Sublime has completely changed how we approach email security. We’ve seen fewer false positives, faster detection of sophisticated phishing attempts, and greater transparency and control than before. It feels less like managing another security tool and more like having an intelligent extension of our SOC.

Coronis Health
Coronis Health
Izhar Mujaddidi
CISO
Region
Americas
Industry
Healthcare
Protected Mailboxes
Size
Email Provider

Overview

Coronis Health is a leading revenue cycle management company serving healthcare providers across the United States. With nearly 10,000 employees across the U.S., India, and the Philippines, the organization handles high volumes of patient data, billing information, insurance claims, and financial communications every day.

Supporting that operation is a complex network of communications connecting employees, providers, insurers, patients, and third-party partners. As a HIPAA business associate processing PHI on behalf of healthcare providers, Coronis Health views email as one of its largest attack surfaces. An email-borne breach could carry significant legal, financial, and reputational consequences.

As phishing, business email compromise (BEC), and AI-generated social engineering campaigns became more sophisticated, the organization needed email protection that could keep pace.

When email became a top security priority

When Izhar Mujaddidi joined Coronis Health as CISO, he began by assessing the organization’s attack surface, existing controls, and where the security team was spending its time. That assessment quickly identified email as one of the organization’s highest-priority opportunities for reducing risk.

For an organization responsible for protecting patient, financial, and insurance data, as well as Personal Health Information (PHI), the stakes were high. The threat landscape was also changing fast. As Mujaddidi explains, “with the advent of AI, deepfakes, and increasingly sophisticated attacks, we can’t rely on traditional email protection mechanisms anymore.”

The security team was also spending significant time investigating suspicious email activity. Coronis Health needed a way to strengthen email defenses while allowing analysts to focus on higher-value security work.

Finding a more effective approach to email protection

As Coronis Health evaluated options, the team focused on three priorities: stronger protection, transparent detection logic, and minimal day-to-day involvement.

The goal was straightforward: reduce email risk. “We can educate people as much as we can, but we also have to provide the technology that protects those users.”

During the proof of concept, Sublime quickly identified sophisticated attacks that had previously gone undetected, helping expose gaps in coverage that existing controls had missed.

“We had a lot of tools,” Mujaddidi explained, “but they weren’t actually filling the gap we needed.”

Operational fit mattered just as much. With a lean security team, Coronis Health needed stronger protection without adding overhead. In practice, Mujaddidi says Sublime operates almost like a managed service.

Together, those capabilities helped Coronis Health build a business case centered on improved security outcomes and modernization.

Reducing workload while improving protection

Following a successful proof of concept, Coronis Health moved quickly into production.

Implementation was straightforward, and the team was fully operational within one week. A primary analyst was trained to oversee the platform, while automated workflows and ASA (Autonomous Security Analyst) streamlined investigation and response processes.

Before deploying Sublime, investigating suspicious email often required hours of work from analysts and infrastructure teams to trace threats, identify affected users, and determine whether incidents had spread across the environment. 

Today, with investigation and response largely automated, Coronis Health spends roughly one-tenth of the time investigating email threats, reducing investigation effort by approximately 90%.

Just as importantly, Coronis Health also saw a measurable reduction in false positives, allowing analysts to focus on meaningful threats rather than benign activity. The team gained greater visibility into why messages were flagged, helping analysts investigate threats more efficiently. 

Those improvements translated into stronger real-world outcomes. Coronis Health now blocks an average of 10 business email compromise attempts each month and has experienced zero successful BEC incidents over the past 16 months, giving the team greater confidence in its email defenses.

Staying ahead of evolving threats

As attackers continue to evolve their tactics, Coronis Health values defenses that can keep pace.

One recent example reinforced that need. Coronis Health’s legacy secure email gateway missed an AI-generated spear phishing campaign that used grammatically flawless language, referenced real internal project names gathered from public sources, and spoofed trusted identities.

Sublime identified every message within seconds of entering the environment, correlating signals across the campaign before any employee could interact with the messages. During Coronis Health’s first 90 days with Sublime, the platform blocked more than 1,800 threats that Mujaddidi says would have reached users’ inboxes with the organization’s previous solution.

For Mujaddidi, the incident reinforced why adaptability matters. As attacker tactics evolve, email defenses have to evolve with them.

Built for the future

Looking ahead, Coronis Health remains focused on protecting sensitive data while continuing to strengthen its security program. 

For Mujaddidi, the value of Sublime comes from its combination of transparency, strong protection, and reduced investigation effort.

The investment has delivered exactly what he set out to accomplish: reducing risk across one of the organization’s largest attack surfaces, giving the team greater confidence in its email defenses, and allowing a lean security team to stay focused on the work that matters most.

Have any questions or want a custom demo?
Get a demo