Blue Cross and Blue Shield of Kansas City Selects Tumbleweed’s E-Mail Firewall To Fight Spam, Block Viruses and Ensure HIPAA Compliance

Redwood City, CA – September 30, 2003 – Tumbleweed Communications Corp. (NASDAQ:TMWD), a leading provider of mission-critical Internet communications software for enterprises, financial services organizations and government, announced today that Blue Cross and Blue Shield of Kansas City has chosen Tumbleweed’s integrated e-mail firewall to fight spam, detect and kill computer viruses, and transparently secure e-mail communications with hospitals, brokers, physicians, and members. Tumbleweed has over 100 healthcare customers, including 19 Blue Cross Blue Shield organizations.

Blue Cross and Blue Shield of Kansas City (BCBSKC), with nearly 1,500 employees serving over 830,000 members across 32 counties in Northwest Missouri and Northeast Kansas, wanted to ensure the protection and privacy of patient data sent through e-mail. While the data security group was evaluating messaging security solutions for compliance with the Health Insurance Portability and Accountability Act (HIPAA), their network administrators were investigating ways to reduce spam, which had grown to be 50% of their total inbound e-mail volume. Each team independently realized that the best solution to their problem required content filtering of their e-mail stream to analyze messages and take specific actions based on the nature of the content, from recognizing and encrypting patient data to identifying and blocking unwanted or offensive messages. After comparing notes, the teams decided to bring together these two initiatives and look for an integrated e-mail firewall product that uses content filtering technology to deliver integrated anti-spam, anti-virus, and encrypted e-mail capabilities. The benefits of acquiring a single, best-of-breed solution include reduced administration costs and fewer points of failure in the company’s mission-critical e-mail stream.

After evaluating several products, Blue Cross and Blue Shield of Kansas City chose to acquire Tumbleweed MMST, an integrated e-mail firewall platform that includes the MMS Dynamic Anti-spam ServiceT to automate Spam filtering, and MMS Secure RedirectT to identify and selectively encrypt e-mail containing Protected Health Information (PHI).

“We had two related objectives – we wanted to proactively protect the privacy of nearly a million plan members, and we also wanted to protect our employees and network from offensive and time-wasting spam,” said Erich Bublitz, Senior Security Analyst for Blue Cross and Blue Shield of Kansas City, “Tumbleweed’s integrated e-mail firewall product gives us best-in-class capabilities in these areas, as well as gateway-based anti-virus protection. This allows us to avoid the costs and risks of having multiple, different, and sometimes immature point products in our e-mail environment, reducing our administration costs and minimizing points of failure.”

Fighting Spam with an E-mail Firewall
Blue Cross and Blue Shield of Kansas City estimates that 50% of the e-mail they receive is spam. This was becoming an increasingly significant business problem, as more and more network storage and bandwidth was eaten up, and as employees spent more and more time searching through their inboxes to find business related messages. In addition, the Human Resources and Legal organizations within BCBSKC were becoming concerned about potential legal liability if they did not take action to stop pornographic and other types of spam. This had also become an issue with high visibility with their CEO and CIO, who were concerned about the time and costs wasted by spam. The network administration team tasked with solving the problem wanted to find a best-in-class anti-spam solution that could capture 80%-90% of the spam coming into their organization, with a false positive rate of less than 1%. After evaluating the Tumbleweed MMS Dynamic Anti-spam Service for 2 weeks, they found that they were capturing 98% of the inbound spam, with a false positive rate of less than 1%. These results were so compelling that they decided to leave the evaluation system running in production, and acquired the software.

Encrypting E-mail with PHI is Just Good Business
BCBSKC must comply with the privacy and security regulations of HIPAA, which require health plans and hospitals to ensure the confidentiality and security of all electronic PHI. “Whether its required by HIPAA or not, encrypting e-mail that contains PHI is just good business practice” said Bublitz. “Our members trust us with very sensitive health-related information, and we must ensure that we don’t violate that trust. Encrypting e-mail provides us with an extra measure of security as it relates to HIPAA compliance.” BCBSKC put together a set of requirements for this secure messaging capability, including an ability to inspect each outbound e-mail to determine if it contains PHI, and the ability to encrypt and securely deliver the message to the recipient without the need for any client-side software. BCBSKC found that Tumbleweed’s MMS Secure Redirect product provides best-in-class secure messaging capabilities as part of an integrated e-mail firewall. The Privacy Office of BCBSKC is currently extending the HIPAA lexicon that ships with the Tumbleweed MMS product with an additional set of keywords and pattern matching rules that allow them to find BCBSKC member identifiers in an e-mail – for example, the member’s medical record number or social security number.

