Class Action Suit Filed Against Maryland Med Center After Pharmacist Installs Spyware

In a shocking case, the University of Maryland Medical Center (UMMC) is facing a class action lawsuit alleging that one of its pharmacists installed malicious software on hundreds of coworkers’ laptops and workstations over the course of a decade to spy on their personal lives.

The Lawsuit

The complaint and demand for a jury trial was filed by attorneys representing 6 Jane Doe plaintiffs, both individually and on behalf of the class of similarly situated individuals. The complaint alleges that “for nearly a decade, a single pharmacist named Matthew Bathula installed spyware on at least 400 computers in clinics, treatment rooms, labs and a variety of other locations at one of the nation’s premier teaching hospitals. Bathula used this spyware to remotely access webcams to record videos of young doctors and medical residents pumping breastmilk in closed treatment rooms, and to use home security cameras to record women breastfeeding their babies, interacting with young children, and having sex with their husbands in the privacy of their homes. He accessed his coworkers’ personal photo libraries and captured, downloaded, and retained their intimate photographs and personally-identifiable information.”

Pharmacist Bathula allegedly installed keyloggers on over 400 UMMC computers over the course of a decade. These keyloggers reportedly transmitted usernames and passwords for his coworkers’ personal accounts, including bank accounts, dating apps, home surveillance systems, Google Drive, and iCloud accounts. “Because Bathula was able to learn username and password patters,” noted the complaints, “he was able to gain access to UMMC computer users’ personal accounts even though the user had never specifically logged into that account on a UMMC computer.”

The complaint asserts that UMMC learned of the spyware, and, on October 1, 2024, sent an email blast to employees alerting them to a cyberattack which may have compromised their data. UMMC promised to contact “potentially impacted team members and patients” directly, but the plaintiffs in this case claim that the only entity to contact them was the US Federal Bureau of Investigation (FBI), which is investigating the case.

Plaintiffs claim that UMMC should have known this was happening, should have had industry-standard protections in place on computers, and should not have given Bathula unhampered access to the center’s computers. Plaintiffs also claim that the medical center has replaced the compromised computers, removed, and replaced cameras in the building, but has not notified patients who may have been surveilled and/or recorded.

Plaintiffs are charging UMMC with negligence, negligent supervision and retention of Bathula, negligent security, and intrusion on plaintiffs’ seclusion—invasion of privacy. They are seeking damages, including compensatory and punitive damages, interest, and litigation expenses/attorney fees.

UMMC has issued a statement in response to allegations against Bathula. In it, UMMC states “the actions alleged in this matter run counter to every single value we stand for. At every level of our organization, we are deeply disappointed and angered at the actions of the individual at the center of this criminal investigation.”

The Takeaway

This is a big case which may have some major repercussions for medical centers that fail to adequately protect the privacy of employees and patients.

References

Jane Doe 1; Jane Doe 2; Jane Doe 3; Jane Doe 4; Jane Doe 5; Jane Doe 6 v University of Maryland Medical System Corporation; University of Maryland Medical Center, LLC. No C-24-CV-25-002505. In the Circuity Court for Baltimore City, Maryland; 2025. https://www.gelaw.com/ge/press-release/UMMC-First_Amended_Class_Action_Complaint_and_Demand_For_Jury_Trial.pdf

University of Maryland Medical System statement on recent cyber incident. Press release. University of Maryland Medical Center. Published April 3, 2025. Accessed April 23, 2025. https://www.umms.org/ummc/news/2025/university-of-maryland-medical-system-statement-on-recent-cyber-incident