Mphasis & QBE The Next Applied - Data Governance Failures and Retaliation
This archive constitutes a good-faith disclosure under 18 U.S.C. § 1833(b)
Reports offshore handling of U.S. regulated data in breach of compliance controls.
Mphasis & QBE The Next Applied - Data Governance Failures and Retaliation
Reports offshore handling of U.S. regulated data in breach of compliance controls.
This archive presents sworn, court-filed evidence documenting how QBE and its technology vendor, Mphasis, mishandled a U.S. healthcare endpoint and later mischaracterized the disclosure of that lapse as “trade-secret” misuse.
The materials—now part of the public record in Mphasis Corp. v. Rojas, Case No. 1:25-cv-03175 (JMF)(OTW), S.D.N.Y.—trace a complete timeline: dual-use laptop → QBE silence → private-investigator contact → court-ordered return → federal authentication (ECF 480).
No proprietary or sealed data is published.
All content is protected by 18 U.S.C. § 1833(b) and § 1514A, provided solely for transparency, compliance oversight, and public accountability.
This archive summarizes sworn evidence filed under penalty of perjury in
Mphasis Corporation v. Rojas, Case No. 1:25-cv-03175 (JMF)(OTW), — U.S. District Court, Southern District of New York.
See ECF 480 – Declaration of Albert Rojas under 28 U.S.C. § 1746 for the complete record and authenticated exhibits.
Dual-Use Endpoint (Oct 2024):
Mphasis and QBE permitted the same QBE-issued laptop to bridge both corporate domains — violating HIPAA § 164.308(a)(4), SOC 2 CC6.x, and NIST CSF access-control standards. This is the governance gap I reported in London in October 2024.
Policy Lapse Trigger (Feb 2025):
An Mphasis Vice President emailed a 66-page QBE presentation (QBE.pptx) directly to my personal laptop and asked me to download and edit it. The download activity (“blinking lights”) showed exactly what I had warned about: work being routed off a managed endpoint. That VP email —not mine— originated the off-domain handling and confirmed the dual-endpoint risk I had disclosed.
Unmanaged Endpoint & Late Recovery (Dec 2024 → Apr 2025):
Meanwhile, the original QBE-issued laptop (the active endpoint) remained in my New York apartment awaiting a shipping label and return instructions that QBE failed to provide until the Court compelled issuance in April 2025. Only then did Mphasis hire a private investigator to retrieve the device — confirming loss of asset control.
All supporting emails, timelines, and correspondence appear in Exhibits A–D to ECF 480.
Public statements in March 2024 characterized the QBE healthcare data breach as an act of “aggressive hacking.”
However, the sworn evidence before the Court points to internal control failures, not external intrusion.
The same unmanaged, cross-domain endpoint configuration documented in ECF 480 shows that QBE and Mphasis enabled dual access to regulated U.S. healthcare data from offshore systems, violating baseline access-segregation and audit-control requirements under HIPAA § 164.308(a)(4) and SOC 2 CC6.x.
The breach narrative focused on outsiders, but the root cause was insecure endpoint provisioning and untracked assets — a self-inflicted failure later replicated in this case.
When an offshore enterprise forgets an active U.S. endpoint, a breach is not a surprise — it is a foreseeable consequence. That pattern of unmanaged access is why this pro se defendant has urged the Court to require a full U.S.-based compliance audit and to suspend data-handling privileges for Mphasis and QBE until they demonstrate remediation under accredited U.S. oversight (NIST / HITRUST / SOC 2 Type II).
All materials are publicly available through the federal PACER/ECF system.
Direct reference: ECF 480 – Declaration of Albert Rojas under 28 U.S.C. § 1746 (S.D.N.Y.).
The federal record (ECF 14-25) includes a sworn declaration by licensed investigator Brad D. Kelly, L.P.I., retained by Mphasis to “facilitate the return of a company-provided laptop with sensitive data and data access.”
This investigator contacted me in April 2025—four months after my termination—to recover the QBE-issued laptop that had remained idle in my New York apartment, awaiting QBE’s shipping label since December 2024.
