An internal AI chatbot developed for Optum employees was inadvertently left publicly accessible online, allowing unrestricted access via a web browser, TechCrunch reported Dec. 13.
The SOP Chatbot, a demo tool that Optum employees had been using since September, was designed to help employees navigate the company's standard operating procedures. Although it was not used in real-world scenarios and contained no protected health information, the chatbot allowed employees to ask questions about handling patient health insurance claims and disputes in accordance with company guidelines.
For example, the chatbot was trained on Optum's internal documents about handling claims and reimbursements. According to TechCrunch, while these documents were securely stored within UnitedHealthcare's corporate network and required employee login for access, the chatbot could still reference and cite them when responding to related queries.
The chatbot was hosted on an internal Optum domain and was not directly accessible through its web address. However, its IP address was publicly exposed, allowing unrestricted internet access without requiring a password.
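The exposure described above turns on a common misconception: a service that is only "supposed" to be reached through an internal hostname is not protected unless authentication is enforced on every path to it, including its raw IP address. The following is an added example (it is not code from the article, from Optum, or from the chatbot itself) of a request gate that denies a request unless both the Host header matches the intended hostname and credentials verify. The hostname `sop-chatbot.internal.example`, the demo account and the example IP are constructed placeholders.

```python
"""
Added example: gate requests so that arriving via the bare IP (or any other
name) is rejected, and authentication is required regardless of how the
request arrived. All names and credentials below are constructed placeholders.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed: the only hostname the app should ever be served under.
EXPECTED_HOSTS = {"sop-chatbot.internal.example"}

# Constructed demo account. A real deployment would defer to SSO / an IdP;
# the point here is only that the check happens on every request path.
_SALT = os.urandom(16)
_USER_DB = {
    "demo-user": hashlib.pbkdf2_hmac("sha256", b"demo-password", _SALT, 100_000),
}


def check_request(host_header: str,
                  username: Optional[str],
                  password: Optional[str]) -> Tuple[int, str]:
    """Return (HTTP status, reason) for a simulated incoming request.

    Deny unless BOTH conditions hold:
      1. the request was addressed to the expected hostname, and
      2. the caller presented valid credentials.
    """
    # 1. Host check: a request sent to the raw IP carries the IP (or nothing
    #    meaningful) in its Host header, so it never matches and is refused.
    #    This is what a default/catch-all vhost should do instead of serving
    #    the application.
    if host_header not in EXPECTED_HOSTS:
        return 421, "misdirected: request did not arrive via the expected hostname"

    # 2. Authentication is enforced even when the hostname is right; the
    #    hostname is routing, not access control.
    if username is None or password is None:
        return 401, "authentication required"
    stored = _USER_DB.get(username)
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    # Constant-time comparison; also runs when the user is unknown so the
    # timing does not reveal which usernames exist.
    if stored is None or not hmac.compare_digest(stored, supplied):
        return 401, "invalid credentials"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed scenarios mirroring the article: reached by IP with no
    # password, reached by hostname with no password, and a proper login.
    for host, user, pw in [
        ("203.0.113.10", None, None),
        ("sop-chatbot.internal.example", None, None),
        ("sop-chatbot.internal.example", "demo-user", "demo-password"),
    ]:
        print(host, user, check_request(host, user, pw))
```

The first scenario is the one the article describes: a request to the bare IP address with no password. With this gate it is refused at the hostname check, and even a request that does use the right hostname is still refused until it authenticates, so neither an internal DNS name nor network placement is doing the job of access control.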
"The 'Optum SOP' chatbot was a demo tool developed as a potential proof of concept. It was never put into production and the site is no longer accessible," an Optum spokesperson told Becker's in a written statement. "The demo was intended to test how the tool responds to questions on a small sample set of SOP documents. No PHI was used in the bot or in the training of the bot. This tool does not and would never make any decisions, but only enable better access to existing SOPs. In short, this technology was never scaled nor used in any real way."
It remains unclear how long the chatbot was publicly accessible online.