Tumbleweed and Tunitas Group Partner To Offer Quick-Start Program For HIPAA-Compliant Secure E-mail

REDWOOD CITY, Calif.–(BUSINESS WIRE)–Sept. 15, 2003– Tumbleweed(r) Communications Corp. (NASDAQ:TMWD – News), a leading provider of mission-critical Internet communications software for enterprises, financial services organizations and government, announced today a strategic agreement with Tunitas Group, a healthcare consulting firm that helps clients plan and implement their electronic business and communications initiatives. Under this agreement, Tunitas Group will offer the HIPAA Accelerator for Secure Redirect(TM) to help Tumbleweed customers develop their enterprise-wide strategy for securing e-mail channels with covered entities, business associates, and plan members/patients.

Tumbleweed’s secure e-mail product, Tumbleweed Secure Redirect(TM), allows healthcare organizations to automatically identify, encrypt and deliver e-mail containing protected health information (PHI), regardless of what e-mail client users have on their desktops. The HIPAA Accelerator Program offers Tumbleweed Secure Redirect customers a practical, hands-on workshop for developing the policy and procedures that encapsulate the customer’s secure e-mail strategy and which unleash the power of Secure Redirect to securely communicate PHI.

“Secure e-mail policy can be quite complex for the typical healthcare organization due to the dynamic nature and the breadth of purpose for which patient information is shared with large numbers of healthcare trading partners, business associates, and professionals,” said Ann Geyer, Tunitas Group Healthcare Practice Partner. “The development cycle for establishing policy and standardized procedures is often lengthy causing deferred or incomplete implementations. The HIPAA Accelerator for Secure Redirect program is designed to shorten the implementation cycle, simplify the management of secure e-mail, and thereby maximize the organization’s Tumbleweed investment.”

Using a proven best-practices approach, Tunitas Group consultants work closely with the organization’s team, including privacy officers, security officers, e-mail administrators, medical records staff etc., to develop messaging policies and procedures for authentication, encryption, and disclosure management consistent with their HIPAA privacy and security compliance requirements.

The HIPAA Accelerator for Secure Redirect program includes the following activities:

— Review of existing e-mail policies, with recommendations to bring them into compliance with HIPAA privacy and security regulations, trading partner requirements, and patient/physician expectations

— Establish trading partners profiles describing their capabilities and requirements for secure communications

— Train client staff on procedures for translating organizational e-mail privacy and security policy into Tumbleweed configurations appropriate for the following technologies:

— Gateway-to-gateway S/MIME
— Gateway-to-desktop S/MIME
— Browser-based, password-protected Secure Envelope(TM)
— Browser-based, authenticated HTTPS delivery

— Establish procedures for responding to non-compliant messages from HIPAA covered entities or business associates

— Outline ongoing audit requirements

— Recommend Tumbleweed product configurations to support audit data collection requirements

— Develop recommendations for incorporating secure messaging requirements into trading partner and/or business associate agreements

— Prepare a flexible work plan to implement the exchange of secure messages, based on the policies, strategies, and procedures created during the workshop

“Many people do not realize that regular e-mail is not secure, and yet e-mail is becoming a mission-critical way to communicate with trading partners, physicians, patients, members and other covered entities,” said Dave Jevans, Senior Vice President of Marketing for Tumbleweed Communications. “We’re pleased to offer our customers the business and technical expertise that Tunitas Group brings to secure messaging and HIPAA compliance. Their years of experience guiding healthcare IT organizations will help our customers build out and manage the secure communications infrastructures that are so needed in the healthcare and insurance industries.”

About the Tumbleweed Secure Redirect

Tumbleweed Secure Redirect is server software that automatically secures and encrypts outbound enterprise e-mail based on company-defined security policies – without user intervention. Through intelligent, policy-based routing and encryption, Secure Redirect enables organizations to safely use e-mail to communicate with customers, partners, and suppliers by automatically applying the most appropriate security delivery method for each recipient. Secure Redirect offers numerous ways of delivering secure e-mail, including S/MIME encrypted e-mail, secure web delivery with e-mail notification, and Secure Envelope encrypted attachments. This multi-channel capability delivers the industry’s broadest set of secure delivery options to ensure ease of use and rapid adoption, regardless of what e-mail client users have on their desktops.

Tumbleweed Secure Redirect is based on Tumbleweed’s MMS e-mail firewall. The MMS e-mail firewall is rated by Information Security Magazine as the #1 e-mail firewall software for large enterprises, and is currently in use at over 400 of the largest, most demanding messaging infrastructures in the world. Tumbleweed MMS is an enterprise-class e-mail firewall for protecting, filtering and securing e-mail traffic at the Internet gateway. MMS manages the organization’s mission-critical e-mail stream with an integrated set of anti-spam, anti-virus, anti-hacker, content filtering, e-mail relay, and encrypted messaging capabilities – minimizing e-mail communications risks and reducing e-mail management costs.

About Tunitas Group

Tunitas Group specializes in electronic commerce, communications, and data exchange strategies for healthcare organizations. It offers a unique combination of operations, technology, security, and legal disciplines to assist healthcare organizations improve their internal systems and business processes to become more efficient electronic trading partners. Tunitas Group provides HIPAA privacy and security compliance assessment and remediation services to healthcare providers and health plans. The company takes an active role in healthcare compliance, technology, and standards initiatives. For more information about Tunitas Group, visit www.tunitas.com.

About Tumbleweed Communications Corp.

Tumbleweed is a leading provider of mission-critical Internet communications software products for enterprises, financial services organizations and government. By making Internet communications secure, reliable and automated, Tumbleweed’s e-mail firewall, secure file transfer, secure e-mail, and identity validation solutions help customers significantly reduce the cost of doing business. Tumbleweed products are used by millions of end-users and tens of thousands of corporations. Tumbleweed customers include ABN Amro, Bank of America Securities, Catholic Healthcare West, JP Morgan Chase & Co., The Regence Group (Blue Cross/Blue Shield), Society for Worldwide Interbank Financial Telecommunication (SWIFT), St. Luke’s Episcopal Healthcare System, the US Food and Drug Administration, and the US Navy and Marine Corps. Tumbleweed Communications was founded in 1993 and is headquartered in Redwood City, Calif. For additional information about Tumbleweed go to www.tumbleweed.com or call 650-216-2000.

SAFE HARBOR STATEMENT

Except for the historical information contained herein, the matters discussed in this press release may constitute forward-looking statements that involve risks and uncertainties that could cause actual results to differ materially from those projected, particularly with respect to the characteristics of Tumbleweed’s products and services, the potential benefits of those products in commercial healthcare use and potential sales of those products in the healthcare market. In some cases, forward-looking statements can be identified by terminology such as “may,” “will,” “should,” “potential,” “continue,” “expects,” “anticipates,” “intends,” “plans,” “believes,” “estimates,” and similar expressions. For further cautions about the risks of investing in Tumbleweed, we refer you to the documents Tumbleweed files from time to time with the Securities and Exchange Commission, particularly Tumbleweed’s Annual Report on Form 10-K filed June 4, 2003, and Quarterly Report on Form 10-Q filed August 14, 2003.

Tumbleweed assumes no obligation to update information contained in this press release, which represents the Company’s expectations only as of the date of this release and should not be viewed as a statement about the Company’s expectations after such date. Although this release may remain available on the Company’s website or elsewhere, its continued availability does not indicate that the Company is reaffirming or confirming any of the information contained herein.