A disturbing case of privacy invasion has rocked the University of Maryland Medical Center (UMMC), one of the US’s top teaching hospitals. A former pharmacist, Matthew Bathula, faces allegations of using malware and keylogging software to secretly watch female clinicians at work and in their homes. The accusations, detailed in a civil lawsuit filed on April 2, 2025, in a Baltimore circuit court, describe a near-decade-long scheme that violated the trust of coworkers and patients alike.
Six unidentified women, represented by attorney Steve Kelly of Grant and Eisenhofer, are suing UMMC for negligence, claiming the hospital failed to stop the breach despite warning signs. The lawsuit paints a chilling picture of cyber-voyeurism. It raises pressing questions: How could such a breach go undetected for years? What steps are hospitals taking to protect employees and patients from similar threats?
A Decade of Alleged Surveillance
The complaint alleges Bathula installed spyware on at least 400 computers across UMMC’s clinics, treatment rooms, and labs. This software reportedly gave him remote access to webcams, allowing him to record deeply personal moments without consent.
Victims included young doctors and medical residents. The lawsuit claims Bathula captured footage of women:
- Pumping breastmilk in private treatment rooms.
- Breastfeeding their babies at home via hacked home security cameras.
- Engaging in intimate moments with their partners.
- Interacting with their young children in what they believed was the safety of their homes.
Bathula’s alleged actions didn’t stop at webcam access. The lawsuit says he used keylogging software to steal usernames and passwords from UMMC computers. By analyzing patterns, he reportedly guessed passwords for victims’ personal accounts, including cloud services like Google Drive. This gave him access to private photos and identification documents.
How does someone exploit hospital systems for years without raising alarms? The scale of the breach has left many stunned.
UMMC’s Alleged Negligence
The lawsuit targets UMMC, not Bathula directly, arguing the hospital failed to safeguard its systems. It claims UMMC violated the Health Information Technology for Economic and Clinical Health Act (HITECH), which sets strict standards for securing health records. The hospital allegedly neglected basic security measures, such as:
- Limiting software and hardware installation to IT administrators.
- Blocking USB drives, which can introduce malware.
- Applying routine security updates to detect and remove threats.
Court documents reveal troubling details. One UMMC IT employee reportedly said the hospital knew of a potential hacking incident for years but couldn’t “catch” the culprit. Another IT staffer flagged a possible breach in the summer of 2024, yet no suspect was identified at the time.
On October 1, 2024, UMMC sent a mass email to staff and patients. It described a “highly sophisticated and very difficult to detect cyberattack” that led to data theft from shared computers at UMMC’s Downtown Campus and Frenkil Building. The email admitted the breach had gone on for an unknown period but offered little clarity. Employees weren’t told if their personal data was compromised or if they had been recorded in exam rooms.
Victims only learned of the alleged spying when FBI investigators reached out. Why didn’t UMMC act faster to warn those affected?
Fallout and Response
UMMC placed Bathula on administrative leave after the October email and later fired him. Shockingly, the lawsuit claims he was hired at another medical facility, which wasn’t informed of the allegations. Bathula’s Maryland State Board of Pharmacy license remains active, with no disciplinary actions listed publicly. Attempts to reach him for comment were unsuccessful.
In a statement on its website, UMMC expressed outrage. “The actions alleged in this matter run counter to every single value we stand for,” the hospital said. “We are deeply disappointed and angered at the actions of the individual at the center of this criminal investigation.” UMMC pledged to work with the FBI and the U.S. Attorney’s Office, which are conducting an active criminal probe. The hospital also vowed to strengthen its IT systems and apologized to those impacted.
But for many, the response feels too late. How can trust be restored after such a betrayal?
A Broader Wake-Up Call
This case highlights vulnerabilities in healthcare cybersecurity. Hospitals store sensitive data—patient records, employee details, and more—making them prime targets for cyberattacks. A 2023 report from the Cybersecurity and Infrastructure Security Agency noted a 78% rise in ransomware attacks on U.S. healthcare organizations between 2020 and 2022. While Bathula’s alleged actions weren’t ransomware, they expose gaps in basic security protocols.
For the six Jane Doe plaintiffs, the violation cuts deeper than data theft. They trusted UMMC as a workplace and a care provider. The lawsuit seeks unspecified damages for emotional distress, privacy violations, and the hospital’s failure to act. Attorney Steve Kelly emphasized the human toll. “These women were betrayed by someone they worked alongside,” he said in a press release. “UMMC had a duty to protect them and failed.”
What will it take for hospitals to prioritize cybersecurity? The answer could shape the future of patient and employee safety.
Moving Forward
UMMC faces mounting pressure to address the breach’s fallout. Employees and patients want transparency—details on what data was accessed, who was affected, and how the hospital will prevent future incidents. The FBI’s investigation may bring criminal charges against Bathula, but for now, the focus remains on UMMC’s accountability. The case serves as a stark reminder: no institution is immune to cyber threats. As technology advances, so do the risks. Will this scandal push healthcare providers to rethink their defenses? Only time will tell.
For the women at the heart of this lawsuit, the fight is personal. They’re seeking justice—not just for themselves, but for anyone whose privacy hangs in the balance.