Tumbleweed Secure Guardian Helps Healthcare Organizations Meet HIPAA Information Security Requirements

Tumbleweed Provides a Comprehensive Security Framework to Enable Safe Exchange of Confidential Patient Data Over Email and the Internet

REDWOOD CITY, CA - March 26, 2002 - Tumbleweed® Communications Corp. (Nasdaq:TMWD), a leading provider of secure content management solutions for enabling the business Internet, offers a comprehensive set of solutions to healthcare payers and providers to help them protect patient data and comply with the information security requirements under the Healthcare Information Portability and Accountability Act (HIPAA). Tumbleweed Secure Guardian offers an open-standards security framework for online communications so healthcare and insurance companies can safely move paper-based processes to the Internet and reduce costs. In addition, Secure Guardian empowers companies to implement security policies enterprise-wide so they can ensure that confidential patient health information is protected as it travels within and outside the organization electronically.

"By 2003, healthcare organizations will transition to 'virtual' care networks, involving a wide range of independent but interconnected individuals and enterprises," said Lauri Ingram, Senior Program Director Insurance Information Strategies at META Group. "These virtual care networks will use conduits such as the Internet for a seamless and secure interface for interacting with one another. Payers and providers need to focus on security compliance now, and begin investing in security-based architectures that will enable them to meet impending deadlines."

The HIPAA security regulations and compliance dates are imminent. Both the privacy and security regulations define the standards by which healthcare organizations secure data and systems through the use of policy and technology. According to a recent report from the META Group, by the end of 2002, 75% of healthcare payers and providers will not be positioned to meet the security compliance requirements. Tumbleweed is working with a number of leading healthcare companies today to help them examine ways in which the Internet can be leveraged as a business tool while they implement a comprehensive policy-based security framework that incorporates industry standards to protect patient data and privacy.

Current healthcare providers using Tumbleweed Secure Guardian solutions today include a number of Blue Cross Blue Shield providers such as Health Care Service Corporation's Blue Cross and Blue Shield of Illinois division. Other leading providers using Tumbleweed solutions include Catholic Healthcare West and WellStar Health Systems. In addition, many insurance companies, such as Travelers and Mutual of Omaha, chose Tumbleweed solutions to protect their network environment, facilitate online business processes and implement content security for Internet-based communications.

Government entities, such as the U.S. Food & Drug Administration (FDA), are using Tumbleweed solutions to leverage the Internet and email for various business processes. The FDA's Center for Drug Evaluation and Research uses Tumbleweed solutions to create a secure email network with pharmaceutical companies for safe exchange of documents during the clinical drug trial process. This process was formerly either a paper-intensive process or could only be done over a proprietary network. "It is critical that healthcare companies take a holistic view of the organization and consider their business needs as they examine their extended network to determine where security gaps exist related to HIPAA requirements," said Michele Wrath, VP of Product Marketing at Tumbleweed Communications. "Our customers are turning to us to understand how they can use the power of the Internet and email to improve and streamline their business processes and communicate online with customers. Security is a critical necessity to not only ensure that regulations are met, but to provide optimal performance of systems and build customer trust."

Tumbleweed has a new white paper available that outlines the information security policy and technology guidelines under HIPAA. It discusses important considerations for both business and technology groups within healthcare and insurance organizations. Please visit our website at our health care section to request a copy of this paper.

About Tumbleweed
Tumbleweed is a leading provider of solutions for managing secure communication and collaboration to enable the business Internet. Tumbleweed's robust policy-based framework empowers organizations to safely share and protect critical information, increase customer loyalty and privacy and dramatically reduce costs. Tumbleweed is trusted by 1,000 blue-chip customers including American Express, Chevron, Datek Online, the European Union's Joint Research Council, First Union Wachovia, John Deere, Merrill Lynch, Nike, Northern Trust, NTT, Salomon Smith Barney, Travelers and US Food and Drug Administration. One hundred of the Fortune 500 are Tumbleweed customers. Tumbleweed Communications was founded in 1993 and is headquartered in Redwood City, Calif., with offices around the world.

Except for the historical information contained herein, the matters discussed in this press release may constitute forward-looking statements that involve risks and uncertainties that could cause actual results to differ materially from those projected, particularly with respect to Tumbleweed's customers, products, and future offerings. In some cases, forward-looking statements can be identified by terminology such as "may," "will," "should," "potential," "continue," "expects," "anticipates," "intends," "plans," "believes," "estimates," and similar expressions. For further cautions about the risks of investing in Tumbleweed, we refer you to the documents Tumbleweed files from time to time with the Securities and Exchange Commission, particularly Tumbleweed's Form 10-K filed March 30, 2002 and Form 10-Q filed May 14, 2002. Tumbleweed assumes no obligation to update information contained in this press release.