activities

University of Maryland Medical System Corporation and University of Maryland Medical Center (UMMC) are facing a class action lawsuit filed by six current and former staff members who say they were victims of cyber-voyeurism and cyberstalking by a former UMMC pharmacist. The six Jane Doe plaintiffs filed the lawsuit individually and on behalf of similarly situated persons.

According to the lawsuit, the former UMMC pharmacist, identified as Matthew Bathula, installed keylogging software on roughly 400 laptops and workstations in clinics, laboratories, treatment rooms, and other locations at UMMC over the past ten years. The spyware let him access the devices without entering his own credentials and enabled him to capture the credentials of about 80 employees. The keylogger recorded keystrokes as users typed on the devices, which gave Bathula the credentials for personal accounts, including financial accounts, email accounts, home surveillance systems, dating apps, and more. The lawsuit states that he identified username and password patterns from the captured data, enabling him to guess usernames and passwords even for accounts the victims never accessed from UMMC devices.

Bathula worked as a Clinical Pharmacy Specialist at a UMMC clinic alongside pharmacy residents and other healthcare specialists. He targeted young female pharmacy residents and other healthcare specialists. Bathula allegedly accessed web-enabled cameras to capture video of medical residents and young doctors pumping breast milk in treatment rooms in the Frenkil Building. He also used stolen credentials to access his victims’ home security cameras and recorded video of women breastfeeding their babies and engaging in sexual acts with their partners. He likewise viewed and downloaded his victims’ photographs and retained sensitive images, protected health information, and personally identifiable information.

Bathula was not affiliated with the UMMC information technology (IT) department and was not permitted to install software on UMMC computers. According to the lawsuit, Bathula’s activities, which spanned 10 years and about 400 hospital devices, were possible because of poor security at UMMC. The plaintiffs did not receive any notification from UMMC until October 1, 2024, when a group email to employees warned of an IT incident that might have affected patients and team members at the University of Maryland Medical Center Downtown Campus.

The email stated that, over a period of several weeks, a sophisticated and hard-to-detect cyberattack had resulted in data theft involving shared UMMS computers in the Frenkil Building and the University of Maryland Medical Center. It described the use of software that captured and recorded data, which could steal login credentials and enable an attacker to impersonate a user online. UMMC also mentioned that an investigation had been under way before the email was sent.

Although the defendants said affected individuals would be notified, no notification letters had been issued by the time the lawsuit was filed. The plaintiffs had only received notifications from the FBI stating that the incident was under investigation and that further details would follow.

The lawsuit states that Bathula obtained unrestricted access to computers and cameras at UMMC even though login credentials and an ID badge are required for access. It notes that Bathula had no work-related reason to access those systems and that UMMC should have been aware of his movements and activities.

In response to the incident, UMMC placed Bathula on administrative leave and then terminated his employment. The lawsuit claims UMMC removed the compromised computers and cameras and replaced them with new ones in patient exam rooms. Other cybersecurity controls included disabling thumb drives on computers and restricting software installations. According to the lawsuit, the defendants had known about the potential hacking for years but were unable to identify the individual responsible.

The lawsuit asserts claims of negligence, negligent security, negligent supervision and retention, and intrusion upon seclusion (invasion of privacy). It seeks compensatory, exemplary, and punitive damages, attorneys’ fees, legal costs, injunctive and declaratory relief, and a jury trial. The law firm Grant & Eisenhower represents the plaintiffs.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone