From Tick-Box Training to a Program People Ask to Join

RelateCare is a healthcare technology company specializing in patient engagement and telehealth solutions, with teams serving healthcare organizations in the US, UK, and Ireland. Its services include virtual care management, appointment scheduling, and remote patient monitoring.

A large share of RelateCare’s workforce sits on the frontline of patient interactions, with roughly 70% of staff in patient-facing roles and 30% in support functions.

Because RelateCare handles patient health information across US and European markets, the business operates against two distinct regulatory regimes: HIPAA and PHI handling for the US-facing workforce, and GDPR for the UK and Ireland teams.

Before OutThink, RelateCare ran security training through a general-purpose LMS that was never built for security. The team uploaded their own PowerPoint content and ran it through the platform. “It was a very manual platform. Everything we showed was just our own generated content. It was all quite generic, not really tailored at all from a security point of view,” said Compliance Officer Joe Gallagher. Phishing simulations had only been introduced six or seven months earlier, run through the native phishing tool that came with the company’s email security suite. The two halves of the program sat in separate places.

The headline metrics were familiar: 90% completion across the workforce, 80% pass rate on the end-of-training assessment. The numbers satisfied external ISO auditors and showed up in quarterly exec reviews, but they weren’t generating the kind of analysis or follow-up the team needed. “The engagement would have been more of a tick-box exercise, certainly how it felt amongst the employee population,” Joe said. “There wasn’t really any analytics of the data, no follow-up on lessons learned.”

Risk visibility was equally thin. Asked who the highest-risk people in the organization were, the team’s answer was a role-based one, defined by access to sensitive data rather than by anything the program itself had observed. Repeat clickers from phishing simulations could be identified, but the visibility and feedback around them was limited.

The push to move came after a significant incident a couple of years ago. It led to a head-to-toe assessment of RelateCare’s operations and security posture, and awareness and training were identified as a weak point. That assessment prompted the review of RelateCare’s human risk management approach that ultimately led to OutThink.

What changed first was how training reached people. Instead of a single set of generic modules pushed at everyone on the same schedule, RelateCare started running content adapted to specific audiences, including the executive and senior leadership group, whose engagement with frontline-shaped training had historically been weak. “There are modules specifically for the executive suite that highlight their responsibilities for risk. That’s been a definite benefit,” Joe said.

The tailoring also tracks the regulatory reality of who’s serving whom. RelateCare’s US-facing agents handle PHI under HIPAA; the UK and Ireland teams operate under GDPR. The platform now distinguishes between the two and delivers each group the regulation that actually applies to their day-to-day. “We can specifically tailor the training so the American-facing agents have HIPAA training, whereas the UK Irish team would have more GDPR training. That’s another massive benefit, building the course out from the country,” Joe said.

The team also began using past incidents as raw material. After a series of finance-team spoofing attempts, RelateCare built phishing scenarios that replicated those real attacks and delivered them to the finance team specifically. When the quality team subsequently asked to be enrolled in additional phishing campaigns, it was the first time in Joe’s five years at the company that a department had voluntarily requested security training.

The way correction lands has changed too. When a user clicks a simulated phish, they’re enrolled into follow-up training while the context is fresh. “They’re completing training in real time where the context is still really fresh in their head. We’ve found that really helpful,” Joe said. Early on, the reaction from some employees was that simulations felt like an attempt to catch them out. That has shifted as the program has matured and people have come to read the simulations as a way to coach, not a way to trap.

The reporting picture has changed alongside this. In RelateCare’s first campaign with OutThink, 8% of users clicked the simulated phish and 17% reported it. In the latest campaign, the click rate has fallen to 1% and the reporting rate has climbed to 34%. Credential submission, where users actually surrendered information to the simulated attacker, has dropped from 2% to 1%. “When we first started issuing the simulations, it was very minimal, the amount of people opening it versus those reporting it. We’ve seen the reporting rate increase quite substantially in subsequent simulations,” Joe said.

For repeat clickers, the program now distinguishes between will and skill. Some users get coaching when feedback indicates a confidence issue; others get reinforcement on the specific procedure they’re missing. RelateCare has also formalized a disciplinary pathway for the rare case where repeated intervention doesn’t change behavior, a route the team can now take when residual risk would otherwise sit unaddressed.

Reaching a workforce that’s roughly 70% frontline and largely remote was always going to take more than email. The integration with Microsoft Teams, and OutThink’s Eva AI assistant in particular, has been one of the most practical changes for RelateCare’s day-to-day.

The shift has also given the exec team a more meaningful view. Where the program used to report two completion numbers up the chain, it now surfaces dashboards and AI-generated overviews of free-text feedback from across the workforce, a substantively different conversation about human risk than two KPIs allow.

There’s also been a cultural shift. From the initial assessment onward, the team picked up on something about how people at RelateCare were thinking about security.