Health Care and Social Assistance2024Generative AIMachine Learning (classification)B2B
Optum

Optum cuts security code-review time 60% with GitHub Copilot Autofix

Participating in the 2024 beta of GitHub's AI-powered Copilot Autofix, health services company Optum reduced time spent on security-related code reviews by 60% and lifted overall development productivity 25%, saving thousands of hours per month in the healthcare sector.

Security review time reduction60%
Developer productivity increase25%
Vulnerability fix speed (vs. manual)3 x faster
5 min read

Background

Optum operates in a heavily regulated environment where security vulnerabilities in software carry heightened risk. Its engineering teams needed to address the cost and slowness of manual security-related code review — a process that typically required specialized expertise and significant time per pull request.

What Was Implemented

  • Participation in the 2024 public beta of GitHub Copilot Autofix (March–July 2024), embedded within GitHub Advanced Security (GHAS)
  • Copilot Autofix scanned new pull requests for security vulnerabilities, generated natural-language explanations of each issue, and proposed code-level fixes
  • Fix suggestions (powered by CodeQL, GPT-4o, and GitHub Copilot APIs) appeared inline in the PR discussion thread; developers could accept, edit, or dismiss each suggestion with a single click
  • Changes were attributed to commit history, preserving accountability and transparency

Results

Optum reported a 60% reduction in time spent on security-related code reviews and a 25% increase in overall development productivity following adoption of Copilot Autofix. Kevin Cooper estimated the tool was "saving thousands of hours per month" that would otherwise be spent on remediation — though the precise monthly figure was not independently verified. Broader beta data from GitHub showed vulnerability remediation occurring more than three times faster than manual processes across all participating organizations.

Lessons

  • In regulated industries (healthcare, finance), AI-powered security tooling can reduce remediation burden while maintaining compliance rigor.
  • Embedding fix suggestions directly in the pull request workflow — rather than routing to a separate security portal — drives adoption by meeting developers where they already work.
  • Quantifying productivity gains (hours saved per month) alongside security outcomes strengthens the internal business case for AI security tooling.
  • Beta programs with production-adjacent workloads generate credible early evidence; Optum's participation yielded a publishable result within the 3-month window.

Ready to implement AI in your commerce operations?

McFadyen Digital helps teams move from case study to live implementation.

Talk to an expert →