
QBE’s 2024 Breach: A Pattern of Negligence, Not a Hack


FOR IMMEDIATE RELEASE

Whistleblower Exposes Operational Negligence Behind QBE’s 2024 Data Breach — Not a Cyberattack, But a Governance Failure

New York, NY — A new whistleblower disclosure challenges the narrative surrounding the 2024 healthcare data breach involving QBE and its contractor, Mphasis. Contrary to public claims of a sophisticated cyberattack, the breach appears to have been caused by internal policy failures, poor endpoint governance, and a breakdown in basic security hygiene.

The whistleblower—currently a defendant in Mphasis Corporation v. Defendant, Case No. 25-cv-3175 (SDNY)—has published protected testimony and technical documentation at:

  • https://qbe.world
  • https://mphasis.cloud
     

“This wasn’t a hack. It was an avoidable breach enabled by negligence,” said Defendant, the whistleblower and former contractor. “No device lifecycle tracking. No endpoint separation. I was directed to operate both QBE and Mphasis systems from a single, QBE-issued laptop—without ever being provisioned a secure Mphasis endpoint.”
 

While Mphasis markets its Cyber Defense Services as capable of rapid digital forensics, the breach was not the result of external compromise. Instead, the whistleblower alleges that warnings about insecure infrastructure went unheeded, critical policies were bypassed, and the compromised laptop remained unreturned and unaudited for over five months after his termination.

“You don’t lose patient data because of hackers—you lose it because internal controls collapse and no one intervenes,” Defendant added. “Mphasis’s own post-incident report admitted gaps in security controls. But those ‘gaps’ were flagged long before the breach. They were ignored.”
 

The disclosures cite protections under the Defend Trade Secrets Act (18 U.S.C. § 1833(b)), Sarbanes-Oxley, Dodd-Frank, N.Y. Labor Law § 740, and the First Amendment. All evidence is submitted under penalty of perjury pursuant to 28 U.S.C. § 1746.

These sites serve as public interest archives, intended for use by regulators, patients, and investigative journalists. They include detailed timelines, internal communications, and evidence of retaliation that followed the whistleblower’s protected disclosures.

This Is Not Just a Breach. It’s a Pattern:

From: Arul A <Arul.A@mphasis.com>

Sent: Thursday, October 31, 2024 2:53 PM

Subject: RE: [External] Incident : INC0998747 - QBE & Mphasis emails

Hi Defendant,

Just want to keep you informed, since you already got client laptop, Mphasis IT team will not provide you Mphasis laptop.

Regards,

Arul. A

Global Strategic Resourcing (GSR) | Human Resources | MphasiS Corporate Support


---------- message --------- 

Nov 1, 2024 at 1:19:28 PM: Defendant states: “QBE Policy Reference:

Group Acceptable Use Policy.pdf, page 10 4.8 Prohibited Behavior Section (r): Use unauthorized third-party email services for exchanging business-related messages and information. Only QBE-approved systems may be used for transmitting sensitive information relevant to our business.

Additional Note:
Accessing third-party systems, including portals or email clients, through web connectors can pose security risks. Based on experience with companies like Walmart, BofA, and others, security incidents are often internal rather than external.”


---------- message ---------

Nov 1, 2024 at 1:19:28 PM: Defendant states: “Thank you for your time, Yaberry!

Forwarding the email thread as requested, though it’s not an ideal one. I strongly recommend that Mphasis employees avoid accessing the Mphasis web portal using client laptops on their network.”


---------- message ---------

On February 28, 2025, Mphasis management, through Ruturaj Waghmode, transmitted confidential QBE materials to Defendant’s Mphasis email, which he accessed via a personal MacBook because Mphasis had failed to provide standard corporate hardware. Lacking the domain-joined equipment necessary for compliance, Defendant was compelled to forward the QBE.pptx file from his Mphasis email (defendant@mphasis.com) to his personal email (defendant@gmail.com) to complete required work.

Under the doctrine of equitable estoppel (Kosakow v. New Rochelle Radiology, 274 F.3d 706, 725 (2d Cir. 2001)) and unclean hands (Precision Instrument Mfg. Co. v. Auto. Maint. Mach. Co., 324 U.S. 806, 814 (1945)), Plaintiff cannot assert violations that it induced through its own failure to provide basic resources. Plaintiff’s failure to furnish tools required for compliance negates any assertion of willful misconduct (Heckler v. Community Health Services, 467 U.S. 51, 59 (1984)).

