Protected Whistleblower Disclosure

Legal Notice:

This archive reproduces evidence filed in Rojas v. Nuvem Health LLC, No. 1:25-cv-04684 (SDNY), under 28 U.S.C. § 1746.
Originally published on Nuvem.health, now hosted for continuity of public-interest record under federal whistleblower protection statutes.

All materials are non-commercial, redacted, and statutorily immune from liability under 18 U.S.C. § 1833(b).

My sworn account (with documents) of what happened in October 2023. I raised a security concern, filed a federal report, my bosses knew, and I was let go days later. Everything below is supported by the PDFs labeled Exhibits A–G.

What I was hired to do:
I was hired as a Cloud/Data Administrator to help protect patient data and maintain database systems.

What I saw:
An offshore SaaS  Madeira setup required a sysadmin “master-key” account—an all-access login to databases with patient information. That level of access is risky and not necessary for monitoring.

What I did (step-by-step):

• Oct 17 – I warned leadership in writing that the tool required a master-key account (Ex. A).
• Oct 19 (morning) – I was told to proceed with the sysadmin setup. I filed a HIPAA breach notice with HHS OCR to protect the company and patients (Ex. B) and told my VP I had filed (Ex. C).
• Oct 19 (afternoon) – My VP emailed asking me to send the HHS confirmation “for our files,” showing management knew about the federal filing the same day (Ex. D).
• Oct 19 (evening) → Oct 20 (morning) – I asked HR to archive my compliance objection in my personnel file; HR replied, “I will save this to your files.” (Ex. D).
• Oct 20 – The company’s IT admin agreed with my concern in texts (Ex. E).
• Oct 24 (morning of termination) – I was actively corresponding with leadership on the company’s security campaign—on time, professional, and working (Ex. F). I was then terminated, later described as “attendance.”

Why this matters:
This shows:

1. I did the job I was hired to do—protect patient data.
2. My bosses knew about my federal report.
3. I was let go days later.
4. The “attendance” reason doesn’t fit the timestamps and emails from that morning.

What I did not do:
I did not grant a master-key login to a third party. I proposed safer alternatives.

Legal protections (plain English):
U.S. law protects employees who report data-privacy risks in good faith. It’s illegal to punish someone for making such a report. (Sarbanes-Oxley §1514A; DTSA §1833(b) whistleblower immunity; NY Labor Law §740.)

Documents (Exhibits) – read them yourself:

• Exhibit A – Oct 17 email warning: “This is a ‘master key’.”
• Exhibit B – HHS OCR breach filing (official federal form).
• Exhibit C – Oct 19 email chain (I report, VP rebukes “not your place”).
• Exhibit D – VP asks for HHS confirmation “for our files”; HR: “I will save this to your files.”
• Exhibit E – Oct 20 texts with IT admin agreeing with my concern.
• Exhibit F – Oct 24 morning emails showing I was active and professional.
• Exhibit G – Console evidence confirming credential custody chain.

Redactions & purpose:
Sensitive tokens/IDs are redacted. Originals are preserved for regulators and the Court. This page is non-commercial and exists solely to keep an accurate, document-backed record.

Official record of the HIPAA breach report naming Nuvem Health LLC as Business Associate and identifying the “master key to our healthcare customers” risk. Demonstrates contemporaneous protected disclosure under federal law.

October 20 2023 texts confirm the sysadmin credential’s custody inside IT.

Rojas: “I’m the one that killed the Solar Winds provisioning yesterday.”

Ignatovich: “Lol that was my concern as well … We were on the same page for that.”

Corroborates that Rojas’s objection was compliance-aligned, not insubordinate.