ClickCease
Brown, LLC Secures Back-to-Back Nine-Figure Whistleblower Settlements — $950M (Raytheon) and $350M (Walgreens). Learn More... ×
Home Blog You Took Documents Showing Fraud. Now the Company Is Threatening to Sue

You Took Documents Showing Fraud. Now the Company Is Threatening to Sue

April 2, 2026
You Took Documents Showing Fraud. Now the Company Is Threatening to Sue

Table of Contents

What Whistleblowers Need to Know About HIPAA, Trade Secrets, and Federal Whistleblower Programs

When insiders see fraud, they often make the same mistake. They focus only on the fraud. They do not focus on how the evidence was handled. Then the company’s threat arrives: return all documents, preserve devices, cease disclosure, expect claims for confidentiality breaches, trade secret misuse, privacy violations, or worse. At that point, the case is no longer just about misconduct inside the company. It is also about whether the whistleblower preserved evidence in a way the law will protect.

That is why this issue is more important now, not less. Federal whistleblower channels keep expanding and becoming more specialized. Treasury and FinCEN have now moved to fully implement the AML whistleblower framework, while the SEC, CFTC, IRS, and False Claims Act each operate under different rules, deadlines, award structures, and confidentiality mechanics. A good whistleblower lawyer does not just “report fraud.” A good whistleblower lawyer chooses the right lane and prevents the evidence problem from swallowing the fraud case.

You Took Documents. Now What?”

Can a Whistleblower Take Documents to Prove Fraud?

Sometimes a narrow disclosure is protected. Sometimes it is not. There is no blanket rule that says a whistleblower may freely copy, forward, keep, or distribute company records just because the records show wrongdoing. Courts and statutes tend to ask narrower questions: How were the documents obtained? To whom were they given? Were they relevant? Was there a less intrusive way to preserve the evidence? Did special confidentiality rules apply?

Speak with the Lawyers at Brown, LLC Today!

Over 100 million in judgments and settlements trials in state and federal courts. We fight for maximum damage and results.

Report Fraud Online 877-561-0000

The Sixth Circuit’s decision in Niswander is a useful warning. The court said the analysis requires “careful balancing,” then listed factors such as how the documents were obtained, to whom they were produced, their relevance, the employer’s privacy policy, and whether the employee could have preserved the evidence without violating that policy. The court ultimately concluded the employee’s production of confidential documents was not reasonable under that framework.

But the facts can cut the other way when the conduct is limited and targeted. In Deltek v. DOL, the Fourth Circuit upheld protection on a narrow record where the employee forwarded only documents relevant to her whistleblowing reports, reasonably feared destruction, and acted to support her Sarbanes-Oxley allegations. The court distinguished cases involving “indiscriminate” misappropriation of proprietary material.

The practical point is simple: a whistleblower case gets much stronger when the evidence handling is disciplined. Mass downloading, broad forwarding, side-channel sharing, or keeping materials that are only loosely related to the misconduct can create avoidable problems. Focused preservation and controlled disclosure to counsel or the proper agency are much safer facts.

Can an Employer Sue a Whistleblower for Taking Confidential Documents?

Yes, employers do threaten that, and sometimes they do more than threaten. Trade secret law, confidentiality agreements, privacy obligations, and program-specific nondisclosure rules can all become part of the fight. That is exactly why “I had proof” is not enough. The proof still has to be handled correctly.

Federal trade secret law gives whistleblowers an important but limited safe harbor. Under 18 U.S.C. § 1833(b), a person is immune from civil or criminal liability under federal or state trade secret law for a disclosure made in confidence to a government official or an attorney, solely to report or investigate a suspected violation of law, or for a disclosure in a lawsuit filing made under seal. The same statute also allows use of trade secret information in an anti-retaliation lawsuit if the material is disclosed to the person’s attorney and filed under seal, with no further disclosure except by court order.

That protection is powerful, but it is not unlimited. The same statute expressly says that, except as provided there, nothing in the immunity provision authorizes or limits liability for conduct otherwise prohibited by law, “such as the unlawful access of material by unauthorized means.” That is one reason a quality whistleblower attorney matters so much. The attorney’s job is not only to assess the fraud. It is to keep the evidence path inside the protected channel.

What Is the HIPAA Whistleblower Exception?

This is where many healthcare insiders get bad advice.

