90 incidents on record · 2026 Headlights Incident reports by Ellie Harris · Melbourne
10 new this week Library last updated 13 July 2026
← The incident library
HD-INC-064
Healthcare · United States · 2023 · Automated decision without human review

Cigna's 'PxDx' let its doctors reject 300,000 claims in two months, about 1.2 seconds each, without opening the file

By Ellie Harris · Filed System in use for years; ProPublica report March 2023 (2022 data)

Alleged: The Cigna Group (Cigna Healthcare) developed or deployed the AI system implicated in this incident. Details are drawn from public reports; parties are presumed innocent of any wrongdoing not established by an official finding.

What happened

Cigna’s PxDx system (short for “procedure-to-diagnosis”) flagged claims where a patient’s diagnosis did not match the tests or procedures the company considered appropriate. ProPublica reported in March 2023 that, over a two-month period in 2022, Cigna denied about 300,000 requests for payment through the system, spending an average of 1.2 seconds on each. According to the same investigation, former Cigna doctors described signing off denials in bulk with an electronic signature, and one physician’s signature was reported to have rejected roughly 60,000 claims in a single month, without the individual patient files being opened.

The significance is legal as well as clinical: laws in California and other states require an individual physician review before a claim is denied. The lawsuits that followed allege that PxDx let Cigna reject payments “in batches of hundreds or thousands at a time,” bypassing that review. Cigna disputed the framing, telling reporters that PxDx was “a simple tool to accelerate physician payments” that had been “grossly mischaracterized in the press.”

What an auditable version would have shown

The question a denied patient, or a regulator, asks is whether a qualified person actually reviewed this specific claim, and on what basis. An auditable version records, per denial, whether a human reviewed the file, for how long, what was examined, and the reason for the decision, signed at the moment it was made. A denial that reportedly took 1.2 seconds and opened no record would then be visible as exactly that, individually and in aggregate across hundreds of thousands of decisions, rather than hidden inside a single batch signature.

Where the gap was

The gap was a human signature standing in for a human review that, as alleged, did not occur. A signature is only as good as the process behind it, and here the process was a batch action. A ConductRecord binds each decision to what actually happened: reviewed or not, by whom, for how long, on what evidence, so a signature cannot certify a review that never took place. A MetricRecord computed over those signed records gives a regulator a verifiable view of review times and denial rates across the whole population, the number that turns “individual review” from an assertion into something checkable.

What governance should have looked like

If the law requires an individual review before a denial, the system has to be able to prove one happened, not assert it by applying a signature to thousands of files at once. Record the review, or its absence, for every decision, and let the aggregate be audited. A tool that accelerates payment is unobjectionable; a tool that accelerates denial past the point of review, and cannot show whether any review occurred, is the failure. The record is what separates the two.

The reference implementation of ConductRecord and MetricRecord is open source. It lives at github.com/saffronandindia/headlights-oss, Apache 2.0 licensed and free to install. The repository is public now.

Sources

The mailing list

Fresh incident reports every week. One email to match.

We add new incidents to the library regularly, and send a single short email each week with what's new. The library stays free and open; this is just how you keep up with it.

No tracking. Unsubscribe in one click.

The record

An auditable system would have produced a signed, tamper-evident record the moment this happened: what the system did, the version that did it, the basis it acted on, and the action taken, and The Cigna Group (Cigna Healthcare) could have produced it on demand.

This is the record the system as deployed did not produce in a signed, auditable form.

What this teaches
Capture what happened when it happens
What the system did, the version that did it, the basis it acted on, and the action taken, recorded at the moment, not reconstructed after.
Sign it, so no one has to trust the record-keeper
A tamper-evident entry. Edit it later and the signature breaks. The record does not ask for the benefit of the doubt.
Make it verifiable by anyone
A court, a regulator, a customer's lawyer can check the record themselves, without taking the company, or us, at our word.

Headlights summarises publicly reported AI incidents. All summaries are independently written, attributed to their original sources, and intended for research and educational purposes. Allegations are identified as such until established through official findings.

Last reviewed June 2026. This report is based on the sources listed above and reflects information available at the time of review; later developments may not be captured. Where a person is described as charged with or alleged to have done something, that allegation is unproven unless a conviction or a court or regulatory finding is stated. Headlights publishes journalism and commentary, not legal advice.

Want to write back?

Direct to my inbox.

ellie@useheadlights.com →