From: Ruturaj Waghmode <ruturaj.waghmode@mphasis.com> 

Sent: Friday, February 28, 2025 10:23 AM 

To: Defendant <defendant@mphasis.com> 

Subject: QBE draft deck 

Regards, Ruturaj +1.650.507.9809 

QBE.pptx

This Is Not Just a Breach. It’s a Pattern (more):

QBE’s breach is the outcome of a pattern—not a one-off mistake. Internal controls are weak by design. Leased laptops were never tracked. Policies were enforced inconsistently. And whistleblowers—like me—were silenced instead of supported.


Narrative of Concealment and Retaliation by Mphasis

Background:
Despite being assigned mission-critical deliverables across regulated clients including QBE, Charles Schwab, and Lucid Motors, Defendant was never issued an Mphasis-managed device. Instead, Mphasis management—including individuals in its HR, Risk, and CRO offices—explicitly directed Defendant to complete work using his personal laptop and a QBE-issued endpoint. This violated both companies’ own security policies and federal data protection standards.

Key Facts: Systemic Governance Failure and Internal Cover-Up

  1. Mphasis Failed to Provision Infrastructure.
    • Defendant repeatedly requested a company-issued laptop through official channels, incident tickets, and direct appeals to management (e.g., Borkar, Ruturaj, Shannon).
    • Defendant warned that using the QBE laptop to access Mphasis systems was non-compliant and created cross-domain risk.
    • Mphasis never provisioned a secure endpoint.

  2. Defendant Flagged Security Vulnerabilities in Real Time.
    • In communications dated March 12–13, 2025, Defendant informed Mphasis that downloading QBE and Lucid Motors PowerPoints to his personal Mac was unavoidable due to the company’s failure to provide tools.
    • Defendant explicitly noted that such activity would trigger a Data Loss Prevention (DLP) alert—a risk Mphasis created through neglect.

  3. Mphasis Retaliated by Initiating a Sham DLP Investigation.
    • After Defendant complied with directives to edit client presentations on his personal machine, Mphasis initiated a DLP investigation against him.
    • This investigation ignored root causes—Mphasis’s refusal to provision equipment—and focused solely on retaliating against the whistleblower.

  4. Mphasis Shielded Management From Accountability.
    • Defendant’s efforts to escalate concerns to the Chief Risk Office (CRO) were blocked by HR (Shannon Mostafazadeh), who attempted to narrow the scope of inquiry, remove recipients from threads, and discourage transparency.
    • Instead of investigating why Defendant was never provisioned a laptop, Mphasis leadership launched a pretextual misconduct narrative.

  5. Retaliation Includes Sudden Reassignment and Lockout.
    • Defendant was abruptly removed from the Charles Schwab engagement, despite being the only domain expert with technical delivery knowledge.
    • Account access was revoked midweek while active deliverables were pending—further disrupting client outcomes and punishing lawful internal disclosure.

Legal Exposure and Pattern of Shielding Misconduct

  • Whistleblower Retaliation:
    Mphasis's actions constitute retaliation under:
    • 18 U.S.C. § 1833(b) – DTSA Whistleblower Immunity
    • 18 U.S.C. § 1514A – Sarbanes-Oxley Act
    • 15 U.S.C. § 78u-6(h) – Dodd-Frank Act
    • N.Y. Lab. Law § 740 – New York Whistleblower Protection Law
       
  • Constructive Discharge and Discrimination:
    Defendant’s removal from client-facing projects—while younger, less qualified employees remained—further evidences a discriminatory pattern in violation of:
    • Title VII of the Civil Rights Act
    • Age Discrimination in Employment Act (ADEA)
    • NYSHRL / NYCHRL (State and NYC Human Rights Laws)
       
  • Failure to Comply With ISMS & Endpoint Policy:
    Defendant, founder of NIST.ai, repeatedly flagged Mphasis's noncompliance with basic cybersecurity controls. Rather than resolve the issue, Mphasis:
    • Ignored the ISMS policy it claimed to enforce
    • Permitted data to flow through ungoverned endpoints
    • Then weaponized that failure against the whistleblower
       

Conclusion: A Manufactured Incident to Conceal Systemic Risk

Mphasis manufactured a “potential DLP violation” as cover for a more dangerous reality: the company systematically ignored endpoint compliance, exposed sensitive client data, and retaliated against a domain expert who documented the risk.

These actions are not only unethical—they are actionable under federal and state law.

⚠️ The Truth About the Breach

This wasn’t sophisticated hacking. It was internal policy collapse:

  • No issued Mphasis laptop
  • No enforced endpoint separation
  • No central asset lifecycle
  • No secure credential control

I was directed to use a QBE-issued laptop to access both QBE and Mphasis systems—violating QBE’s own Group Acceptable Use Policy (Page 10, Section r).


