This noncommercial evidentiary archive is published under the whistleblower-immunity and anti-retaliation protections of:

• 18 U.S.C. §1833(b) — Defend Trade Secrets Act (DTSA) Whistleblower Immunity 
• 18 U.S.C. §1514A — Sarbanes–Oxley Act (SOX) Anti-Retaliation
• 15 U.S.C. §78u-6(h) — Dodd-Frank Act Anti-Retaliation
• 45 C.F.R. §160.316 — HIPAA Anti-Retaliation Rule
• N.Y. Lab. Law §740 — New York Whistleblower Protection Act 

No Nuvem trademarks, logos, or trade dress are used.
No commercial activity is conducted.

Under these statutes, the disclosure of cybersecurity risks, data-privacy concerns, and related compliance evidence is expressly immune from liability, non-commercial, and protected, even if an employer disagrees. Federal law also safeguards post-employment disclosures, including the publication of evidence necessary to explain or substantiate a protected report.

This archive presents sworn, timestamped documents showing that within five days:

1. I warned management of a sysadmin “master-key” risk.
2. I filed a HIPAA breach notice with HHS OCR.
3. Executives and HR acknowledged the federal filing in writing.
4. The IT administrator corroborated the risk.
5. I was terminated, despite being active and engaged that morning.

Every document—emails, text messages, HHS filings, and console screenshots—appears exactly as submitted under federal whistleblower-immunity statutes. The documents speak for themselves.

This archive contains only primary-source materials, including:

• sworn declarations and federal court filings from Rojas v. Nuvem Health LLC 
• contemporaneous internal emails
• contemporaneous text messages
• the official HHS OCR breach-notification filing
• redacted administrative-console screenshots confirming credential custody

There is no commentary, speculation, or opinion.
There are no trade secrets or non-public proprietary materials.
Every document reproduced here already exists in the legal and regulatory record.
This is a neutral evidentiary preservation site, not an adversarial presentation.

All materials appear exactly as originally transmitted, filed, or timestamped, with only minimal redactions applied for security (e.g., credential strings, remote-assist codes, personal contact information).

Timestamp and metadata consistency is preserved across:

• internal corporate emails
• internal text messages
• HHS OCR federal filings
• HR communications
• administrative-console credential-custody records 

Each exhibit is maintained under 28 U.S.C. §1746, ensuring authenticity and evidentiary integrity.
No document has been edited, rewritten, or reformatted for narrative effect.

The chronological alignment—spanning less than 72 hours from the first internal warning to the termination—forms the continuous evidentiary chain presented on this page.

This archive contains facts, not interpretations, arguments, or conclusions.
The documents speak for themselves.

This is my sworn account—supported entirely by the documents labeled Exhibits A–G—of what occurred in October 2023. I identified a security risk, filed a federal report, management acknowledged that report in writing, and I was terminated days later.

I was hired as a Cloud/Data Administrator to safeguard patient data and maintain production database systems.

The offshore vendor (Madeira) required a sysadmin “master-key” account—a level of access that exposes all patient data and is not necessary for monitoring. This type of access is widely recognized as a major cybersecurity and HIPAA risk.

Oct 17 — Warned leadership in writing that the tool required a sysadmin “master key.” (Ex. A)
Oct 19 (morning) — Told to proceed with provisioning the sysadmin key. Filed a HIPAA breach notice with HHS OCR to protect patients and the company. Management was notified. (Ex. B, Ex. C)
Oct 19 (afternoon) — VP requested the HHS confirmation “for our files,” proving same-day knowledge of the federal filing. (Ex. D)
Oct 19 evening → Oct 20 morning — Asked HR to archive my compliance objection. HR replied: “I will save this to your files.” (Ex. D)
Oct 20 — Nuvem’s IT administrator confirmed he shared the same concern about the sysadmin key. (Ex. E)
Oct 24 (morning of termination) — I was actively engaged with leadership on a security campaign—on time, professional, and working. (Ex. F) I was terminated shortly afterward.

The exhibits show a tight, 72-hour timeline that courts routinely identify as classic retaliation:

1. Internal warning about sysadmin “master-key” risk (Oct 17).
2. Federal HHS OCR breach report filed (Oct 19, 9:43 AM).
3. VP acknowledgment of the federal filing (Oct 19, 2:11 PM).
4. HR archives the disclosure into the personnel file (Oct 20, 8:32 AM).
5. IT administrator corroborates the risk (Oct 20).
6. Employee active and performing job duties hours before termination (Oct 24, 8:18 AM).
7. Termination follows within days.

