Former Maryland hospital pharmacist Matthew Bathula has been indicted over allegations of an eight-year cyber intrusion and surveillance campaign involving unauthorized access to employer systems, credential theft affecting nearly 200 individuals, and the installation of spyware during his employment at a University of Maryland Medical Center clinical role.
Case Overview
The indictment describes conduct for the period July 2016 to September 2024 involving repeated unauthorized access to computer systems linked to Bathula’s workplace environment. Bathula, 41, of Clarksville, is alleged to have used multiple access techniques to obtain and retain access to protected systems and personal accounts tied to current and former employees, as well as individuals associated with those employees. The alleged conduct happened while he was a pharmacy clinical specialist handling a medical system in the District of Maryland.
Authorities state the conduct included persistent access efforts across employer-linked systems and external personal accounts tied to victims. The case involves long-term access to digital accounts and devices used by individuals connected to the workplace environment.
Alleged Cyber Attack Methods
The indictment outlines several methods allegedly used to gain and maintain unauthorized access, including installation of keyloggers, and cookie management tools. The mailbox rules were allegedly used to delete security warning messages, including alerts related to account activity.
The stolen credentials reportedly included usernames, passwords, cookies, images, and videos that may contain protected health information. Investigators allege that cookies allowed continued access to victim accounts on Bathula’s personal devices. The attack methods supported repeated access without direct detection through normal security alerts.
Scope of Data Access and Surveillance
According to the indictment, credentials linked to nearly 200 victims were obtained and used to access social media platforms and multiple digital services. These services included Google Photos, Google Nest, iCloud Photos, dating applications, Gmail, and Microsoft 365 accounts.
Between February 2023 and July 2024, spyware was allegedly installed on employer-owned computers. This installation enabled video surveillance activity within the workplace environment. The system access reportedly included internet-enabled cameras used to record video of staff members in clinical settings.
The indictment further alleges that surveillance activity included recordings of individuals in sensitive workplace situations, such as in private treatment areas. Additional allegations describe access to home security systems belonging to victims, which were used to capture video recordings in private residential settings involving personal and family interactions.
Charges and Potential Penalties
Bathula has been charged with two counts of unauthorized access to a protected computer and one count of aggravated identity theft. The charges relate to both employer systems and victim accounts accessed through stolen credentials.
The potential penalties include up to 10 years for unauthorized access to a protected computer at the employer site, up to five years for unauthorized access to victims’ protected computers, and up to two years for aggravated identity theft. The aggravated identity theft penalty is required to run consecutively to any other sentence imposed.
Employer Response and Related Litigation
While the employer identified in the indictment is not named directly, Bathula was employed by the University of Maryland Medical Center as a clinical pharmacist. The indictment has been linked to workplace activity within that system.
University of Maryland Medical Center is facing legal action filed by at least six current and former employees related to the alleged conduct. The claims include negligence, negligent supervision and retention, negligent security, and intrusion upon seclusion and invasion of privacy. The lawsuit requests a jury trial, monetary damages, litigation expenses, attorneys’ fees, and injunctive and declaratory relief.
A University of Maryland Medical System spokesperson stated that the organization prioritizes patient and staff safety, acknowledged cooperation with law enforcement, and expressed condemnation of the alleged actions. The statement also referenced continued support for affected team members and participation in the investigation process.