Stalking! Pharmacist accused of hacking computers to stalk co-workers

The University of Maryland Medical Center (UMMC) is facing a class action lawsuit that accuses a pharmacist of hacking computers to watch doctors undress and breastfeed. 

The lawsuit, which was filed on behalf of some current and former UMMC employees, accuses the pharmacist of a decades-long cyber-voyeurism and cyber-stalking campaign. 

UMMC identified the pharmacist as former employee Matthew Bathula.

Bathula allegedly targeted about 80 co-workers, most of whom were women. According to the lawsuit, he used security information from UMMC computers to access his victims' accounts and photos. 

Cindy B. Morgan, an attorney with Grant & Eisenhofer, tells WJZ that for at least 8 years, Bathula allegedly used keystroke software on UMMC computers to learn employees' usernames and passwords. From there, Morgan says he was able to download everything from social security numbers to texts and nude pictures. 

"Incredibly emotionally traumatic to learn that your iCloud could be hacked by somebody that you work with or that you could be surveyed in your home," Morgan said.

The lawsuit further alleges that he spied on his victims using internet-enabled cameras in their homes and at UMMC. 

He activated the cameras in treatment rooms to watch co-workers that he knew would be pumping breastmilk and accessed home security cameras to spy on victims as they were undressing or engaged in intimate acts, according to the lawsuit. 

"He was able to remotely turn off the green button that would alert them that their camera was on, he was able to change the settings, and then he actively surveyed them in their homes," Morgan said. "He surveyed them breastfeeding, he surveyed them having intimate moments with their spouses, he surveyed them nude, partially nude."

Lawsuit alleges lack of security measures

The lawsuit alleges that the privacy violations were only possible because of a breakdown in UMMC's cybersecurity protocols. 

"Our clients are highly skilled professional women who trusted their employer to protect their privacy. By enabling a co-worker to so intrusively invade their few precious private moments with family, friends and nursing newborn babies, UMMC fundamentally violated that trust," said Morgan. "UMMC failed in every way possible to secure the data of their employees."

According to attorneys, UMMC failed to meet basic cybersecurity standards that are required of any medical provider to maintain health records and protect against cyber threats. 

The lawsuit argues that security protocols would have prevented Bathula from installing spyware and getting confidential information.

No criminal charges filed 

The lawsuit alleges that UMMC has known about the alleged misconduct since September 2024. However, criminal charges have not been filed against Bathula, and some victims have not been notified.

The only victims who were told that they were targeted were those who were interviewed by the FBI. 

UMMC allegedly terminated Bathula's employment, but he still works as a pharmacist at another Maryland facility, according to the lawsuit. 

UMMC has not shared any updates on the investigation into its security failures, attorneys said. 

"While our clients fully intend to respect and cooperate in the federal investigation, they filed this complaint to ensure the perpetrator is immediately prevented from harming any patients and/or additional colleagues, all of his victims are informed and offered a chance to seek justice, and UMMC is held fully accountable," said Steven J. Kelly, a Baltimore-based Grant & Eisenhofer Principal.

UMMC responds 

UMMC identified Bathula in a statement shared Thursday and said they have been working with the FBI and U.S. Attorney's Office on a criminal investigation. 

"It's our most sincere hope and expectation that the person alleged to have violated the trust of his colleagues and of our organization will be held accountable to the fullest extent of the law," UMMC officials said in a statement. "We understand the sensitivity of some of the information involved in this matter and extend our deepest regret and compassion to those affected by this individual's actions." 

The statement continued, "Healthcare organizations and the people who work in them have unfortunately in recent times become the victims of cyberattacks from threat actors, and we continue to take aggressive steps to protect our IT systems in this challenging environment. We understand the sensitivity of some of the information involved in this matter and extend our deepest regret and compassion to those affected by this individual's actions." 

The attorneys who filed the lawsuit say they expect more victims to come forward.