Massachusetts Health Data Consortium Convening Internet Security Vendors To Work Towards Standardization

This press release was issued by the Massachusetts Health Data Consortium

BOSTON, MA - October 31, 2000 - Tumbleweed® Communications Corp. (Nasdaq:TMWD), The Massachusetts Health Data Consortium (http://www.mahealthdata.org), as part of a five-state, grant funded initiative called HealthKey, has begun working with a group of leading security vendors in an effort to win end-user confidence in the ability of Internet encryption products to work seamlessly with one another. The Consortium and the six vendors plan to demonstrate inter-operability and to produce a draft standard for secure Email transmission by April 2001. This initiative is a pro-active response to Federal regulations targeted for release later this year that will require healthcare organizations to assure the security of Emails that contain personally identifiable information.

The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, mandates the standardization of healthcare administrative transactions, the security of electronic systems and networks, and the privacy of healthcare data. Healthcare organizations will have two years to comply with these requirements after the release of the final regulations. The Massachusetts Health Data Consortium initiative targets the secure transmission of private healthcare information by electronic mail over the Internet. Currently, the vast majority of Email that traverses the Internet is not technically protected in any way. For healthcare, in particular, this lack of security can lead to an unacceptable exposure of confidential information.

John Halamka, MD, Chief Medical Information Officer of CareGroup, a Boston-based Integrated Delivery System, says: "Federal regulations and the American public are demanding that the healthcare industry address the issues of data confidentiality and security. The software products offered by security technology vendors are based on the same standard - S/MIME. However, they use different methods to establish encrypted links and as a result their products often cannot talk to one another. Massachusetts is pro-actively taking the lead with these vendors to address the issue of inter-operability." Dr. Halamka is a member of the Affiliated Health Information Networks of New England, a project of the Massachusetts Health Data Consortium and executive sponsor of this initiative.

S/MIME (Secure/Multi-purpose Internet Mail Extensions) is the most widely available Email security standard. S/MIME requires an organization to issue a "digital certificate" to each Email user and for the user to store this certificate on their desktop computer. A digital certificate is like a passport or driver's license that contains a code that uniquely identifies the individual using the computer. Using these unique codes, individuals can encrypt and decrypt messages with their correspondents. However, for any organization which has individuals that come and go, issuing and revoking certificates and training new users has the potential to make the management of an S/MIME infrastructure complicated and potentially expensive.

The Massachusetts Health Data Consortium has identified six vendors offering products that can potentially simplify the transmission of secure Emails for an organization resulting in substantial cost savings. These solutions, based on extensions to S/MIME, rely on issuing organization-level rather than individual digital certificates. All Email traffic is then encrypted and decrypted at the "organizational border" rather than at the individual user's computer. The six vendors are Baltimore Technologies, Content Technologies (which was acquired by Baltimore Technologies on October 25, 2000), TenFour Email Security Solutions, Tumbleweed Communications, Vanguard Security Technologies, and Viasec, Ltd. The software solutions they offer have been labeled S/MIME Gateways.

Although have there have been some efforts among the six vendors to get their products to work together, inter-operability has not been pursued in an organized fashion. In the healthcare industry, there is a desire to explore S/MIME Gateways as a solution, but requirements vary among the various healthcare organizations. The goal of the Massachusetts HealthKey Project is to pursue full inter-operability among S/MIME Gateway products so that healthcare organizations can choose among the vendors' offerings based on their requirements and be confident that they can exchange encrypted Emails with other organizations using any one of the vendors' products.

The Massachusetts Health Data Consortium has established a workgroup of the six S/MIME Gateway vendors to develop this inter-operability. The workgroup plans on demonstrating inter-operability and having a draft standard available by April 2001. The vendors will work with the Secure E-Business Technology Center of Deloitte & Touche LLP to simulate a multi-organizational Email environment and demonstrate inter-operability.

This project is being undertaken as part of the second phase of a two-year $2.5 million grant from The Robert Wood Johnson Foundation (RWJF) to five state health information organizations. The RWJF grant, known as the HealthKey program (http://www.healthkey.org), is helping to fund pilot implementations of security technologies in the healthcare industry and to define best practices for protecting the privacy of individuals whose healthcare information is transmitted electronically. The HealthKey grantees in Massachusetts, Minnesota, North Carolina, Utah, and Washington hope to document the business and social implications of these security technologies and privacy practices for the healthcare industry.

In addition to the Massachusetts Health Data Consortium, the other four health information organizations receiving RWJF grant monies are Minnesota Health Data Institute, North Carolina Healthcare Information and Communications Alliance, Inc., Utah Health Information Network, and the Pacific Northwest-based Community Health Information Technology Alliance, which is a program of the Foundation for Health Care Quality in Seattle.

