Healthcare giant Optum has restricted access to an internal AI chatbot used by employees after a security researcher found it was publicly accessible online, and anyone could access it using only a web browser.
https://techcrunch.com/2024/12/13/unitedhealthcares-optum-left-an-ai-chatbot-used-by-employees-to-ask-questions-about-claims-exposed-to-the-internet/
This has been a problem for years.
Closing the gap on external//interna misconfiguration requires cooperation and the EIS & IT org leaders would rather fingerpoint than fix. The effort to close this was one of the victims of the 2024 layoffs because closing it wasn't going to get the CISO's attention so the VPs didn't want to work on it. Just rather wait for it to blow up somewhere and see other people look bad.
Could it be that the new CISO we reorg. There are some great leaders in the CISO org, there are some terrible charlatans too.. those brought in under Amy need to get fired!!!!
Not surprised at all...same players same problem. What is Gretchen Blocks team of GRC people really doing? This one is hard to mention, Allison Miller fly low and don't accept or become involved in the 'CISO of the Year' recognitions when there are multiple hacks going on. What is going on with all the segment CISOs? Change control anyone?
Tim McKnight please make everyone accountable to stop the constant fumbles that are avoidable.
There are really knowledgeable people still around, this sort of thing just shouldn't keep happening.
If Optum suffers another security fail the technical security leadership need to resign. Optum has very talented security people.. but people have left, Robert the CISO left and the hot seat was handled to an inexperienced leader.. maybe Optum needs to go back to basics?
Maybe the head of security engineering should stop having inappropriate employees sessions and work on securing the enterprise. Instead I hear he’s more interested in dipping his wick to feed his ego? We all know who this leader is, so do the folks who made official complaints about him.
I hope they promoted the leaders responsible for that site just like they did the folks who implemented the Pharmacy Prior Auth AI tool.
It’s been security theater at Optum Tech for the past 2 years. Focusing on things that can’t be exploited while leaving the front door wide open. It’s literally insane what we have seen.
Class action suit needed for the stock issue and insider trading.
Looks like the Optum application and information security teams FAILED. All of those processes and paperwork didn't plug this hole, did it?
Plus someone at UHG got super rich. Kudos to the nurse who had time between her heavy metrics to actually figure out we were all being ripped off on our 401 k’s . I hope she puts that on her map. How I grew at UHG and exposed the millions that were lost to hard working employees cause the CFO wanted to keep being friends with Wells Fargo. We the employees lost money and if this person hadn’t done the research we would have lost a lot more . A big thank you.
Optum IT is a shining example of what happens when charlatans and nepotism hold the reins—leaders with no discernible experience in IT or leadership, yet somehow experts at failure. It’s almost impressive, really—mediocrity executed with such consistency that it begins to look intentional.
Since this is a layoff site, US layoffs are coming in January - February 2025. Be prepared for those who are left.
100x
So glad all of Optum's IT was outsourced to cheap foreign labor! What a bargain!