A pharmacist at the University of Maryland Medical Center installed spyware on hospital computers, allowing him to access intimate pictures and videos of medical personnel, according to a lawsuit filed last week against the medical system.

Matthew Bathula used the technology to remotely access webcams and “record videos of young doctors and medical residents pumping breastmilk in closed treatment rooms,” according to the lawsuit, filed March 27. He was also able to access home security cameras to record similarly intimate moments “in the privacy of their homes,” the complaint said.

Bathula, who was not named as a defendant and has not been criminally charged, accessed his co-workers’ personal photo libraries and downloaded “their intimate photographs and personally-identifiable information,” the suit states. Bathula could not be reached for comment Thursday evening.

Six women are seeking damages from the medical system.

The spyware allowed Bathula to access at least 400 computers, according to the lawsuit. The hacking lasted for about 10 years, until the hospital sent an email to employees on Oct. 1, 2024, “vaguely referencing ‘a serious IT incident’ that may have impacted patients and team members at the University of Maryland Medical Center Downtown Campus,” the lawsuit states.

The women became alerted to the matter only after they were contacted by FBI investigators, who showed them “samplings” of the files Bathula had stored on his devices and servers, the lawsuit states.

Bathula had installed a keylogger, a type of malware that records keystrokes, on computers to gain the usernames and passwords of employees, said Cindy Morgan, an attorney representing the plaintiffs.

Then, he was able to “rifle through” his colleagues’ files in cloud storage and “actively surveyed” employees, Morgan said.

Bathula was placed on administrative leave and subsequently fired, the complaint says. But the lawsuit alleges that the University of Maryland Medical System did not take proper steps to protect employees from spyware that would lead to such a breach of privacy.

Medical system representatives released a statement on Thursday saying that the organization has been cooperating with the FBI and U.S. Attorney’s Office investigation for several months. The alleged spying “runs counter to every single value we stand for,” the statement reads in part.

“Healthcare organizations and the people who work in them have unfortunately in recent times become the victims of cyberattacks from threat actors, and we continue to take aggressive steps to protect our IT systems in this challenging environment,” the statement continued. “We understand the sensitivity of some of the information involved in this matter and extend our deepest regret and compassion to those affected by this individual’s actions.”

Have a news tip? Contact Dan Belson at dbelson@baltsun.com, 443-790-4827, on X as @DanBelson_ or on Signal as @danbels.62. Contact Baltimore Sun Public Safety Editor Frank Gluck at fgluck@baltsun.com.