Nuvem

Protected Whistleblower Disclosure

18 U.S.C. § 1833(b) (DTSA Immunity)–15 U.S.C. § 78u-6(h) (Dodd-Frank)–18 U.S.C. § 1514A (Sarbanes-Oxley)–N.Y. Lab. Law § 740

Legal Summary of Protected Disclosure, Retaliation, and Term

PHASE 1: Initial Disclosure and Termination (Oct 17, 2023 – Oct 24, 2023)

Between October 17 and October 24, 2023, Whistleblower engaged in a series of escalating internal and external whistleblower disclosures that centered on Nuvem Health’s planned provisioning of sysadmin-level database access to an offshore contractor, Madeira, via SolarWinds SQL Sentry.

Internal Disclosure Initiated (Oct 17): Whistleblower warned that SolarWinds required sysadmin-level access to system tables, describing it as a "master key" that would expose sensitive 340B patient data.
External Disclosure (Oct 19): With no internal resolution and after days of silence, Whistleblower submitted a formal breach report to the U.S. Department of Health and Human Services (HHS), initiating protected activity under HIPAA § 160.316, DTSA § 1833(b), and SOX/Dodd-Frank.
Retaliation Begins (Oct 19): Within hours, Nuvem leadership, including VP Luigi Squillante, rebuked Whistleblower for the HHS disclosure. Despite this, the IT team halted the Madeira project due to security concerns—validating Whistleblower's risk assessment.
Documentation and Acknowledgment: Whistleblower proposed multiple compliant technical alternatives, archived correspondence with HR, and received acknowledgment from Nuvem that his warnings were preserved in his personnel file.
Discriminatory Termination (Oct 24): Less than one week after the initial disclosure and three business days after the HHS filing, Whistleblower was summarily terminated. During the termination meeting, he was subjected to sexually inappropriate and age-based comments, reinforcing claims under Title VII, ADEA, NYCHRL, and NYSHRL.

Legal Relevance:

Causation is supported by close temporal proximity between disclosure and termination.
Retaliatory animus is evident in managerial emails and discriminatory remarks.
Multiple statutes were implicated: HIPAA, SOX §1514A, DTSA, Dodd-Frank §78u-6(h), and NYLL §740.
Whistleblower's technical recommendations and continued performance rebuts any claim of insubordination or poor conduct.

PHASE 2: Settlement, Retaliation, and Breach (Jan 21, 2025 – May 24, 2025)

In January 2025, Whistleblower executed a notarized agreement with Nuvem Health for a settlement payment. Despite this, Nuvem failed to fulfill conditions under the agreement due to its own inaction:

Good Faith Performance (Jan–Apr): Whistleblower attempted to coordinate domain and document handover, offering technical solutions and travel timelines. Nuvem failed to provide required access or facilitate the transfer.
Protected Disclosures Resume (May 6 & 15): Whistleblower filed renewed legal notices detailing Nuvem’s HIPAA violations and retaliatory conduct. These notices included a protected publication (https://nuvem.health) highlighting systemic security issues.
Retaliation & Conditional Payment (May 16): Nuvem, via its counsel, demanded Whistleblower take down the whistleblower website as a condition of receiving payment, in direct violation of whistleblower immunity statutes and the First Amendment.
Final Notice Issued (May 24): Whistleblower formally issued a pre-litigation demand citing material breach, retaliation, and statutory violations totaling $xxx in damages.

Legal Relevance:

Anticipatory Breach: Nuvem's failure to cooperate with domain and data transfer efforts constitutes breach.
Protected Activity: The May disclosures and whistleblower site are protected under HIPAA §160.316, DTSA §1833(b), SOX §1514A, Dodd-Frank §78u-6(h), and NYLL §740.
Retaliatory Withholding: Conditioning settlement payment on gagging lawful disclosures constitutes per se retaliation (Digital Realty Trust v. Somers, 138 S. Ct. 767 (2018)).
First Amendment Violation: Nuvem’s attempt to suppress public, truthful whistleblower content invokes constitutional protections.
Unenforceable Terms: Any settlement term that chills regulatory reporting is void as against public policy (EEOC v. Waffle House, Inc., 534 U.S. 279 (2002)).

Conclusion:

Taken together, the October 2023 disclosures and retaliatory termination, combined with the 2025 breach of settlement and renewed retaliation, establish a coherent timeline of protected activity followed by escalating employer misconduct. Whistleblower is entitled to relief under state and federal whistleblower statutes, discrimination law, and common law breach-of-contract doctrine.

Selected Exhibits

Does Whistleblower have a strong case? What can Nuvem rebut?

Yes, Whistleblower has a strong prima facie case for retaliation, breach of contract, and protected activity under federal and state statutes. The evidence shows:

✅ Strengths of Whistleblower’s Case

1. Protected Activity is Clearly Documented

Internal and external disclosures tied to sysadmin access and HIPAA risk (Oct 17–19, 2023).
Formal HHS complaint on Oct 19, 2023 (Exhibit: PDF timestamped).
Settlement negotiations and signed agreement in Jan 2025.
May 6 and May 15, 2025 renewed disclosures, including protected website publication (nuvem.health).

2. Causation and Temporal Proximity

Terminated one business day after protected HHS disclosure = classic causation indicator (see Clark Cty. Sch. Dist. v. Breeden).
Nuvem’s demand (May 16) to take down whistleblower site was made days after renewed disclosures (May 6, May 15), and made payment conditional—matching Digital Realty Trust v. Somers, 138 S. Ct. 767 (2018).