Courts repeatedly hold that the sequence protected disclosure → employer knowledge → adverse action is enough to establish a retaliation claim at the pleading and summary-judgment stages.

Based on the documentary record, the sequence of events raises compliance issues that regulators may find appropriate to review independently.
This page does not assert misconduct as a matter of law; it presents primary-source documents so regulators, auditors, and courts may evaluate the facts directly.

I did not grant a master-key login to any third party.
I proposed safe alternatives that avoided elevated access.

• Preserve primary-source evidence already filed with federal regulators and the U.S. District Court.
• Present contemporaneous emails, texts, and filings exactly as they occurred.
• Provide statutory context explaining why these disclosures are protected by law.
• Assist regulators, auditors, investigators, and courts in reviewing the underlying facts. 

• Assert legal conclusions, fault, or intent.
• Demand or recommend enforcement action.
• Contain trade secrets or non-public proprietary materials.
• Display Nuvem’s trademarks, logos, or trade dress.
• Engage in commercial activity of any kind. 

This page is purely evidentiary and educational, enabling proper authorities—if they choose—to review the all-original documents.

Robinson v. Shell Oil Co., 519 U.S. 337 (1997) — Retaliation protections extend to post-employment acts, including misuse of legal process, threats, and reputational harm.

• Gorman-Bakos v. Cornell Coop. Extension, 252 F.3d 545 (2d Cir. 2001)
  → Short timing between disclosure and termination strongly supports causation.
• Kessler v. Westchester Cty. Dep’t of Soc. Servs., 461 F.3d 199 (2d Cir. 2006)
  → Employer knowledge is satisfied when management or HR receives the report 
• Zann Kwan v. Andalex, 737 F.3d 834 (2d Cir. 2013)
  → Post-employment acts can constitute unlawful retaliation.
   

Under 18 U.S.C. §1833(b):

“An individual shall not be held criminally or civilly liable
for disclosing information in a complaint or to a government agency.”

SOX §1514A and Dodd-Frank §78u-6(h) protect:

• internal disclosures,
• disclosures to federal regulators,
• isclosures based on reasonable belief,
• disclosures even if an employer insists it is “not a breach.”
   

45 C.F.R. §160.316 prohibits employers from punishing any individual for filing a report with HHS regarding improper access or data-handling risk.

• Ex. A — Oct 17 email warning: “This is a master key.”
• Ex. B — HHS OCR breach filing (official federal form).
• Ex. C — Oct 19 internal email chain; VP rebukes: “Not your place.”
• Ex. D — VP requests HHS confirmation; HR: “I will save this to your files.”
• Ex. E — Oct 20 texts: IT admin agrees with risk concerns.
• Ex. F — Oct 24 morning emails proving active work on day of termination.
• Ex. G — Console screenshot verifying sysadmin key custody chain.
   

Security-sensitive items (e.g., credential strings, remote-assist codes) are redacted. All originals are preserved for lawful regulators and the Court.
This page is noncommercial and exists solely to maintain an accurate, document-backed record.

Official record of the HIPAA breach report naming Nuvem Health LLC as Business Associate and identifying the “master key to our healthcare customers” risk. Demonstrates contemporaneous protected disclosure under federal law.

October 20 2023 texts confirm the sysadmin credential’s custody inside IT.

Rojas: “I’m the one that killed the Solar Winds provisioning yesterday.”

Ignatovich: “Lol that was my concern as well … We were on the same page for that.”

Corroborates that Rojas’s objection was compliance-aligned, not insubordinate.

Unofficial Whistleblower Archive • Noncommercial • No Affiliation with Nuvem  

Published pursuant to federal and state whistleblower-protection statutes:  

18 U.S.C. §1833(b) (DTSA Whistleblower Immunity) ·  

18 U.S.C. §1514A (Sarbanes–Oxley Anti-Retaliation) ·  

15 U.S.C. §78u-6(h) (Dodd-Frank Anti-Retaliation) ·  

45 C.F.R. §160.316 (HIPAA Anti-Retaliation) ·  

N.Y. Lab. Law §740 (Retaliatory Discharge Prohibited).  

All materials are publicly filed evidence in Rojas v. Nuvem Health LLC, No. 1:25-cv-04684 (SDNY),  

reproduced under 28 U.S.C. §1746 solely for regulatory, judicial, and public-interest review.

No proprietary logos, stylized marks, or trade dress of Nuvem are displayed.  

No advertising, commercial solicitations, or monetization of any kind.

This archive is legally protected speech.  

Any attempt to suppress, conceal, or retaliate against this disclosure is prohibited by federal law.