Noncommercial evidentiary archive published under federal whistleblower immunity
(18 U.S.C. §1833(b), 18 U.S.C. §1514A, 15 U.S.C. §78u-6(h)).
No commercial activity or Mphasis trademarks, logos, or trade dress are used.

This archive presents sworn, court-filed evidence documenting how QBE and its technology vendor, Mphasis, mishandled a U.S. healthcare endpoint and later mischaracterized the disclosure of that lapse as “trade-secret” misuse.
The materials—now part of the public record in Mphasis Corp. v. Rojas, Case No. 1:25-cv-03175 (JMF)(OTW), S.D.N.Y.—trace a complete timeline: dual-use laptop → QBE silence → private-investigator contact → court-ordered return → federal authentication (ECF 480).
No proprietary or sealed data is published.
All content is protected by 18 U.S.C. § 1833(b) and § 1514A, provided solely for transparency, compliance oversight, and public accountability.

This archive summarizes sworn evidence filed under penalty of perjury in
Mphasis Corporation v. Rojas, Case No. 1:25-cv-03175 (JMF)(OTW), — U.S. District Court, Southern District of New York.
See ECF 480 – Declaration of Albert Rojas under 28 U.S.C. § 1746 for the complete record and authenticated exhibits.

Dual-Use Endpoint (Oct 2024):
Mphasis and QBE permitted the same QBE-issued laptop to bridge both corporate domains — violating HIPAA § 164.308(a)(4), SOC 2 CC6.x, and NIST CSF access-control standards. This is the governance gap I reported in London in October 2024.

Policy Lapse Trigger (Feb 2025):
An Mphasis Vice President emailed a 66-page QBE presentation (QBE.pptx) directly to my personal laptop and asked me to download and edit it. The download activity (“blinking lights”) showed exactly what I had warned about: work being routed off a managed endpoint. That VP email —not mine— originated the off-domain handling and confirmed the dual-endpoint risk I had disclosed.

Unmanaged Endpoint & Late Recovery (Dec 2024 → Apr 2025):
Meanwhile, the original QBE-issued laptop (the active endpoint) remained in my New York apartment awaiting a shipping label and return instructions that QBE failed to provide until the Court compelled issuance in April 2025. Only then did Mphasis hire a private investigator to retrieve the device — confirming loss of asset control.

All supporting emails, timelines, and correspondence appear in Exhibits A–D to ECF 480.

• The sworn record establishes corporate negligence and retaliation — not employee misconduct.
• The statement that I “refused to return the QBE laptop” (ECF 12 p. 20 ¶ 2) is contradicted by Plaintiff’s own filings and by contemporaneous evidence showing QBE’s delay in issuing return instructions.
• Pending motions under Rule 11(b)(3) and Rule 60(b)(3) seek only to correct the record and preserve accurate data-governance oversight.
   

Public statements in March 2024 characterized the QBE healthcare data breach as an act of “aggressive hacking.”
However, the sworn evidence before the Court points to internal control failures, not external intrusion.
The same unmanaged, cross-domain endpoint configuration documented in ECF 480 shows that QBE and Mphasis enabled dual access to regulated U.S. healthcare data from offshore systems, violating baseline access-segregation and audit-control requirements under HIPAA § 164.308(a)(4) and SOC 2 CC6.x.
The breach narrative focused on outsiders, but the root cause was insecure endpoint provisioning and untracked assets — a self-inflicted failure later replicated in this case.

When an offshore enterprise forgets an active U.S. endpoint, a breach is not a surprise — it is a foreseeable consequence. The sequence of events documented in ECF 480 suggests unresolved compliance gaps. Regulators may find grounds to consider requiring Mphasis and QBE to undergo an independent audit before continuing certain U.S. data-handling operations.

All materials are publicly available through the federal PACER/ECF system.
Direct reference: ECF 480 – Declaration of Albert Rojas under 28 U.S.C. § 1746 (S.D.N.Y.).

The federal record (ECF 14-25) includes a sworn declaration by licensed investigator Brad D. Kelly, L.P.I., retained by Mphasis to “facilitate the return of a company-provided laptop with sensitive data and data access.”
This investigator contacted me in April 2025—four months after my termination—to recover the QBE-issued laptop that had remained idle in my New York apartment, awaiting QBE’s shipping label since December 2024.

Rather than QBE’s asset-management or IT department issuing a standard return box to its warehouse, the company—through Mphasis—hired a private investigator to retrieve the device directly from my residence.
When QBE finally produced a return label in April 2025, it was addressed not to the asset-return facility but to a QBE vice president, bypassing the ordinary tracking process that would have generated an internal audit alert.