About the Robert Wood Johnson Foundation
The Robert Wood Johnson Foundation, based in Princeton, NJ, is the nation's largest philanthropy devoted exclusively to health and health care. It concentrates its grant making in three goal areas: to assure that all Americans have access to basic health care at reasonable cost; to improve care and support for people with chronic health conditions; and to reduce the personal, social and economic harm caused by substance abuse - tobacco, alcohol and illicit drugs. (See: http://www.rwjf.org).

About The Massachusetts Health Data Consortium
The Massachusetts Data Consortium was founded in 1978 by the state's major public and private healthcare organizations to serve as a neutral agency to collect, analyze and disseminate health care information. In 1995, Elliot M. Stone, the Consortium's CEO, helped found the Affiliated Health Information Networks of New England project, a collaborative effort currently consisting of the chief information officers of 25 healthcare organizations and 8 information technology companies/consultants. The mission of the Affiliated Networks is "to improve the region's health care information infrastructure by fostering the growth of a variety of health information networks, building on systems already in place, while encouraging collaboration and standardization among these networks." (See http://www.mahealthdata.org).

About the Minnesota Health Data Institute
The Institute is a non-profit public-private partnership established in 1993 by the Minnesota Legislature to support the information needs of consumers, purchasers, providers, plans and other stakeholders in measuring and improving the quality and efficiency of health care services in Minnesota. One of its programs is the Minnesota Center for Healthcare Electronic Commerce (MCHEC), the first independent education and resource center dedicate exclusively to promoting the use of electronic commerce within the health care industry. (See http://www.mhdi.org).

About the North Carolina Healthcare Information and Communications Alliance, Inc.
The North Carolina Healthcare Information and Communications Alliance, Inc. (NCHICA) is a nonprofit consortium of over 150 health care providers, health plans, professional associations, government agencies, health research and pharmaceutical companies, and vendors who collaborate to plan and implement standards-based technology to improve health care in the region. Formed in 1994 by Executive Order of Governor James B. Hunt, Jr. and under the leadership of executive director Holt Anderson, NCHICA has been very active in the development of model privacy legislation, secure Internet technologies and clinical applications that require the innovative application of technology and communications. (See http://www.nchica.org).

About the Utah Health Information Network
The Utah Health Information Network is a broad-based coalition of health care insurers, providers, and other interested parties, including State government. UHIN participants have come together for the common goal of reducing health care administrative costs through standardization of administrative health data and electronic commerce. UHIN operates as a centralized, secure information clearinghouse through which health care transactions are processed in Utah. (See http://www.uhin.com).

About the Community Health Information Technology Alliance
Based in the Pacific Northwest, CHITA is the Community Health Information Technology Alliance. Part of the non-profit Foundation for Health Care Quality, CHITA's purpose is to improve the effectiveness of the health system by expanding the use of electronic business in a manner that will serve and protect the consumers of health care and the members of CHITA. CHITA was founded in 1997 and membership includes hospitals and health care provider organizations, insurance companies and state agencies. (See http://www.chita.org).

About Baltimore Technologies
Baltimore Technologies employs over 800 people worldwide and operates from over 30 cities with headquarters in Dublin, Ireland; London, UK; Boston, USA and Sydney, Australia. Baltimore Technologies plc is a public company with dual listings on NASDAQ (BALT) and the London Stock Exchange (BLM). On October 25, Baltimore Technologies acquired Content Technologies, developers of the MIMEsweeper range of products and the market leader in content security solutions (http://www.contenttechnologies.comEm). On October 4, Baltimore Technologies announced its agreement to acquire Nevex, an innovator in policy-driven authorization technology for secure e-business deployments. For further information visit http://www.baltimore.com.

About Tumbleweed Communications Corp.
Tumbleweed is a leading provider of solutions for managing secure communication and collaboration to enable the business Internet. Tumbleweed's robust policy-based framework empowers organizations to safely share and protect critical information, increase customer loyalty and privacy and dramatically reduce costs. Tumbleweed is trusted by 1,000 blue-chip customers including American Express, Chevron, Datek Online, the European Union's Joint Research Council, First Union Wachovia, John Deere, Merrill Lynch, Nike, Northern Trust, NTT, Salomon Smith Barney, Travelers and US Food and Drug Administration. One hundred of the Fortune 500 are Tumbleweed customers. Tumbleweed Communications was founded in 1993 and is headquartered in Redwood City, Calif., with offices around the world.

Except for the historical information contained herein, the matters discussed in this press release may constitute forward-looking statements that involve risks and uncertainties that could cause actual results to differ materially from those projected, particularly with respect to the security features of Tumbleweed's products and the activities of any third party. In some cases, forward-looking statements can be identified by terminology such as "may," "will," "should," "potential," "continue," "expects," "anticipates," "intends," "plans," "believes," "estimates," and similar expressions. For further cautions about the risks of investing in Tumbleweed, we refer you to the documents Tumbleweed files from time to time with the Securities and Exchange Commission, particularly Tumbleweed's Form 10-K filed March 30, 2001 and Form 10-Q filed November 13, 2001. Tumbleweed assumes no obligation to update information contained in this press release.