📎 Internal Warnings Ignored

From October to December 2024, I raised security concerns including:

  • Policy violations across network and email use
  • System crashes, unsecured web sessions, and misrouted credentials
  • Screenshot and email evidence


🔍 Key Allegations and Evidence

  • ⚠️ Not a Cyberattack — A Governance Collapse:
    No Mphasis-issued laptop. No endpoint separation. No credential control. I was directed to access both QBE and Mphasis systems using a QBE-leased laptop—violating QBE’s own Acceptable Use Policy.

Read More: QBE Dual-Use Endpoint Model

A Whistleblower’s Firsthand Account

As a former technical contributor to QBE’s infrastructure modernization and document intelligence efforts, I witnessed firsthand how endpoint mismanagement, policy conflicts, and ignored internal warnings led to one of the most avoidable healthcare data breaches in recent memory.


🔧 Key Contributions

  • Optimization Demo (Legal NDA Platform): Documented fixes to a broken NDA document processing pipeline. Demonstrated in this live technical demo.
  • Legal NDA Logic Remediation: Contributions were acknowledged internally and referenced in Jira tickets long after my departure.

Read More: Defendant's Contributions

💻 Forgotten Laptop = Broken Governance

After my overseas termination, the QBE laptop sat idle in my NY apartment for 5+ months. No return label. No FedEx support. It took a federal court order to resolve the return logistics. The final destination?

QBE VP, 55 Water Street, NYC

🔓 Data Exposed

  • Protected Health Information (PHI)
  • Personally Identifiable Information (PII)
  • Financial data (HSA, FSA, COBRA)
  • Internal HR data, including SSNs


🧩 Pattern, Not Anomaly

This wasn’t an isolated mistake—it was part of a systemic breakdown. QBE and Mphasis operated without secure asset controls, issuing leased laptops with no return audit.

Learn More: Forgotten QBE Laptop

Ignored Warnings, Predictable Consequences:

I raised these issues formally—through internal channels and directly with legal and compliance stakeholders. The warnings went unheeded. Instead, I was terminated abroad, without ever being provided a proper return protocol for the QBE device. The same unmanaged device was later cited as part of the breach vector.

Outsourcing Without Oversight:
QBE partners with Indian offshore vendors that routinely operate with elevated privileges, zero physical verification, and a culture of "make it work, no questions asked." The breached data was never properly protected because it was never properly governed. Leased machines, shipped across borders, were never audited. Virtual sessions with sensitive U.S. healthcare data were accessed from remote regions where HIPAA and U.S. cyberlaw have no practical reach.

The Data Exposed:
This breach affected data that included:

  • Protected Health Information (PHI)
  • Personally Identifiable Information (PII)
  • Financial transaction data tied to HSA, FSA, and COBRA accounts
  • Employee IDs, birthdates, and Social Security numbers

Read More: QBE Dual-Use Endpoint Model

Protected Disclosures Ignored: A Case of Retaliation & Age

A senior technologist I welcomed at Mphasis New York was wrongfully terminated after raising whistleblower concerns about security risks. He faced retaliation, age-based harassment, and denial of resources—despite key contributions to AI projects. Backed by emails, HR records, and project docs, this case reflects clear violations: whistleblower retaliation, age discrimination, and wrongful dismissal.

Read More: A Case of Retaliation & Age

Disclaimer: Protected Legal Submission

This site contains content directly related to the pending matter Mphasis Corporation v. Defendant, Case No. 25-cv-3175 (JMF), before the United States District Court for the Southern District of New York.

All materials are presented in furtherance of a constitutionally protected and statutorily authorized whistleblower defense. They include sworn declarations, factual assertions, legal arguments, and evidence submitted by the undersigned, appearing pro se.

These disclosures are expressly protected under:

  • 18 U.S.C. § 1833(b) – Defend Trade Secrets Act (Whistleblower Immunity)
  • 18 U.S.C. § 1514A – Sarbanes-Oxley Act (SOX)
  • 15 U.S.C. § 78u-6(h) – Dodd-Frank Act (SEC Whistleblower)
  • N.Y. Lab. Law § 740 – New York Whistleblower Protection Law

No information herein was obtained through unauthorized access or improper means. All content is submitted in good faith to expose and document systemic compliance failures and risks to public interest, consistent with applicable law.


This site is not affiliated with or endorsed by QBE or Mphasis. All trademarks are used under nominative fair use and for the purpose of whistleblower reporting and public interest disclosure.
