Maryland Man Indicted for Unauthorized Access to Medical System Computers

Federal prosecutors in Baltimore indicted Matthew Bathula, a 41-year-old Clarksville resident, on two counts of unauthorized access to a protected computer and one count of aggravated identity theft. The charges stem from his actions while employed as a pharmacy clinical specialist at Company A, a medical system in Maryland, according to the Justice Department release dated May 1, 2026.

The indictment affects Company A, which operates as a medical system providing healthcare services across Maryland. While the release does not specify the exact number of patients or records involved, unauthorized access to protected computers in a medical context typically impacts patient data privacy and system integrity, as defined under federal statutes protecting health information.

The charges indicate Bathula accessed the system without permission, leading to identity theft allegations.

Prior to the indictment, no federal charges existed against Bathula for these actions. Now, he faces prosecution in the U.S. District Court for the District of Maryland, with the aggravated identity theft charge carrying a mandatory minimum sentence of two years in prison if convicted, per 18 U.S.C. § 1028A.

The unauthorized access charges fall under 18 U.S.C. § 1030, which prohibits intentional access to protected computers without authorization. The case proceeds to arraignment and trial phases, with no specific dates announced in the release.

Conviction on these charges triggers several operational consequences. The Justice Department must present evidence in court, potentially including digital forensics from the medical system's servers. Company A will likely need to enhance its cybersecurity protocols to comply with federal health data regulations under the Health Insurance Portability and Accountability Act, which mandates safeguards for protected health information.

Prosecutors could seek restitution for any damages to the medical system, and the case may prompt audits by agencies like the Department of Health and Human Services to ensure broader compliance in Maryland's healthcare sector.

This indictment follows a pattern of federal enforcement against cyber intrusions in critical infrastructure, including healthcare. The Justice Department has pursued similar cases in recent years, such as indictments for hospital data breaches in other districts, reflecting ongoing efforts to deter unauthorized access under the Computer Fraud and Abuse Act, originally enacted in 1986 and amended multiple times to address evolving cyber threats.