Tell HN: Medvi (telehealth) hardcodes 999 patient emails in public JavaScript

Medvi is a telehealth pharmacy that has received significant media attention recently. While browsing their site with DevTools open, I noticed that their public JavaScript bundle contains a hardcoded list of 999 patient email addresses — along with each patient's enrollment date, active status, and whether a care manager has been assigned. This data is downloaded by every visitor's browser before any login occurs.

The list isn't a forgotten fixture. It's actively used: the app imports it, filters for active patients, and checks whether the logged-in user's email appears in the list to decide which UI features to display. Client-side feature flagging with real patient data baked into the bundle.

The same bundle also exposes a list of Season Health (Medvi's parent company) employee emails used to bypass checkout flows, and a separate list of Open Loop Health (their clinical provider) staff emails used to bypass intake form logic — both labeled as such in the source.

This is another great demonstration that relying only on large language models for product development is premature.

15 points | by g48ywsJk6w48 1 day ago
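The pattern the post describes, as an added example that is not Medvi's or Season Health's code: the client-side gate with the patient list in the bundle, the server-side alternative that returns only the current user's flags, and a pre-deploy check that fails when email addresses appear in the built bundle. The record shape, field names and the `session` object are assumptions.

```javascript
// Added example, not Medvi's code: the client-side gate the post describes,
// the server-side alternative, and a pre-deploy check for the built bundle.

// Constructed sample records (assumed shape). In the leaky design this array
// is imported by the front end and so ships in the public bundle.
const ENROLLED_PATIENTS = [
  { email: "a.patient@example.com", enrolledAt: "2024-03-01", active: true,  careManager: true },
  { email: "b.patient@example.com", enrolledAt: "2024-05-12", active: false, careManager: false },
  { email: "c.patient@example.com", enrolledAt: "2024-06-20", active: true,  careManager: false },
];

// LEAKY: the client answers "does this user get the feature?" by scanning a
// list it should never have. Every visitor downloads all records to answer
// one yes/no question about themselves.
function clientSideHasFeature(currentUserEmail) {
  return ENROLLED_PATIENTS.filter((p) => p.active)
    .some((p) => p.email === currentUserEmail);
}

// HARDENED: the list stays server-side. The server evaluates flags for the
// authenticated session and returns only booleans for that one user, so the
// bundle contains no patient data at all. `session` is assumed to come from
// the server's own auth layer, not from anything the client sent.
function serverEvaluateFlags(session) {
  const record = ENROLLED_PATIENTS.find((p) => p.email === session.email);
  return { careDashboard: Boolean(record && record.active) };
}

// Pre-deploy guard: scan the built bundle text for email-looking strings.
// Addresses that are legitimately public (support contacts, etc.) go on the
// allowlist; anything else returned here should fail the build.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
function findEmailsInBundle(bundleText, allowlist = []) {
  const lowered = allowlist.map((a) => a.toLowerCase());
  const found = new Set((bundleText.match(EMAIL_RE) || []).map((e) => e.toLowerCase()));
  return [...found].filter((e) => !lowered.includes(e));
}

// Constructed stand-in for a minified bundle that embeds the list above.
const SAMPLE_BUNDLE =
  'var P=[{email:"a.patient@example.com",active:!0},{email:"b.patient@example.com",active:!1}];' +
  'var SUPPORT="support@example.com";';

console.log(findEmailsInBundle(SAMPLE_BUNDLE, ["support@example.com"]));
```

Run the bundle check against the real build output (the `dist/` artifact) in CI rather than the source tree, since the leak is in what ships to the browser.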

5 comments

  • pants2 22 hours ago
    So did you disclose this responsibly? Posting about it publicly first is asking for that sensitive data to be leaked. Might as well hack and repost that PII yourself.
    • g48ywsJk6w48 21 hours ago
      This is not a data leakage. They deliberately included 999 of their customers' email addresses in publicly accessible JavaScript code in order to test certain features on them.
      • pants2 16 hours ago
        Certainly that wasn't intentional to broadcast to the public? Sounds like a textbook data leak.

        > A data leak is the unauthorized, often unintentional exposure of sensitive, confidential, or personal information to an external party, usually resulting from weak infrastructure, human error, or system errors.

  • shoo 1 day ago
    Are the patient emails real patients or could they be test accounts?
    • KomoD 23 hours ago
      The emails are definitely real, I checked a few and they appear in HIBP.
    • g48ywsJk6w48 1 day ago
      They look like real people's email addresses. I checked a few. They belong to real people.
  • thom-gtdp 22 hours ago
    How do you find such data leaks? Do you manually check all websites you visit?
    • g48ywsJk6w48 22 hours ago
      I was curious to know which service provider they use. So I went to look at the source code of their websites.
  • speedgoose 1 day ago
    Looks like you used a LLM to write your post, or am I wrong?
    • thom-gtdp 1 day ago
      Totally agree. Check the Wikipedia page "Signs of AI writing": found 2 of them in this post (overuse of em dash and negative parallelism). Also quickly checked Medvi, their JavaScript looks good...
      • g48ywsJk6w48 1 day ago
        Would you like me to show you specific JavaScript files right here?
        • thom-gtdp 1 day ago
          Yes please, I only checked the ones from the homepage, I probably missed some if the other pages include other scripts
          • g48ywsJk6w48 23 hours ago
            Just open app.medvi.org and search in DevTools for gmail/yahoo/icloud and you will see a JS bundle with emails.

            or seasonhealth/openloophealth to find another JS bundle with staff emails.

            • thom-gtdp 23 hours ago
              Mamma Mia, I see them! Crazy, 1018 customer mail addresses at first sight
              • g48ywsJk6w48 22 hours ago
                Yes, and it's a company that makes hundreds of millions of dollars a year.
    • g48ywsJk6w48 1 day ago
      Yes, LLM assisted.