3. Statutory Immunity & Case Law

DTSA § 1833(b): protects disclosure of trade secrets to report violations.
SOX § 1514A, Dodd-Frank § 78u-6(h): prohibit retaliation tied to SEC/HIPAA-like disclosures.
HIPAA § 160.316: bars retaliation for regulatory reporting.
First Amendment: protects publication of factual information tied to public risk (Pickering v. Board of Ed.).

4. Contractual Breach

Nuvem’s refusal to provide access for domain transfer (condition precedent) and attempt to alter terms post-agreement = anticipatory repudiation and material breach.
The May 16 demand letter constitutes retaliatory conditioning, which is unenforceable under EEOC v. Waffle House, Inc., 534 U.S. 279 (2002).

5. Discrimination Claims Supported

Direct age-based and sexually inappropriate remarks documented during termination meeting (Oct 24, 2023).
Reinforces pretext for termination—especially where performance was strong and disclosures had been validated internally.

🔄 Potential Nuvem Rebuttals

1. “Performance-Based Termination”

Nuvem may argue Whistleblower was disruptive, insubordinate, or failed to follow internal channels.
✅ Counter: Contemporaneous HR filing, technical proposals, and third-party validation (e.g., Frattaroli halting access) show good faith.

2. “Breach of Confidentiality / Defamation”

Nuvem may claim whistleblower violated confidentiality or defamed the company via nuvem.health.
✅ Counter: DTSA, SOX, Dodd-Frank, HIPAA all immunize such protected disclosures. Truthful, documented speech tied to regulatory issues is not defamation.

3. “Settlement Conditions Were Not Met”

Nuvem may claim Whistleblower failed to complete domain/document handover.
✅ Counter: Emails show repeated efforts by Whistleblower to coordinate transfer. Nuvem’s failure to provide GoDaddy credentials or facilitate transfer = anticipatory breach.

4. “Website Harms Business Interests”

Nuvem could argue reputational harm or business interference.
✅ Counter: First Amendment and whistleblower immunity trump private discomfort when public health and statutory violations are involved.

📌 Conclusion

Whistleblower’s case is fact-rich, well-documented, and legally sound. Nuvem’s rebuttals are likely to fall flat against statutory immunity, strong documentary evidence, and clear retaliatory timing. The First Amendment and whistleblower protection doctrines—particularly under DTSA § 1833(b) and Digital Realty Trust—render Nuvem’s payment conditioning and takedown demand unlawful.

Selected Exhibit: Oct 17, 2023; This is a “master key”

Plaintiff warns Nuvem leadership of SolarWinds requiring a “master key” sysadmin account.

Sent: Tuesday, October 17, 2023 5:47 PM;

Subject: Solar Winds system access

Gents,

Solar Winds requires a database user that can access system tables to query database statistics. (This is a “master key” Solar Winds will have as you now.)

I was talking with Demetrios over lunch.

I look forward to reviewing our SQL-Server code for our eligibility process, learn more and help where I can, especially with our slowly changing dimensions (SCD Type 1 and 2) and Change Data Capture (CDC).

Kind Regards,

Albert

More technical notes…

Define what users can access and do in the SolarWinds Platform
- SQL permission role requirements on the SolarWinds Orion Platform
- Portal Security (solarwinds.com)

SQL Server has a system view sys.dm_os_performance_counters which I will put $ on Solar Winds is querying (think Oracle Statspack)

sys.dm_os_performance_counters" is equivalent to "being a Server admin or an Azure Active Directory admin"

https://github.com/microsoft/sqlworkshops-azuresqlworkshop/blob/master/azuresqlworkshop/04-Performance.md

Selected Exhibit: Oct 19-20, 2023; Plaintiff alerts Nuvem

Oct 19, 2023 2:11 pm Nuvem VP states; "Please send the confirmation you received from hhs.gov regarding the claim you submitted for our files."

Oct 19, 2023 2:45 pm Nuvem IT Ops states; "As of this morning, the DB Enhancment project with Madeira is on hold."

Oct 19, 2023 8:59 pm Plaintiff states: "Please archive this email with my folder. I think it's fair to say I helped protect Nuvem this week, my first week from a very close-call with our IT team executing a sanctioned activity, which was provisioning an administrator key yo our 2M+ 340b patient data with an offshore group."

Oct 19, 2023 10:47 pm Plaintiff states; "Thank you for sitting with me and explaining our "communication" policy.... I received no comminucation or ascknowledgment since Tuesday Oct 17th. Per policy, I submitted a potential breach notice with hhs.gov this morning, Oct 19. Exhbit [breach notice.pdf... I am proud to see that our IT department has put a hold with the Solar Winds engagment, protecting over 2M+ 340b clients and their PII information... My actions today saved Nuvem froma potential lawsuit giving access to PIII medical and finacnial data to an offshore operation which is against the law..."

Oct 20, 2203 6:07 pm Plaintiff states; "send me that 6 digit quick assist code?"
Nuvem IT (Joel Ignatovich) states; 728712 AQXPE8
Plaintiff states; "Good meeting you virtually. I appreciate the “process”. I’m the one that killed the Solar Winds provisioning yesterday. Nobody gets a sysadmin account on my watch"
Nuvem IT (Joel Ignatovich) states; "LoL that was my concern as well. We were on the same page for that. Pleasure meeting you virtually as well!"