TL;DR - netstat assigned the wrong application to the ports in use.
Basically, the netstat incorrectly identified rocket chat as the application using the ports and connection. In reality, it is a new screen capture program (that isn’t identified at all in netstat) that was sending the recorded screen footage to cloud storage via ssh. So, false alarm, people.
I’m still trying to figure out why the traffic was dependent on the rocket chat being up in an application or browser. It’s possible that the machine thinks that the capture software is integrated and is not capturing data when chat is not open. This would explain why the clients differ in the amount of SSH traffic each day, as well as some stations sending more data than others even though there is a user there for the same amount of time. Our users are not all using Rocket Chat at the same degree and some do not keep the application open all day, it seems. Still puzzling that one out.
Thanks everyone for the help!! And for he reminder to tell what happened. I hate not seeing the resolution when I’m searching forums like this.