Former Maryland Pharmacist Indicted Over 8-Year Cyber Spying Campaign

A former Maryland hospital pharmacist who is alleged to have engaged in a multi-year cyber spying campaign is facing up to 17 years in jail. Matthew Bathula, 41, of Clarksville, is alleged to have conducted the campaign for more than 8 years, between July 2016 and September 2024. During that time, he is alleged to have intentionally accessed computers without authorization and used a range of cyber intrusion techniques to steal sensitive data, including installing keyloggers and cookie managers, file masquerading, and setting up mailbox rules to avoid detection.

According to the indictment, these techniques allowed Bathula to steal a range of sensitive data, including usernames, passwords, cookies, images, and videos. The data was used to spy on current and former employees, individuals in a relationship with current and former employees, and other individuals affiliated with his employer. Credentials were obtained for almost 200 victims and were used to access their social media accounts, as well as Google Photos, Google Nest, iCloud Photos, dating apps, and Gmail and Microsoft 365 accounts. He also created mailbox rules to delete warning messages, such as Critical Security Alerts, to avoid detection. The stolen cookies allowed Bathula to maintain access to victims’ accounts from his personal devices, which were not connected to his employer’s network.

Further, between February 2023 and July 2024, spyware was installed on one or more of his employer’s computers, allowing him to conduct video surveillance of people at work and record video content. That included accessing Internet-enabled cameras and using them to record videos of young doctors and medical residents pumping breastmilk in closed treatment rooms. He is also alleged to have used stolen credentials to access the home security systems of his victims, which included using those systems to record video footage of women breastfeeding, interacting with young children, and engaging in sexual acts with their partners.

Bathula has been charged with two counts of unauthorized access to a protected computer and one count of aggravated identity theft while working as a pharmacy clinical specialist for Company A, a medical system located in the District of Maryland. “Bathula’s alleged actions are a reprehensible invasion of privacy. He betrayed the trust of his employer and co-workers, as he gained access into the private worlds of nearly 200 victims without their knowledge or consent,” Hayes said. “We, along with our law-enforcement partners, are committed to holding individuals accountable who commit cybersecurity crimes, thereby harming unsuspecting people.”

If found guilty, Bathula faces up to 10 years in jail for the unauthorized access to a protected computer at Company A, up to five years for unauthorized access to victims’ protected computers, and up to two years for aggravated identity theft. The aggravated identity theft sentence will be consecutive to any other sentence imposed.

While Company A was not named in the indictment, Bathula was employed by the University of Maryland Medical Center (UMMC) as a clinical pharmacist. At least six current and former employees have taken legal action against UMMC over Bathula’s actions. The lawsuit, which was reported on by The HIPAA Journal in April 2025, asserted claims for negligence, negligent supervision and retention, negligent security, and intrusion upon seclusion-invasion of privacy. The lawsuit seeks a jury trial, compensatory, exemplary, and punitive damages, litigation expenses and attorneys’ fees, and injunctive and declaratory relief.

The post Former Maryland Pharmacist Indicted Over 8-Year Cyber Spying Campaign appeared first on The HIPAA Journal.

Delta Dental Fined $2.25 Million Over 2023 MOVEit Transfer Hack

Delta Dental Insurance and Delta Dental of New York (Delta Dental) have agreed to pay a fine of $2.25 million to the New York Department of Financial Services to settle alleged violations of New York cybersecurity regulations. The violations were discovered during an investigation of a 2023 hacking incident that affected almost 7.1 million of its customers.

The incident in question occurred over the Memorial Day weekend in 2023 and was detected by Delta Dental on June 1, 2023. A Russian-speaking cybercriminal group called Clop (aka Cl0p) exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer managed file transfer solution, accessed the solution between May 27 and May 30, 2023, and exfiltrated approximately 60,000 files. The group then demanded a ransom to prevent the publication of the stolen files.

By July 6, 2023, Delta Dental confirmed that a range of sensitive personal and protected health information had been stolen, including names, addresses, Social Security numbers, driver’s license numbers, financial account information, and health information. Delta Dental was one of around 2,700 companies to fall victim to the automated mass exploitation attacks.

Delta Dental Insurance, a dental insurance underwriter, and its subsidiary, Delta Dental of New York, were investigated by the New York Department of Financial Services after being notified about the data breach on December 15, 2023. The Department of Financial Services identified several violations of state laws, including the failure to provide timely notice about the data breach. Under N.Y. Comp. Codes R. & Regs. Tit. 23 § 500.17(a)(1), covered entities are required to notify the superintendent about a cybersecurity incident within 72 hours of discovery.

According to the consent order, Delta Dental did not implement and maintain a written policy addressing incident response, in breach of the New York cybersecurity regulations for financial services companies (23 NYCRR § 500.3(n)), and did not have a written incident response plan that sufficiently addressed its reporting obligations to regulators, in violation of § 500.16(b)(6). Further, Delta Dental did not implement policies and procedures for the secure disposal of data no longer required for business purposes, as required by § 500.13.

The investigation found that most of the data stolen in the attack had been on the server for more than 30 days. By default, MOVEit Transfer sets the data retention period as 30 days; however, Delta Dental had changed the retention period first to 45 days, and then to 60 days for many folders. Some folders had data retention settings disabled and there were no written policies regarding requesting, reviewing, or approving changes to the data retention settings.

Delta Dental is required to pay the financial penalty, although there are no corrective actions required by the order. Provided Delta Dental complies with the consent order, the New York Department of Financial Services will take no further action. “The Department’s nation-leading cybersecurity regulation requires financial institutions to have robust policies in place to protect the personal information of New Yorkers,” said Kaitlin Asrow, acting superintendent of the New York Department of Financial Services. “As cybersecurity threats continue to grow, the Department is committed to holding institutions accountable.”


Urgent Action Required by MOVEit Automation Users

Progress Software has issued a warning to customers about a critical authentication bypass vulnerability in the MOVEit Automation application. MOVEit Automation is a managed file transfer (MFT) solution that serves as a central automation orchestrator for scheduling and managing file transfers between different systems, including on-premises servers, cloud storage, and third-party partners.

Remotely exploitable vulnerabilities in Internet-facing MFT applications are targeted by threat actors. Certain threat groups such as Cl0p have actively targeted enterprise-grade MFTs, mass exploiting the vulnerabilities in attacks on dozens and, in some cases, thousands of users.

The critical authentication bypass vulnerability is tracked as CVE-2026-4670 and has a CVSS v3.1 base score of 9.8 out of 10. It can be exploited by a remote attacker with no privileges in a low-complexity attack. The vulnerability affects MOVEit Automation versions prior to 2025.1.5, 2025.0.9, and 2024.1.8.

A second vulnerability, a high-severity privilege escalation flaw, has also been identified. The flaw, tracked as CVE-2026-5174, is due to improper input validation and has a CVSS v3.1 base score of 8.8. It affects MOVEit Automation versions from 2025.1.0 before 2025.1.5, from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, and versions prior to 2024.0.0. The flaw can be exploited in a low-complexity attack without privileges or user interaction.

Exploitation of these vulnerabilities could lead to unauthorized access to the application, and an attacker could gain administrative control and exfiltrate sensitive data. Progress Software has fixed both vulnerabilities in the latest version of the software, and users are advised to install the latest version as soon as possible to prevent exploitation. Progress Software said the only way to remediate the vulnerabilities is to upgrade to a patched release using the full installer. That will require the software to shut down to complete the upgrade.
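An added example, not from Progress Software or the original post: a triage script that checks an inventory of MOVEit Automation version strings against the fixed releases named above (2025.1.5, 2025.0.9, 2024.1.8). The inventory format, hostnames, and the handling of four-part build numbers are assumptions made for illustration.

```python
import re

# Fixed releases per release branch, as listed in the advisory summary above.
FIXED = {(2025, 1): (2025, 1, 5), (2025, 0): (2025, 0, 9), (2024, 1): (2024, 1, 8)}
OLDEST_FIXED = min(FIXED.values())

def parse_version(text):
    """Parse 'YYYY.N.P' into a tuple (assumption: extra build fields are ignored)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)*\s*", text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def triage(version_text):
    """Return (status, minimum_fixed_release_or_None) for one version string."""
    version = parse_version(version_text)
    fixed = FIXED.get(version[:2])
    if fixed is not None:
        return ("vulnerable" if version < fixed else "patched"), fixed
    if version < OLDEST_FIXED:
        # 2024.0.x and earlier: no in-branch fix is named, so the target is 2024.1.8.
        return "vulnerable", OLDEST_FIXED
    return "not-listed", None  # a branch the advisory text says nothing about

def triage_inventory(rows):
    """Group (host, version) rows by status; unparseable versions go to 'review'."""
    report = {"vulnerable": [], "patched": [], "not-listed": [], "review": []}
    for host, version_text in rows:
        try:
            status, fixed = triage(version_text)
        except ValueError:
            # Never silently skip a host: an unknown version needs a manual check.
            report["review"].append((host, version_text, None))
            continue
        target = ".".join(map(str, fixed)) if fixed else None
        report[status].append((host, version_text, target))
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [("mft-auto-01", "2025.1.4"), ("mft-auto-02", "2025.1.5"),
          ("mft-auto-03", "2024.0.3"), ("mft-auto-04", "2023.1.0"),
          ("mft-auto-05", "2025.0.8.2"), ("mft-auto-06", "unknown")]

if __name__ == "__main__":
    for status, rows in triage_inventory(SAMPLE).items():
        for host, version_text, target in rows:
            print(f"{status:11} {host} {version_text} -> {target or '-'}")
```

Hosts in the `review` bucket should be treated as unpatched until their version is confirmed.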

There are around 1,440 internet-connected devices running vulnerable MOVEit Automation versions, according to a Shodan search, some of which are used by state and local government agencies. Given the extent to which vulnerabilities in MFT solutions are targeted, exploitation is highly likely, although at the time of the announcement, Progress Software had not identified any exploitation in the wild.
