
A former pharmacist at the University of Maryland Medical Center (UMMC) allegedly installed keyloggers on over 400 hospital computers over a decade, secretly recording colleagues—primarily women—through webcams and capturing sensitive personal data. The class-action lawsuit, filed in March 2025, accuses UMMC of negligence for failing to detect or prevent the breaches, which included unauthorized access to personal emails, bank accounts, and home surveillance systems [1].
Technical Overview of the Attack
The alleged perpetrator, Matthew Bathula, reportedly used keyloggers and remote access tools to compromise hospital workstations. The lawsuit claims he disabled webcam indicator lights to avoid detection while recording breastfeeding sessions in exam rooms and capturing intimate moments [2]. The hospital’s cybersecurity shortcomings—such as unrestricted USB drive usage and lack of download monitoring—allowed the spyware to persist undetected for years. Victims only became aware of the breaches after the FBI contacted them with evidence [3].
Institutional Failures and Legal Implications
UMMC, a major teaching hospital, is held to higher cybersecurity standards but allegedly ignored basic protocols. The lawsuit highlights the absence of USB port restrictions and inadequate logging as critical failures. The hospital’s October 2024 internal email described the incident as a “sophisticated cyberattack” without mentioning Bathula’s involvement, raising questions about transparency [4]. The FBI and U.S. Attorney’s Office are investigating, but Bathula was reportedly employed elsewhere after his termination.
Relevance to Security Professionals
This case underscores the importance of endpoint monitoring, USB device controls, and webcam privacy safeguards in healthcare environments. Key takeaways include:
- Endpoint Detection: Behavioral analysis tools could have flagged anomalous USB activity or unauthorized webcam access.
- Physical Security: Disabling unused hardware interfaces (e.g., webcams in non-clinical areas) reduces attack surfaces.
- Logging: Centralized logging with retention policies might have revealed long-term unauthorized access patterns.
Remediation Recommendations
Organizations can mitigate similar risks by implementing application allowlisting, network segmentation for sensitive devices, and regular audits of privileged access. Technical controls like Group Policy to disable USB mass storage and hardware-based webcam kill switches are effective countermeasures. The case also highlights the need for mandatory cybersecurity training for non-IT staff to recognize social engineering tactics.
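A read-only audit of the USB mass storage control mentioned above, as an added example that is not from the lawsuit or the cited reporting. It assumes Windows endpoints; the function name Get-UsbStorageAudit is hypothetical, while the registry locations are the standard USBSTOR driver key, the Removable Storage Access policy key, and the USBSTOR device enumeration key.

```powershell
# Added example: audit removable-storage controls on one Windows endpoint.
# Read-only; run from an administrator PowerShell session.
function Get-UsbStorageAudit {
    [CmdletBinding()]
    param()

    $svcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $enumKey   = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

    # USBSTOR driver start type: 3 = load on demand (storage usable), 4 = disabled.
    $start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start

    # The "All Removable Storage classes: Deny all access" policy writes Deny_All = 1.
    $denyAll = (Get-ItemProperty -Path $policyKey -Name Deny_All -ErrorAction SilentlyContinue).Deny_All

    # Each instance key under Enum\USBSTOR records a mass-storage device that has been connected.
    $devices = @()
    if (Test-Path $enumKey) {
        $devices = Get-ChildItem -Path $enumKey -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ChildItem -Path $_.PSPath -ErrorAction SilentlyContinue } |
            ForEach-Object {
                $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    FriendlyName = $p.FriendlyName
                    InstanceId   = $_.PSChildName
                }
            }
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        UsbStorDriverStart  = $start
        DriverDisabled      = ($start -eq 4)
        GpoDenyAllRemovable = ($denyAll -eq 1)
        StorageBlocked      = ($start -eq 4) -or ($denyAll -eq 1)
        DevicesEverSeen     = @($devices).Count
        Devices             = $devices
    }
}

$audit = Get-UsbStorageAudit
$audit | Select-Object ComputerName, UsbStorDriverStart, GpoDenyAllRemovable, StorageBlocked, DevicesEverSeen
$audit.Devices | Format-Table -AutoSize
```

A workstation that reports StorageBlocked as False together with a non-empty device list is a candidate for follow-up review against the centralized logs.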
Conclusion
The UMMC case represents a severe institutional failure in both technical controls and incident response. With healthcare increasingly targeted by insider threats and external attackers, robust monitoring of privileged users and hardware interfaces is critical. The lawsuit’s outcome may set precedents for healthcare cybersecurity liability.
References
- [1] “Maryland pharmacist used keyloggers to spy on coworkers for a decade, victim alleges,” The Record, 2025. [Online]. Available: https://therecord.media/maryland-pharmacist-keylogger-spying-lawsuit
- [2] “Lawsuit alleges UMMC pharmacist hacked hundreds of computers to watch women undress,” WMAR-2 News, 2025. [Online]. Available: https://www.wmar2news.com/local/lawsuit-alleges-ummc-pharmacist-hacked-hundreds-of-computers-to-watch-women-undress
- [3] “Suit claims MD pharmacist hacked hospital computers to watch coworkers undress and breastfeed,” WTOP News, 2025. [Online]. Available: https://wtop.com/maryland/2025/04/suit-claims-md-pharmacist-hacked-hospital-computers-to-watch-coworkers-undress-and-breastfeed/
- [4] “Matthew Bathula: UMD hospital pharmacist accused in hacking scheme,” The Baltimore Banner, 2025. [Online]. Available: https://www.thebaltimorebanner.com/community/criminal-justice/matthew-bathula-umd-hospital-hack-32KWAHLG2RBNLFFVX5BAFILRCM/