A former Maryland hospital pharmacist has been indicted for an alleged cyber spying campaign that prosecutors said lasted more than eight years and involved unauthorized access to computers, theft of credentials, and surveillance of nearly 200 victims.
Matthew Bathula, 41, of Clarksville, allegedly conducted the activity between July 2016 and September 2024 while employed as a pharmacy clinical specialist for a medical system identified in the indictment as Company A. Bathula was employed by the University of Maryland Medical Center as a clinical pharmacist.
The Allegations
According to the indictment, Bathula allegedly accessed computers without authorization and used multiple cyber intrusion techniques to obtain sensitive information. He used techniques, such as the use of keyloggers, cookie managers, file masquerading, and mailbox rules configured to avoid detection.
Bathula allegedly stole usernames, passwords, cookies, images, videos, and other sensitive information. Prosecutors alleged that the stolen data was used to monitor current and former employees, individuals connected to those employees, and other individuals affiliated with his employer.
The credentials associated with almost 200 victims were used to access social media accounts, Google Photos, Google Nest, iCloud Photos, dating applications, Gmail accounts, and Microsoft 365 accounts. Prosecutors also alleged that mailbox rules were created to remove warning notifications, including security alerts, from compromised accounts. Using stolen cookies, Bathula had continued access to victim accounts through his personal devices without requiring a connection to the employer’s network.
Between February 2023 and July 2024, prosecutors alleged that spyware was installed on one or more employer computers to enable workplace video surveillance and recording activities. The surveillance activity included the use of Internet-enabled cameras to record videos of young doctors and medical residents pumping breastmilk in closed treatment rooms. Bathula also used stolen credentials to access victims’ home security systems and recorded footage including women breastfeeding, interacting with young children, and engaging in sexual activity with partners.
The Indictment
Bathula has been charged with two counts of unauthorized access to a protected computer and one count of aggravated identity theft. The approved source stated that, if convicted, Bathula faces up to 10 years in prison for unauthorized access to a protected computer at Company A, up to five years for unauthorized access to victims’ protected computers, and up to two years for aggravated identity theft. Any sentence related to aggravated identity theft would run consecutively to other imposed sentences.
At least six current and former employees filed legal claims against the University of Maryland Medical Center connected to Bathula’s alleged conduct and HIPAA violations. The lawsuit asserted claims that included negligence, negligent supervision and retention, negligent security, and intrusion upon seclusion-invasion of privacy. The plaintiffs requested a jury trial, compensatory damages, exemplary damages, punitive damages, litigation expenses, attorneys’ fees, and injunctive and declaratory relief.
A spokesperson for the University of Maryland Medical System stated that the organization remained disappointed and angered by Bathula’s alleged actions and expressed appreciation for the agencies involved in the investigation. The spokesperson also stated that the organization continued cooperating with law enforcement and supporting affected members of its community.
