This case study of a healthcare provider defending its concurrent user compliance position shows how an inflated Citrix audit claim collapsed once the buyer measured what concurrent licensing actually means. It is an anonymised composite built from real engagements. The organisation is described by sector, region, and approximate scale only, with no named client or confidential detail disclosed.


Situation

The client was a multi-site healthcare provider running Citrix to deliver clinical applications across hospitals and outpatient sites. The estate was licensed on a concurrent user model, chosen years earlier precisely because clinical work is shift-based and the same workstation serves different staff across a day. Roughly 9,000 named accounts existed across the organisation, but at any single moment only a fraction were in active sessions. With perpetual licensing eliminated in October 2022 and the estate on subscription, the provider had recently been asked to verify its compliance position, and the vendor's review arrived framed as a routine confirmation rather than the audit it effectively was.

Challenge

The compliance claim counted total provisioned accounts as though every one represented a license in use at the same time. That approach ignored the defining feature of a concurrent user license, which is consumed by a simultaneous session rather than by a named individual. By counting accounts instead of peak concurrency, the audit overstated the licensed requirement dramatically and produced an exposure figure in the millions. The internal team faced two pressures. They had never measured true peak concurrency, so they could not immediately rebut the count, and the claim carried the implied urgency that healthcare organisations feel acutely, because any suggestion of a compliance gap touching clinical systems demands fast resolution.

The audit was not counting concurrent users. It was counting accounts and calling them users.

Approach

We took over the response and ran the defense on the contract definitions and the provider's own data. The work moved on three tracks over roughly three months.

1. Control the disclosure

We became the single point of contact for the auditor, so the provider's technical staff stopped volunteering raw account exports that would have reinforced the inflated count. Every data request was scoped to what the contract actually required, and nothing more.

2. Measure real concurrency

We baselined actual peak simultaneous sessions from the provider's own session records across a full quarter, capturing seasonal and shift-driven peaks. The true peak concurrency sat far below the 9,000-account total, because the shift pattern meant the same licenses cycled through different clinicians across the day.

3. Hold the auditor to the definition

We mapped the measured peak against the contractual definition of a concurrent user and required the auditor to justify any count that departed from it. Once the definition was applied to the evidence, the basis for the inflated claim disappeared.
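The difference between the two counts in tracks 2 and 3 can be shown with a sweep over session start and end events. This is an added example, not code from the engagement: the record layout, account names and timestamps are constructed, and treating a logoff and a logon at the same timestamp as a handover (one session, not two) is an assumption that must be checked against the contract's own definition.

```python
from datetime import datetime

# Constructed sample session records: (account, session_start, session_end).
# Layout and values are assumptions for illustration, not a Citrix export format.
SESSIONS = [
    ("nurse.a",  "2024-03-04 07:00", "2024-03-04 15:00"),
    ("nurse.b",  "2024-03-04 07:05", "2024-03-04 15:00"),
    ("doctor.c", "2024-03-04 08:30", "2024-03-04 12:00"),
    ("nurse.d",  "2024-03-04 15:00", "2024-03-04 23:00"),  # takes over at shift change
    ("nurse.e",  "2024-03-04 15:00", "2024-03-04 23:00"),
    ("doctor.f", "2024-03-04 22:30", "2024-03-05 06:30"),  # night shift crosses midnight
    ("nurse.a",  "2024-03-05 07:00", "2024-03-05 15:00"),  # same account, next day
]

FMT = "%Y-%m-%d %H:%M"

def peak_concurrency(sessions):
    """Return (peak simultaneous sessions, time the peak was first reached)."""
    events = []
    for _account, start, end in sessions:
        s, e = datetime.strptime(start, FMT), datetime.strptime(end, FMT)
        if e <= s:
            raise ValueError(f"session ends before it starts: {start} -> {end}")
        events.append((s, +1))
        events.append((e, -1))
    # Sort by time; at equal timestamps process logoffs (-1) before logons (+1)
    # so a handover at shift change is not counted as two simultaneous sessions.
    events.sort(key=lambda ev: (ev[0], ev[1]))
    active = peak = 0
    peak_at = None
    for when, delta in events:
        active += delta
        if active > peak:
            peak, peak_at = active, when
    return peak, peak_at

def distinct_accounts(sessions):
    """The account-based count the audit in the case study used."""
    return len({account for account, _s, _e in sessions})

if __name__ == "__main__":
    peak, when = peak_concurrency(SESSIONS)
    print(f"distinct accounts: {distinct_accounts(SESSIONS)}")
    print(f"peak concurrent sessions: {peak} at {when}")
```

On the constructed data the account-based count is double the measured peak, and the timestamp of the peak gives the auditor a specific moment to verify against the raw records.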

Outcome

The compliance claim was withdrawn and resettled against measured peak concurrency, reducing the asserted exposure by the large majority of its original value. The provider was confirmed compliant on its existing concurrent user position, with only a modest true-up for a genuine gap that the accurate measurement surfaced. We also secured tighter audit language for the next term, defining the measurement method and notice period so a future review could not repeat the same account-based overcount. The engagement fee was a small fraction of the avoided exposure, and the provider closed the audit without disruption to a single clinical workflow.

Lessons for buyers

First, a concurrent user license is consumed by simultaneous sessions, not by named accounts, and an audit that counts accounts is overstating your position by design. Measure real peak concurrency before you respond. Second, control the disclosure, because raw account data handed over without scoping becomes the evidence used against you. Third, hold the auditor to the contract definitions rather than accepting the count as presented. Finally, use the moment to fix the audit clause for the future, so the next review starts from an agreed measurement method. For the full method, see our Citrix audit defense service, and the related guidance across the Citrix audits guide.

Frequently asked questions

Is this case study based on a real client?

It is an anonymised composite drawn from real engagements. The sector, scale, and outcome reflect audits we defend, but no named client, logo, or confidential detail is disclosed.

How did the healthcare provider defend its concurrent user compliance?

By measuring actual peak concurrency from its own session data and mapping it against the contractual definition of a concurrent user. The audit had counted named accounts rather than simultaneous sessions, which overstated the position substantially.

Why was the Citrix audit claim so high?

The audit counted total provisioned accounts as if all were active at once, ignoring that a concurrent user license is consumed only by simultaneous sessions. In a shift-based clinical environment, peak concurrency was far below the account total.

What is a concurrent user license in Citrix terms?

A concurrent user license is consumed by an active session at a point in time, not by a named individual. The same license can serve different staff across shifts, so the relevant count is peak simultaneous use, not the number of accounts.

What can other buyers learn from this case study?

Measure real concurrency before responding to an audit, hold the auditor to the contract definitions, and control the data you disclose. A compliance claim is an opening position, and session evidence is what shrinks it.