Rather than QBE’s asset-management or IT department issuing a standard return box to its warehouse, the company—through Mphasis—hired a private investigator to retrieve the device directly from my residence.
When QBE finally produced a return label in April 2025, it was addressed not to the asset-return facility but to a QBE vice president, bypassing the ordinary tracking process that would have generated an internal audit alert.
This sequence of actions suggests containment, not recovery: the goal was to minimize discovery of how a live, credentialed healthcare endpoint had been left unaccounted for over five months.
Had I not documented the issue on the whistleblower site after termination, the active endpoint would likely have remained forgotten.
The investigator’s affidavit in ECF 14-25, juxtaposed with QBE’s delayed label and Mphasis’s public filings, confirms that the laptop retrieval was a reactive attempt to shield QBE from audit exposure, not a normal asset-return procedure.
That intervention, executed outside standard IT chain-of-custody, stands as direct evidence of a containment effort to avoid triggering QBE’s own internal compliance audit.
This disclosure is a good-faith report under 18 U.S.C. § 1833(b) and 18 U.S.C. § 1514A, documenting verified compliance and data-governance failures already entered into the federal record.
Following internal reports of dual-use endpoints and unmanaged assets, Mphasis hired a private investigator to recover a QBE-issued laptop the companies had lost track of — underscoring the authenticity of the evidence and the gravity of the governance lapse.
No classified, sealed, or privileged information is disclosed.
All content is non-commercial and provided solely for transparency based on the authenticated court record (ECF 480).
Both ECF 14-38 and ECF 14-41 were filed by Mphasis counsel and reproduce technical materials first published in the Defendant’s whistleblower disclosures, confirming that the underlying data and correspondence are authentic and originate from Mphasis and QBE systems.
This sequence—dual-endpoint discovery → QBE silence → policy lapse → post-termination investigator contact → court-ordered return → plaintiff refiling → sworn authentication—establishes a complete and verifiable chain of custody documenting systemic governance failure, not employee misconduct.
All cited filings are publicly available through the U.S. District Court (S.D.N.Y.) PACER/ECF system, in Mphasis Corp. v. Rojas, Case No. 1:25-cv-03175 (JMF)(OTW).
ECF 12 — The Misstatement that Sparked the Sanctions Order
Description:
Filed by Mphasis counsel in April 2025, ECF 12 contains the false claim that “Defendant refused to return the QBE-issued laptop to Mphasis as directed by QBE.”
That assertion became the factual predicate for later sanctions and summary-judgment briefing.
Subsequent sworn filings (ECF 14-41 & 480) prove no return directive existed before April 29 2025, and that QBE—not the Defendant—lost control of its own endpoint.
ECF 14-38 — The Internal Emails Showing Policy Breakdown
Description:
This exhibit set reproduces Mphasis’s internal correspondence admitting that engineers were required to use the same QBE-issued laptop across both corporate domains—violating HIPAA § 164.308(a)(4), SOC 2 CC6.x, and NIST CSF PR.AC controls.
The emails corroborate Defendant’s whistleblower disclosures and confirm that secure infrastructure was never provided.
Mphasis hired a private investigator in a post-termination attempt to contain, rather than correct, a QBE compliance lapse.
ECF 480 — Sworn Federal Declaration Authenticating the Evidence
Description:
Docketed October 29 2025, ECF 480 is the Declaration of Albert Rojas under 28 U.S.C. § 1746.
It authenticates Exhibits A–D confirming dual-use endpoints, unmanaged QBE devices, and Mphasis’s post-incident decision to hire a private investigator to recover the laptop it had misplaced.
This filing transforms the prior record into sworn evidence—closing the factual gap identified by the Court and anchoring the whistleblower disclosures in the federal docket.
Protected Disclosure Notice:
This archive constitutes a good-faith disclosure under 18 U.S.C. § 1833(b) and 18 U.S.C. § 1514A.
It reports suspected violations of U.S. data-privacy, compliance, and audit-control laws by entities processing regulated U.S. data from offshore environments.
No classified, sealed, or privileged material is disclosed.