University of Maryland Medical Center Faces Class Action Lawsuit Concerning Decade-Long Cyber-Spying Incident

Baltimore, MD (April 3, 2025) – Grant & Eisenhofer filed a class action complaint today on behalf of current and former University of Maryland Medical Center (UMMC) employees who are the victims of a decade-long cyber-voyeurism and cyber-stalking campaign perpetrated by a UMMC pharmacist.

The scope of the privacy violations the class members endured is extraordinary, if not unprecedented. The complaint details how the alleged perpetrator targeted about 80 of his co-workers, most of whom were young female pharmacists, residents and other medical professionals. Using passwords and usernames gleaned from UMMC computers, the perpetrator allegedly rifled through and accessed victims’ personal email, texts, photo libraries and private and sensitive electronically stored information. Among other things, he allegedly downloaded nude and partially nude photographs and recordings, photographs and recordings depicting victims breastfeeding their children, and other intimate private photographs and documents.

According to the complaint, the perpetrator actively spied on his targets using internet-enabled cameras within UMMC and in the victims’ homes. He allegedly activated cameras in patient treatment rooms to monitor and record co-workers he knew to be pumping breastmilk at work and remotely accessed home security cameras to spy on victims in their homes, recording those victims in various stages of undress, in private family interactions, and having sex with their husbands.

“Our clients are highly skilled professional women who trusted their employer to protect their privacy. By enabling a co-worker to so intrusively invade their few precious private moments with family, friends and nursing newborn babies, UMMC fundamentally violated that trust,” said Cindy B. Morgan, a Grant & Eisenhofer attorney representing the plaintiffs.

Almost as shocking as the conduct itself is the degree to which it was only possible because of the complete breakdown in UMMC’s cybersecurity protocols. The perpetrator’s scheme was not sophisticated. He allegedly used readily available spyware of which cybersecurity professionals are well aware. The complaint details how he accessed 400 UMMC computers in locations throughout the hospital campuses over the course of a decade.

Every medical provider is required to institute safeguards to protect electronically stored patient information against many kinds of cyber threats. As a leading teaching and research hospital with thousands of employees, UMMC is held to an even higher standard. But UMMC failed to meet even the most basic standards that apply to any medical provider maintaining protected electronic health records. If followed, any one of these protocols would have prevented the perpetrator from installing the spyware, blocked the remote transmissions that allowed him to capture confidential information, and immediately alerted UMMC’s cybersecurity personnel of his activity. That no UMMC cybersecurity protocol blocked or revealed the conduct for so long is baffling.

“That a healthcare professional so profoundly violated the privacy of young women engaged in cutting edge lifesaving work is reprehensible. But that he did it by exploiting the lack of any meaningful safeguards in the computer systems of one of the country’s top hospitals is simply outrageous,” said lead counsel for Plaintiffs, Elizabeth Graham, the head of Grant & Eisenhofer’s Complex and Mass Tort litigation practice.

UMMC has known about the misconduct since at least September 2024. But the only victims who have been told anything about whether they were specifically targeted and what was taken from them are those interviewed by the FBI. To date, no criminal charges have been filed against the perpetrator. Although UMMC allegedly terminated him, the complaint alleges that he still works as a pharmacist at another Maryland facility. Moreover, UMMC has revealed nothing about the status of any investigation into its institutional security failures that led to this heinous invasion. “While our clients fully intend to respect and cooperate in the federal investigation, they filed this complaint to ensure the perpetrator is immediately prevented from harming any patients and/or additional colleagues, all of his victims are informed and offered a chance to seek justice, and UMMC is held fully accountable,” said Steven J. Kelly, a Baltimore-based Grant & Eisenhofer Principal whose practice is focused on representing crime victims in civil and criminal proceedings.

This lawsuit is intended to ensure that all victims will have the opportunity to seek justice. If you or someone you know has been impacted, please contact Grant & Eisenhofer.

###

Contacts:

Steven J. Kelly
This email address is being protected from spambots. You need JavaScript enabled to view it.
443-791-1886

Cynthia B. Morgan
This email address is being protected from spambots. You need JavaScript enabled to view it.
302-652-9975