The class action lawsuit against the University of Maryland Medical Center (UMMC) has taken a disturbing turn as new details emerge regarding the allegations against pharmacist Matthew Bathula. The lawsuit, filed in a Baltimore court, accuses Bathula of installing keylogging software on 400 laptops and workstations over a decade to spy on at least 80 coworkers, accessing their personal information and recording them in their homes and at work.
According to attorneys representing the plaintiffs, Bathula used the stolen credentials to access a variety of personal accounts belonging to his coworkers, including bank accounts, email, home surveillance systems, dating applications, and more. The lawsuit alleges that Bathula not only accessed this information but also recorded private and intimate moments of his coworkers and their families, including young doctors and medical residents at work.
UMMC has responded to the allegations by stating that they are unable to comment on the specifics of the case due to ongoing litigation and the criminal investigation into Bathula by federal law enforcement. The hospital did confirm that Bathula was terminated immediately after the security threat was identified in October 2024, and that the FBI has been leading the investigation into the matter.
Attorney Cindy Morgan, representing the plaintiffs, has criticized UMMC for failing to implement adequate data security measures that could have prevented such a breach from occurring. She alleges that the hospital neglected to restrict user permissions, disable USB devices, install USB data blockers and keystroke encryption software, use robust firewalls, and conduct regular IT security audits.
The scope and scale of the cyberstalking attack perpetrated by Bathula has raised serious concerns among experts in the field. Former federal prosecutor Andrew Wirmani described the case as one of the most egregious cybersecurity incidents he has seen, emphasizing the potential harm that can be inflicted on individuals through electronic surveillance.
Regulatory attorney Rachel Rose echoed these sentiments, pointing out the alarming nature of the allegations and questioning why the misconduct went undetected for so long. She highlighted the importance of implementing strong technical, administrative, and physical safeguards to prevent such breaches from occurring in the future.
As the investigation into the UMMC case continues, healthcare organizations are urged to take note of the vulnerabilities exposed by this incident. It serves as a stark reminder of the importance of prioritizing cybersecurity measures to protect sensitive and confidential data, especially in industries like healthcare where patient safety and privacy are paramount.