“E-mail is now a mission critical service for businesses. We are seeing more and more organizations like Blue Cross and Blue Shield of Kansas City looking to consolidate the many point products they have between their firewall and corporate mail servers,” said David Jevans, SVP Marketing for Tumbleweed Communications. “By investing in mature, integrated e-mail management technologies like Tumbleweed’s e-mail firewall, organizations can get the protection and security they need to do business over the Internet while ensuring the reliability and productivity of this critical resource.”

Tumbleweed MMS E-mail Firewall
Tumbleweed MMS has been recognized as the #1 enterprise software solution for fighting spam according to Network World (http://www.nwfusion.com/reviews/2003/0915spam.html), and the #1 e-mail firewall software for large enterprises by Information Security Magazine. MMS protects, filters and secures e-mail traffic at the Internet gateway with an integrated set of anti-spam, anti-virus, anti-hacker, content filtering, e-mail relay, and encrypted messaging capabilities — minimizing e-mail communications risks and reducing e-mail management costs. MMS is used by over 400 of the largest, most demanding messaging infrastructures in the world, and is available in both appliance and software editions.

Tumbleweed’s Dynamic Anti-spam Service (DAS) is an Internet-based subscription service that updates the Tumbleweed MMS e-mail firewall with new heuristic defenses as they are published, similar to the way anti-virus engines work. The e-mail firewall includes a highly effective Spam Analysis Engine, which automates the identification of spam using powerful heuristics-based analysis technology; typical customers see an immediate 90%+ capture rate with one-tenth of one percent false positive rate before tuning. Tumbleweed’s Message Protection Lab develops and publishes the heuristic updates: the Lab is staffed by experts who continually analyze spam to identify new spammer trends and tactics, and create and publish new heuristics to stop them. The Lab analyzes both spam and legitimate e-mail gathered internationally and provided by enterprise customers, to ensure that the Dynamic Anti-spam Service minimizes false positives in a business environment.

Tumbleweed MMS Secure Redirect automatically secures and encrypts outbound e-mail based on company-defined security policies — without user intervention. Through intelligent, policy-based routing and encryption, Secure Redirect enables organizations to safely use e-mail to communicate with customers, partners, and suppliers by automatically applying the most appropriate security delivery method for each recipient. Secure Redirect offers numerous ways of delivering secure e-mail, including S/MIME to the gateway or desktop, online web delivery with e-mail notification, and offline web delivery via Secure EnvelopeT. This represents the industry’s broadest set of proven secure delivery options, ensuring ease of use and rapid adoption, regardless of what e-mail client users have on their desktops.

About Blue Cross and Blue Shield of Kansas City
Blue Cross and Blue Shield of Kansas City is the largest provider of health plans in a 32-county area serving greater Kansas City and Northwest Missouri. The company offers a number of benefit programs that can be included in many group health plans for area employers. Blue Cross and Blue Shield of Kansas City is an independent licensee of the Blue Cross and Blue Shield Association.

About Tumbleweed Communications Corp.
Tumbleweed is a leading provider of mission-critical Internet communications software products for enterprises, financial services organizations and government. By making Internet communications secure, reliable and automated, Tumbleweed’s email firewall, secure file transfer, secure email, and identity validation solutions help customers significantly reduce the cost of doing business. Tumbleweed products are used millions of end-users and tens of thousands of corporations. Tumbleweed customers include ABN Amro, Bank of America Securities, Catholic Healthcare West, JP Morgan Chase & Co., The Regence Group (Blue Cross/Blue Shield), Society for Worldwide Interbank Financial Telecommunication (SWIFT), St. Luke’s Episcopal Healthcare System, the US Food and Drug Administration, and the US Navy and Marine Corps. Tumbleweed Communications was founded in 1993 and is headquartered in Redwood City, California. For additional information about Tumbleweed go to www.tumbleweed.com or call 650/216-2000.

SAFE HARBOR STATEMENT

Except for the historical information contained herein, the matters discussed in this press release may constitute forward-looking statements that involve risks and uncertainties that could cause actual results to differ materially from those projected, particularly with respect to the benefits and characteristics of Tumbleweed’s products and services. In some cases, forward-looking statements can be identified by terminology such as “may,” “will,” “should,” “potential,” “continue,” “expects,” “anticipates,” “intends,” “plans,” “believes,” “estimates,” and similar expressions. For further cautions about the risks of investing in Tumbleweed, we refer you to the documents Tumbleweed files from time to time with the Securities and Exchange Commission, particularly Tumbleweed’s Annual Report on Form 10-K filed June 4, 2003, and Quarterly Report on Form 10-Q filed August 14, 2003.

Tumbleweed assumes no obligation to update information contained in this press release, which represents the Company’s expectations only as of the date of this release and should not be viewed as a statement about the Company’s expectations after such date. Although this release may remain available on the Company’s website or elsewhere, its continued availability does not indicate that the Company is reaffirming or confirming any of the information contained herein.