[sixhobbits]

yeah keeping it vague makes sense to protect the place if it's still online but the whole thing doesn't really make sense?

The timelines mentioned are weird - he spoke to them before they built it? Or after? It's not that clear, he mentions they mentioned watching a video.

> The entire application was a single HTML file with all JavaScript, CSS, and structure written inline.

This is not my experience of how agents tend to build at all. I often _ask_ them to do that, but their tendency is to use a lot of files and structure

> They even added a feature to record conversations during appointments

So they have the front-desk laptop in the doctor's room? Or they were recording conversations anyway and now they for feed them into the system afterwards?

> All "access control" logic lived in the JavaScript on the client side, meaning the data was literally one curl command away from anyone who looked.

Also definitely not the normal way an agent would build something - security flaws yes, but this sounds more like someone who just learnt coding or the most upvoted post of all time on r/programmerhorror, not really AI.

Overall I'm skeptical of the claims made in this article until I see stronger evidence (not that I'm supporting using slop for a medical system in general).

[mewpmewp2]

I don't know what to make of the article. First I thought it seems like a made up LinkedIn story, it seems too crazy while talking about it in such a casual manner. Ultimately I don't know, maybe it was vague for a specific reason. I guess one thing I'd find odd is that whoever developed it, that they didn't run and get stuck with CORS issues, if everything was done client side to those services and that they managed to get API keys, subscription stuff everywhere while still making mistakes like this. And no mention of leaked api keys and creds which UI side there must have been, right?

> Everything that could go wrong, did go wrong.

Then this claim seems a bit too much, since what could have gone more wrong is malicious actors discovering it, right? Did they?

Maybe I have trouble believing that a medical professional could be that careless and naive in such a way, but anything could happen.

I guess another thought is... If they built it why would they share the URL to the author? Was author like "Ooh cool, let me check that out", and they just gave the url without auth? Because if it worked as it was supposed to it should have just shown a login screen right? That's the weirdest part to me, I suppose.

[furyofantares]

> The timelines mentioned are weird - he spoke to them before they built it? Or after? It's not that clear, he mentions they mentioned watching a video.

I took that all to mean she had explained the history of it to the author, but it had already been written and deployed. It is worded a little weird. It's also translated from german, I don't know if that is a factor or not.

[fzzzy]

The single file thing makes perfect sense if it was built as an artifact in one of the big provider's webui.

[lesostep]

I could bet 5 dollars that they used chat and not an agent, and that's also the reason why it's a single html file.

Copypasted and than dropped into hosting folder, sweet web 1.0 style

[BrissyCoder]

> The timelines mentioned are weird - he spoke to them before they built it? Or after? It's not that clear, he mentions they mentioned watching a video.

Yeah although I didn't comment I found this weird as well. Chronology was vague and ill-defined. He went to a doctors office and the receptionist mentioned vibe coding their patient records system unprompted?

> A few days later, I started poking around the application.

What!? How... was there even a web-facing component to this system? Did the medical practice grant you access for some reason?

Yeah I'm back to calling bullshit. What a load of crap. Whole post probably written by an LLM.

[suddenlybananas]

I don't think you read the article very carefully, the timeline is that he met a person, and that person told him that they made vibe-coded an app after having seen a video. He then investigated the app.

[BrissyCoder]

Yeah because every medical practice I go to, I'm always able to investigate all of their systems.

[kuboble]

I live in Switzerland. Sounds pretty normal.

There are plenty of small medical practices with 1-2 doctors and a front desk.

On my last visit i actually casually discussed their IT system with a doctor.

[BrissyCoder]

> On my last visit i actually casually discussed their IT system with a doctor.

Oh right, cool. Did it have a public-facing web-portal that you were able to "investigate" and that "Thirty minutes in, I had full read and write access to all patient data".

The level of credulity in these comments is immense.

[kuboble]

No, they were complaining about using expensive, overly complicated third-party system that they need like only basic features like keeping text records about visits, and prescriptions and sending invoices to health insurers. And in some practices you get direct access to your data as a patient.

I mean the story might be fake obviously, but is definitely plausible.

[BrissyCoder]

Yeah sure, as a matter of rule, every time I visit any health provider I am always discussing with the medical receptionist: the software they use, the challenges the business as a whole faces, the tensions between insurers and third parties.

Things that absolutely 100% happen everytime I - a tech guy - experiences when I go to the doctor/phyiso-therapist etc... etc... These are discussions that are happening.

[EliRivers]

Isn't that the whole point? That one should NOT be able to investigate all of their systems?

[viraptor]

Having experience working with medical software, I call BS on this article as presented, unless it was some minimal support app. When you deal with patient records, there's so much of local law, communication, billing rules and other things baked in that you CANNOT vibe code an app to handle even 1% of that. Your staff would rebel and your records would completely fall apart. Even basic things like appointment bookings have a HISTORY and it's a full blown room scheduling system that multiple people with different roles have to deal with (reception and providers). It takes serious time to even reverse engineer the database of existing apps, and you first have to know how to access the database itself. Then you'll see many magic IDs and will have to reverse engineer what they mean. (yes, LLMs are good at reverse engineering too, but you need some reference data and you can't easily automate that)

I have decompiled database updaters to get the root password for the local SQL Server instance with extremely restricted access rules. (can't tell you which one...) I have also written many applications auto-clicking through medical apps, because there's no other way to achieve some batch changes in reasonable time. I have a lot of collateral knowledge in this area.

Now for the "unless it was some minimal support app" - you'll see lots of them and they existed before LLMs as well. They're definitely not protecting patient data as much as other systems. If the story is true in any way, it's probably this kind of helper that solves one specific usecase that other systems cannot. For example I'm working on an app which handles some large vaccination events and runs on a side of the main clinic management application. But accidentally putting that online, accessible to everyone, and having actual patient data imported would be hard-to-impossible to achieve for a non-dev.

For the recording and transcription, there are many companies doing that at the moment and it would be so much easier to go with any of them. They're really good quality these days.