This sequence of actions suggests containment, not recovery: the goal was to minimize discovery of how a live, credentialed healthcare endpoint had been left unaccounted for over five months.
Had I not documented the issue on the whistleblower site after termination, the active endpoint would likely have remained forgotten.
The investigator’s affidavit in ECF 14-25, juxtaposed with QBE’s delayed label and Mphasis’s public filings, confirms that the laptop retrieval was a reactive attempt to shield QBE from audit exposure, not a normal asset-return procedure.

That intervention, executed outside standard IT chain-of-custody, stands as direct evidence of a containment effort to avoid triggering QBE’s own internal compliance audit.

This disclosure is a good-faith report under 18 U.S.C. § 1833(b) and 18 U.S.C. § 1514A, documenting verified compliance and data-governance failures already entered into the federal record.
Following internal reports of dual-use endpoints and unmanaged assets, Mphasis hired a private investigator to recover a QBE-issued laptop the companies had lost track of — underscoring the authenticity of the evidence and the gravity of the governance lapse.

No classified, sealed, or privileged information is disclosed.
All content is non-commercial and provided solely for transparency based on the authenticated court record (ECF 480).

Both ECF 14-38 and ECF 14-41 were filed by Mphasis counsel and reproduce technical materials first published in the Defendant’s whistleblower disclosures, confirming that the underlying data and correspondence are authentic and originate from Mphasis and QBE systems.

• October 2024 — Dual-Use Endpoint Identified
  While assigned to the QBE London project, Defendant documented that Mphasis and QBE engineers were accessing both corporate networks through the same QBE-issued laptop, violating HIPAA § 164.308(a)(4), SOC 2 CC6.x, and NIST CSF access-control standards. This dual-endpoint risk was the subject of the original whistleblower disclosure.
   
• December 2024 — Project Ends; QBE Goes Silent
  The QBE project concluded in December 2024. QBE instructed that the QBE-issued laptop—an active healthcare endpoint tied to Defendant’s name—be returned to New York. After acknowledging that direction, QBE issued no return box, label, or follow-up for more than four months, leaving a credentialed endpoint unmanaged and untracked inside the United States.
   
• February 2025 — Policy Lapse Confirmed
  Despite never providing a managed Mphasis laptop, an Mphasis Vice President emailed a 66-page QBE presentation (QBE.pptx) to Defendant’s personal computer for editing—routing regulated data off-domain and confirming the same control failure earlier reported.
   
• Early April 2025 — Private-Investigator Contact After Termination
  After months of silence from QBE and no return label ever issued, Mphasis hired a private investigator (ECF 14-25, Brad D. Kelly, L.P.I.) to collect a laptop it claimed as its own.
  I immediately clarified that the device was QBE property, assigned in my name, and that I was still waiting for official return instructions from QBE, as every company does for active endpoint accountability.
  In reality, the investigator’s visit served only to document Mphasis’s attempt to mask a QBE compliance failure as a laptop retrieval.
  The event did not close a gap—it proved one existed.
   
• April 2025 — Court-Ordered Return Label and Audit Bypass
  It ultimately took a court order to compel QBE to issue a return label. When issued, the label was addressed to a QBE Vice President rather than to the laptop-return facility, bypassing standard asset check-in procedures that would have triggered a five-month audit alert with U.S. regulatory bodies.
  No laptop owned by Mphasis was ever in Defendant’s possession—termination occurred with zero Mphasis-owned assets outstanding.
   
• April 2025 — Plaintiff’s Own Filings Verify Data Origin
  Mphasis then filed ECF 14-38 and ECF 14-41, reproducing the same technical materials first disclosed in the whistleblower reports, thereby confirming the data’s internal origin.
   
• October 2025 — Federal Authentication of Record
  Defendant submitted a sworn Declaration under 28 U.S.C. § 1746 (ECF 480), authenticating all underlying materials as protected whistleblower evidence under 18 U.S.C. §§ 1833(b), 1514A, thus closing the evidentiary chain from disclosure to docket.
   

This sequence—dual-endpoint discovery → QBE silence → policy lapse → post-termination investigator contact → court-ordered return → plaintiff refiling → sworn authentication—establishes a complete and verifiable chain of custody documenting systemic governance failure, not employee misconduct.

All cited filings are publicly available through the U.S. District Court (S.D.N.Y.) PACER/ECF system, in Mphasis Corp. v. Rojas, Case No. 1:25-cv-03175 (JMF)(OTW).