Pharmacist accused of using webcams to spy on women in intimate moments at work, home – Source: go.theregister.com

A now-former pharmacist at the University of Maryland Medical Center (UMMC) has been accused of compromising the US healthcare organization’s IT systems to ogle female clinicians using webcams at their workplace and at their homes.

The civil lawsuit [PDF], filed last week in a Baltimore circuit court by Grant and Eisenhofer attorney Steve Kelly on behalf of six unidentified Jane Doe plaintiffs, alleges egregious privacy violations.

Specifically, it’s claimed a UMMC pharmacist identified as Matthew Bathula used cameras connected to malware-infected PCs and home security systems to watch coworkers breastfeeding, having sex with their partners, and more.

… spyware on at least 400 computers in clinics, treatment rooms, labs and a variety of other locations

“For nearly a decade, a single pharmacist named Matthew Bathula installed spyware on at least 400 computers in clinics, treatment rooms, labs and a variety of other locations at one of the nation’s premier teaching hospitals,” reads the complaint.

“Bathula used this spyware to remotely access webcams to record videos of young doctors and medical residents pumping breastmilk in closed treatment rooms, and to use home security cameras to record women breastfeeding their babies, interacting with young children, and having sex with their husbands in the privacy of their homes.”

The alleged cyber-voyeurism is said to have extended to accessing victims’ photos and identification documents stored on cloud services, such as Google Drive. By installing keylogging software on UMMC computers, Bathula was able to learn victims’ username and password patterns, which allowed him to infer the passwords of personal accounts unconnected to the university, as well as the webcam snooping, it is claimed.

The lawsuit targets UMMC, rather than the named pharmacist, and claims the organization was negligent for failing to detect or stop Bathula’s use of keylogging software on hospital systems. It contends UMMC failed to comply with America’s Health Information Technology for Economic and Clinical Health Act, which imposes health record security and breach notification obligations such as limiting the installation of software/hardware to administrators, preventing the use of USB drives, and the application of various other security controls.

“An employee in defendants’ IT department stated that defendants were aware of a potential hacking incident for years but were unable to ‘catch’ the offender,” the complaint contends, before alleging that another employee in the UMMC IT department flagged a potential security breach in the summer of 2024 but no perpetrator was identified.

• Webcam hacker perverts in mass home invasion
• School district avoids charges over webcam spy scandal
• Brit webcam criminal snared in FBI creepware sting spared prison
• Voyeur escapes US extradition over webcam malware

The lawsuit goes on to say that on October 1, 2024, the hospital sent out a mass email alerting recipients to “a serious IT incident that may have impacted patients and team members at the University of Maryland Medical Center Downtown Campus.”

That email detailed the discovery of “a highly sophisticated and very difficult to detect cyberattack that has resulted in the theft of data from shared UMMS computers located at the University of Maryland Medical Center and the Frenkil Building.”

Other than acknowledging that data theft had occurred for an indeterminate period, the UMMC communique failed to notify employees whether their personal data had been accessed or if they had been spied upon in exam rooms or elsewhere, it’s claimed.

Victims are said to have learned of the alleged illicit observations when contacted by FBI investigators.

We are deeply disappointed and angered at the actions of the individual at the center of this criminal investigation

Following the October notification, UMMC is said to have placed Bathula on administrative leave and then to have terminated his employment. But it’s alleged that he was subsequently hired at a different medical facility that was not informed about the allegations.

Bathula could not be reached for comment. His Maryland State Board of Pharmacy license is currently active and he is not listed on the board’s formal disciplinary action page.

In a statement published to its website, UMMC wrote: “The actions alleged in this matter run counter to every single value we stand for. At every level of our organization, we are deeply disappointed and angered at the actions of the individual at the center of this criminal investigation.

“It’s our most sincere hope and expectation that the person alleged to have violated the trust of his colleagues and of our organization will be held accountable to the fullest extent of the law, which is why we have worked collaboratively over the past several months with the FBI and US Attorney’s Office who are engaged in an active criminal investigation.”

UMMC insists it is now working to better protect its IT systems and apologized to those affected by the scandal. ®