Ellie Mental Health


Unmasking Shadow IT

Ellie Mental Health discovers Shadow IT across 100s of franchises

Ellie Mental Health is a leading provider of mental healthcare across the United States. Their mission is to compassionately transform the culture of mental health care by providing creative solutions that make wellness accessible in every community. Founded in 2015 as a behavioral health company operating in Minnesota, the company later created Ellie as a franchise model across the U.S. and expanded its offering rapidly over the years, recently featuring in Inc.’s 2023 list of the 5000 fastest-growing companies.

The Challenge

Ellie operates in the healthcare industry, so its franchisees handle PHI and are subject to HIPAA regulations. Because Ellie operates a franchise model, managing IT centrally is challenging. With a distributed workforce and multiple mini-businesses operating within Ellie, it was critical to gain central visibility into SaaS application adoption.

The Solution

With Ploy, Ellie is able to gain complete visibility into all SaaS applications that employees and franchisees are signing up to, whether through social login, SSO or email + password creation. Ploy is able to automatically triage riskier applications that might result in compliance risks, oversharing of sensitive data or third-party supply chain breaches.

Part 1: Ensuring visibility for secure and compliant growth

Nick Milligan, Director of Information Technology at Ellie Mental Health, was particularly concerned about Shadow IT and employees adopting SaaS. Over the past 20 years the cost of developing SaaS has fallen dramatically, and as a result a plethora of applications are now available to employees. With many vendors operating freemium or “14 day free trial” go-to-market models, it has become easier than ever for employees to adopt SaaS without the IT team’s knowledge. It became critical for Nick to understand immediately when employees were signing up to applications and what those applications were being used for.

“Technology is everywhere. Cloud-based applications are abundant. By offloading the on-premise risk, we introduce a new set of risks associated with SaaS apps. Having Ploy has helped me sleep better at night knowing that there are multiple sets of eyes guarding our SaaS apps.”

Nick Milligan
Director of IT

Part 2: Triaging supply chain risks quickly at scale

Shawn Fredrickson, VP of Information Technology, knew that automation and triaging of risks were going to be important in any Shadow IT detection solution. Ploy is able to triage the highest-risk application sign-ups by considering variables like:

  • Account creation mechanism (SSO vs email + pwd)
  • Category of SaaS
  • Types of data typically shared
  • OAuth access grants

Ploy can then be configured to automatically alert IT teams when these risks occur, so they can be investigated immediately. Alternatively, workflows can be configured to automatically ask employees questions via MS Teams or Slack to ascertain more information about the usage, data shared and reasons for signup.

“Ellie Mental Health has had over 300% headcount growth in the past 2 years. Having Ploy enables my team to identify our riskiest SaaS applications seconds after the risk has been identified. This level of visibility, automation and scalability is critical in ensuring we scale securely and continue to protect our customers.”

Shawn Fredrickson
VP of Information Technology

Part 3: Identification of unused accounts

SaaS accounts can become stale and unused very quickly, which worried Nick. If an employee has created Shadow IT and then leaves the business, IT cannot know that the account exists without a tool like Ploy to identify it. With Ploy, Nick had complete peace of mind when offboarding employees: he could see an extensive list of the accounts created and their authentication methods to ensure secure offboarding.

Additionally, Ploy is able to automatically revoke OAuth token access to applications. If an employee has not logged into an application for 90 days (for example), Ploy is able to sever the access so that the application no longer has access to potentially sensitive data. Operating an automated security risk reduction model whilst scaling rapidly was critical for Nick and the Ellie team.