HIPAA does not create an SEC-style bounty program. In healthcare matters, HIPAA is often relevant because it limits and shapes how protected health information can be disclosed, while the money-recovery vehicle may be something else, such as a False Claims Act case or another enforcement path. The key HIPAA rule is 45 C.F.R. § 164.502(j)(1). It says a covered entity is not considered to have violated the HIPAA Privacy Rule if a workforce member or business associate discloses protected health information when two conditions are met: first, the person has a good-faith belief that the covered entity engaged in unlawful conduct, violated professional or clinical standards, or created conditions potentially endangering patients, workers, or the public; second, the disclosure is made either to a health oversight agency, a public health authority, an appropriate accreditation organization, or to an attorney retained to determine the whistleblower’s legal options.

That exception is narrow. It is not a permission slip to blast patient records to coworkers, the press, social media, or anyone else outside the channels the regulation identifies. The safer reading is the obvious one: if PHI is involved, the disclosure must stay tightly confined to the recipients and purposes listed in the rule.

HHS also says anyone can file a HIPAA complaint with OCR, that complaints generally must be filed within 180 days of when the complainant knew of the conduct, and that HIPAA and Part 2 prohibit retaliation for filing a complaint. So for a healthcare insider, the right move is usually not “send the file everywhere.” The right move is: preserve the issue, route the matter through counsel, and use the narrow regulatory channels that actually exist.

HIPAA Whistleblower Exception Explained

Why Healthcare Whistleblowers Often Need Both HIPAA Analysis and Fraud Analysis

Many healthcare insiders think their case is “a HIPAA case” when it is really a fraud case with HIPAA complications. If the misconduct is false billing, medically unnecessary services, kickbacks, manipulation of coding, or fraud on Medicare or Medicaid, the False Claims Act may be the more powerful enforcement mechanism. DOJ’s False Claims Act materials explain that qui tam complaints are filed under seal, served on the government with a disclosure of material evidence, and investigated before the defendant is served. The relator may receive 15% to 25% of the proceeds if the government intervenes and 25% to 30% if it declines and the relator proceeds successfully. The FCA also protects employees, contractors, and agents from retaliation for lawful acts in furtherance of an FCA action or other efforts to stop violations.

That sealed structure matters. In a properly handled healthcare fraud case, counsel can often evaluate what evidence is needed, what should not be further copied, how PHI should be handled, whether OCR should be involved, and whether the stronger path is a sealed FCA filing instead of uncontrolled internal escalation.

Which whistleblower program applies to your case?

False Claims Act whistleblower cases

If the fraud involves federal money, the FCA is often the first program to examine. That includes many healthcare reimbursement schemes, grant fraud, procurement fraud, and other false claims to the government. The complaint must be filed under seal, and the relator’s share generally runs 15% to 25% if the government intervenes and 25% to 30% if it does not. The anti-retaliation provision protects lawful acts to pursue or stop FCA violations.

SEC whistleblower program

If the case involves securities fraud, accounting fraud, public company disclosures, market manipulation, or related federal securities law issues, the SEC program may be the right channel. The SEC says eligible whistleblowers can receive 10% to 30% of money collected when the information leads to an SEC enforcement action with more than $1 million in sanctions ordered. The SEC also states that Dodd-Frank retaliation protections require that the person have reported the possible securities law violation to the SEC in writing before the retaliation. And SEC Rule 21F-17 bars actions that impede reporting, including threatening to enforce confidentiality agreements against direct SEC communications.

That combination is important for search-intent reasons and for real cases. A severance agreement, NDA, or internal confidentiality policy is not the last word in an SEC matter. But that still does not mean indiscriminate copying is safe. It means the reporting path should be structured correctly.

CFTC whistleblower program

If the misconduct involves commodities, derivatives, spoofing, manipulation, or certain digital-asset conduct in the CFTC’s jurisdiction, the CFTC program belongs on the list. The agency says the program can pay 10% to 30% of what the CFTC collects when the whistleblower’s information leads to a successful enforcement action with monetary sanctions exceeding $1 million, and it provides confidentiality and anti-retaliation protections.

IRS whistleblower program

If the problem is tax fraud, offshore concealment, payroll tax evasion, abusive tax structures, or hidden taxable income, the IRS program is often the correct federal lane. The IRS says awards generally run 15% to 30% of proceeds collected from the noncompliant taxpayer. Its current overview also states that statutory awards are paid when the amount identified exceeds $2 million, and if the taxpayer is an individual, that person must have at least $200,000 in gross income. DOJ’s FCA primer separately notes that the False Claims Act does not apply to tax claims under the Internal Revenue Code, which is another reason proper program selection matters.

