Former University of Maryland hospital pharmacist indicted on identity theft, voyeurism

BALTIMORE, MD (WBFF) — A Maryland man is facing a federal indictment stemming from an unauthorized computer access scheme involving a Maryland medical system.

Matthew Bathula, 41, of Clarksville, is charged with two counts of unauthorized access to a protected computer, and one count of identity theft for crimes committed while he worked as a pharmacy clinical specialist at the University of Maryland hospital.

According to the indictment, between July 2016 and September 2024, Bathula intentionally accessed computers without authorization and obtained information from protected computers, including victims’ usernames, passwords, cookies, images, videos, and other data.

ALSO READ | Two teens arrested in armed moped carjackings in east Baltimore

Authorities said that Bathula also used various cyber intrusion techniques, such as keylogging, cookie managers, mailbox rule creation, and file masquerading to obtain access to personal and professional accounts of people who were current or former employees, in a relationship with a current or former employee, and other people affiliated with the company.

This allowed Bathula to access victims’ online services such as Google photos, iCloud photos, Gmail, Microsoft 365, and social media accounts.

Officials said that the mailbox rule Bathula created automatically deleted incoming emails with the subject heading “Critical Security Alert.”

This rule prevented the company cybersecurity personnel from knowing their accounts were compromised.

Authorities said that Bathula’s exportation of browser cookies allowed him to import those cookies into an internet browser, and access victims’ accounts on other devices without their authorization.

This enabled Bathula to maintain unauthorized access to victims’ accounts on his personal electronic devices from locations outside of the company’s network.

ALSO READ | Maryland man, woman arrested at Dulles after 57 pounds of marijuana seized

Between Feb. 2023 and through July 2024, officials said that Bathula installed a spyware software program on one or more of the company’s computers. That software allowed Bathula to conduct video surveillance of people present at the hospital, and record victims without their consents, including people engaged in breast pumping.

Bathula’s alleged actions are a reprehensible invasion of privacy. He betrayed the trust of his employer and co-workers, as he gained access into the private worlds of nearly 200 victims without their knowledge or consent,” Kelly O. Hayes, the U.S. Attorney for the District of Maryland said. “We, along with our law-enforcement partners, are committed to holding individuals accountable who commit cybersecurity crimes, thereby harming unsuspecting people.

“Matthew Bathula is accused of weaponizing technology to spy on hundreds of unsuspecting victims for eight years,” FBI Special Agent in Charge Jimmy Paul said. “I am proud of the swift and thorough response by FBI Baltimore’s team of investigators who handled this case with urgency, care, and sensitivity. They worked diligently to identify and notify each of the 195 victims, who are located around the country, in just four months. The FBI will always investigate, pursue, and hold accountable those who hide behind screens and keyboards to exploit and violate the privacy of others.”

If convicted, Bathula faces up to 10 years in federal prison for unauthorized access to a protected computer, five years for unauthorized access to a protected computer, and a maximum of tow years of aggravated identity theft. By statute, the aggravated identity theft must run consecutive to any sentence imposed.