Nearly 200 co‑workers and other individuals were allegedly spied on over an eight‑year period, federal prosecutors say.
Matthew Bathula indicted in Maryland
The U.S. Department of Justice announced that a federal grand jury has charged Matthew Bathula with two counts of unauthorized access to a protected computer and one count of aggravated identity theft while he worked as a pharmacy clinical specialist for "a medical system" in the district of Maryland. Federal prosecutors allege the intrusions occurred between July 2016 and September 2024.
The indictment does not name the healthcare organization. Separately, Bathula is the subject of a proposed civil class action filed last year in Baltimore against his former employer, the University of Maryland Medical Center, which makes overlapping allegations.
Techniques alleged: keylogging, cookie export/import, mailbox rules and spyware
Prosecutors say Bathula "weaponized" several technological tools to obtain and maintain access. The indictment alleges the use of keylogging software, cookie managers, creation of mailbox rules and file masquerading. According to the charging documents, Bathula's repeated exportation of browser cookies "allowed him to import cookies into an internet browser and access victims’ accounts on other devices without their authorization," enabling persistent access from outside the medical system's network.
Federal prosecutors also described a mailbox rule that "automatically deleted incoming emails with the subject heading Critical Security Alert," an action the indictment says "prevented Company A cybersecurity personnel from knowing their accounts were compromised." Between February 2023 and July 2024, prosecutors allege Bathula installed a spyware program on one or more of the medical center's computers and used it to conduct video surveillance of people on site.
Alleged targets and the data taken
The indictment and the related civil complaint identify a wide range of personal and professional accounts prosecutors say were accessed. Those services include Google Photos, iCloud Photos, Gmail, Microsoft 365 and social media platforms. The civil lawsuit alleges Bathula installed keylogging software on hundreds of computers and workstations located in "clinics, treatment rooms, labs and a variety of other locations throughout the UMMC campus."
According to the lawsuit, Bathula obtained coworkers' usernames and passwords for personal accounts—examples listed include home surveillance systems, Dropbox, dating applications and Google Nest—and then downloaded private photographs, videos and personally identifying information. The complaint further alleges Bathula used credentials to access webcams, "surveilled UMMC employees in real time in the privacy of their own homes and captured and recorded private and intimate moments with their spouses and families," and recorded victims without their consent, "including people engaged in breast pumping."
Legal exposure and official statements
If convicted on the charged counts, Bathula faces statutory maximums of up to 10 years in prison for unauthorized access to the medical center's protected computer, five years for unauthorized access to individual victims' protected computers, and a maximum of two years for aggravated identity theft. The Department of Justice noted that the aggravated identity theft sentence must run consecutive to any sentence imposed on the second count.
Kelly Hayes, attorney for the district of Maryland, called the conduct "a reprehensible invasion of privacy," saying Bathula "betrayed the trust of his employer and co‑workers, as he gained access into the private worlds of nearly 200 victims without their knowledge or consent." FBI Special Agent Jimmy Paul said, "Matthew Bathula is accused of weaponizing technology to spy on hundreds of unsuspecting victims for eight years."
An attorney for Bathula did not immediately respond to ISMG's request for comment on the indictment. An attorney representing plaintiffs in the lawsuit against the University of Maryland Medical Center also did not immediately respond to ISMG's requests for comment.
What this means for the University of Maryland Medical Center, cybersecurity teams, and affected employees
- University of Maryland Medical Center (UMMC): The civil class action filed in Baltimore names UMMC and alleges installations and data exfiltration across its campus; UMMC faces parallel civil scrutiny even as the criminal case proceeds against the former employee.
- Cybersecurity teams: The indictment highlights specific techniques — exported browser cookies, mailbox rules that delete "Critical Security Alert" messages, and local spyware installations — that defenders may need to monitor for and block within enterprise environments and incident response playbooks.
- Affected employees and patients: The complaints allege unauthorized access to intimate images, home surveillance feeds and webcam recordings, including recordings of breastfeeding, representing personal harms that extend beyond conventional data breaches and into direct invasions of privacy.
The criminal indictment and the pending civil suit together frame a rare — and, by the allegations, prolonged — case of internal abuse of access. Prosecutors have set out specific techniques and a long timeline; the courts will now weigh those allegations in criminal proceedings and in the class action. The record filed so far makes clear both the tools that investigators say were used and the personal scope of the alleged intrusions, leaving open the legal and operational consequences still to be determined by judges and juries.