FinCEN / AML whistleblower program

If the case involves anti-money laundering failures, Bank Secrecy Act violations, sanctions evasion, IEEPA, TWEA, or related illicit finance conduct, the FinCEN program is now a major development. FinCEN says individuals may be eligible for awards when their information leads Treasury or DOJ to a successful enforcement action with monetary penalties over $1 million. Treasury’s new proposed rule would formalize the award and adjudication framework and provides for 10% to 30% of collected monetary penalties.

But AML evidence has its own traps. FinCEN states that financial institutions and their employees may not disclose to a person involved in the transaction that a SAR has been filed, and FinCEN guidance says institutions are generally prohibited from disclosing a SAR or information that would reveal the existence of a SAR. That means AML insiders, especially bank employees, need counsel who understands not only whistleblower law but also SAR confidentiality.

Why Retaining a Quality Whistleblower Attorney Matters More Than Ever

Because the legal issue is not just “Do you have proof?” The real issue is a bundle of narrower questions:

  1. Is the evidence relevant enough to justify the risk?
  2. Does a specific statute create a protected channel for disclosure?
  3. Does the material include PHI, trade secrets, or SAR-related information?
  4. Should the matter go through a sealed FCA filing, an SEC TCR, an IRS submission, an OCR complaint, or a FinCEN tip?
  5. Has retaliation already occurred, and if so, under which statute?

Those questions do not get answered correctly by generic employment-law advice. They get answered by counsel who knows the difference between a HIPAA whistleblower exception, DTSA sealed-use rules, SEC anti-impediment rules, FCA seal mechanics, and AML confidentiality restrictions.

The wrong response at the wrong moment can damage a strong case. So can the wrong silence. A good whistleblower attorney can often do three things at once: protect the evidence, protect the client, and protect the underlying claim. That is the point.

What Should You Do if Your Company Is Threatening to Sue After You Took Documents?

Stop collecting more material. Do not delete anything. Do not annotate, alter, or “clean up” files. Do not send anything to friends, family, reporters, or coworkers. Preserve the threat letter, your timeline, and what you already have. Then get program-specific whistleblower counsel before you respond. The safest next step is usually not another round of self-help. It is a controlled legal strategy.

In healthcare, that strategy may depend on the HIPAA whistleblower exception and whether the stronger fraud vehicle is a sealed FCA filing. In securities, it may depend on getting a proper written SEC submission on file. In AML, it may depend on avoiding a SAR-confidentiality problem while presenting the misconduct through FinCEN’s whistleblower channel. In tax matters, it may mean not forcing an FCA theory onto a case that belongs with the IRS.

Does HIPAA Let a Whistleblower Take Patient Records?

HIPAA has a narrow whistleblower exception. It can protect a disclosure of PHI by a workforce member or business associate who acts in good faith and discloses only to the limited recipients named in 45 C.F.R. § 164.502(j)(1), including an attorney or the proper oversight body. It is not a broad right to circulate patient records.

Can an NDA Stop Me From Reporting to the SEC?

Not lawfully, if the agreement impedes direct communication with the SEC about possible securities law violations. The SEC says Rule 21F-17 prohibits actions that impede reporting, including threatening to enforce confidentiality agreements with respect to those communications.

Is There a Federal Law That Protects Whistleblowers Who Disclose Trade Secrets to a Lawyer?

Yes, but it is limited. 18 U.S.C. § 1833(b) protects confidential disclosures of trade secrets to a government official or attorney solely to report or investigate a suspected violation of law, and also protects certain sealed court filings. It does not authorize otherwise unlawful access or broad disclosure.

Which Program Pays Whistleblowers in AML Cases?

FinCEN’s program is the key current AML / sanctions lane. FinCEN says eligible information can lead to awards when Treasury or DOJ obtains monetary penalties exceeding $1 million, and Treasury’s proposed rule would pay 10% to 30% of collected penalties.

Which program Pays Whistleblowers in Tax Cases?

The IRS program. The IRS says awards generally run 15% to 30% of proceeds collected, and its current overview states that statutory awards apply when the amount identified exceeds $2 million, with an additional income threshold for individual taxpayers.

Reviewed by

Jason T. Brown

Jason T. Brown

Head of the firm and a seasoned trial attorney with results nearing, if not exceeding, the billion-dollar mark. A former FBI Legal Advisor and Special Agent, Mr. Brown is dedicated to protecting whistleblowers and pursuing justice.

Categories