NewsLab
Apr 28 20:37 UTC

Tell HN: Medvi (telehealth) hardcodes 999 patient emails in public JavaScript (news.ycombinator.com)

16 points|by g48ywsJk6w48||16 comments|Read full story on news.ycombinator.com
Medvi is a telehealth pharmacy that has received significant media attention recently. While browsing their site with DevTools open, I noticed that their public JavaScript bundle contains a hardcoded list of 999 patient email addresses — along with each patient's enrollment date, active status, and whether a care manager has been assigned. This data is downloaded by every visitor's browser before any login occurs.

The list isn't a forgotten fixture. It's actively used: the app imports it, filters for active patients, and checks whether the logged-in user's email appears in the list to decide which UI features to display. Client-side feature flagging with real patient data baked into the bundle.

The same bundle also exposes a list of Season Health (Medvi's parent company) employee emails used to bypass checkout flows, and a separate list of Open Loop Health (their clinical provider) staff emails used to bypass intake form logic — both labeled as such in the source.

This is another great demonstration that relying only on large language models for product development is premature.

Comments (16)

16 shown
  1. 1. speedgoose||context
    Looks like you used a LLM to write your post, or am I wrong?
  2. 2. thom-gtdp||context
    Totally agree Check the Wikipedia page "Signs of AI writing", found 2 of them in this post (overuse of em dash and negative parallelism) Also quickly checked Medvi, their JavaScript looks good...
  3. 3. g48ywsJk6w48||context
    Would you like me to show you specific JavaScript files right here?
  4. 4. thom-gtdp||context
    Yes please, I only checked the ones from homepage, I probably missed some if the other pages includes other scripts
  5. 5. g48ywsJk6w48||context
    Just open app.medvi.org and search in DevTools gmail/yahoo/icloud and you will see js bundle with emails.

    or seasonhealth/openloophealth to find another js bundle with staff emails.

  6. 6. thom-gtdp||context
    Mamma Mia I see them! Crazy 1018 customer mails addresses at first sight
  7. 7. g48ywsJk6w48||context
    Yes, and it's a company that makes hundreds of millions of dollars a year.
  8. 8. g48ywsJk6w48||context
    Yes, LLM assisted.
  9. 9. shoo||context
    Are the patient emails real patients or could they be test accounts?
  10. 10. g48ywsJk6w48||context
    They look like real people's email addresses. I checked a few. They belong to real people.
  11. 11. KomoD||context
    The emails are definitely real, I checked a few and they appear in HIBP.
  12. 12. pants2||context
    So did you disclose this responsibly? Posting about it publicly first is asking for that sensitive data to be leaked. Might as well hack and repost that PII yourself.
  13. 13. g48ywsJk6w48||context
    This is not a data leakage. They deliberately included 999 of their customers' email addresses in publicly accessible JavaScript code in order to test certain features on them.
  14. 14. pants2||context
    Certainly that wasn't intentional to broadcast to the public? Sounds like a textbook data leak.

    > A data leak is the unauthorized, often unintentional exposure of sensitive, confidential, or personal information to an external party, usually resulting from weak infrastructure, human error, or system errors.

  15. 15. thom-gtdp||context
    How do you find such data leaks? Do you manually check all websites you visit?
  16. 16. g48ywsJk6w48||context
    I was curious to know which service provider they use. So I went to look at the source code of their websites.