Tell HN: Medvi (telehealth) hardcodes 999 patient emails in public JavaScript

[g48ywsJk6w48]

Medvi is a telehealth pharmacy that has received significant media attention recently. While browsing their site with DevTools open, I noticed that their public JavaScript bundle contains a hardcoded list of 999 patient email addresses — along with each patient's enrollment date, active status, and whether a care manager has been assigned. This data is downloaded by every visitor's browser before any login occurs.

The list isn't a forgotten fixture. It's actively used: the app imports it, filters for active patients, and checks whether the logged-in user's email appears in the list to decide which UI features to display. Client-side feature flagging with real patient data baked into the bundle.

The same bundle also exposes a list of Season Health (Medvi's parent company) employee emails used to bypass checkout flows, and a separate list of Open Loop Health (their clinical provider) staff emails used to bypass intake form logic — both labeled as such in the source.

This is another great demonstration that relying only on large language models for product development is premature.

[shoo]

Are the patient emails real patients or could they be test accounts?

[KomoD]

The emails are definitely real, I checked a few and they appear in HIBP.

[g48ywsJk6w48]

They look like real people's email addresses. I checked a few. They belong to real people.

[pants2]

So did you disclose this responsibly? Posting about it publicly first is asking for that sensitive data to be leaked. Might as well hack and repost that PII yourself.

[g48ywsJk6w48]

This is not a data leakage. They deliberately included 999 of their customers' email addresses in publicly accessible JavaScript code in order to test certain features on them.

[pants2]

Certainly that wasn't intentional to broadcast to the public? Sounds like a textbook data leak.

> A data leak is the unauthorized, often unintentional exposure of sensitive, confidential, or personal information to an external party, usually resulting from weak infrastructure, human error, or system errors.

[thom-gtdp]

How do you find such data leaks? Do you manually check all websites you visit?

[g48ywsJk6w48]

I was curious to know which service provider they use. So I went to look at the source code of their websites.

[speedgoose]

Looks like you used a LLM to write your post, or am I wrong?

[thom-gtdp]

Totally agree Check the Wikipedia page "Signs of AI writing", found 2 of them in this post (overuse of em dash and negative parallelism) Also quickly checked Medvi, their JavaScript looks good...

[g48ywsJk6w48]

Would you like me to show you specific JavaScript files right here?

[thom-gtdp]

Yes please, I only checked the ones from homepage, I probably missed some if the other pages includes other scripts

[g48ywsJk6w48]

Just open app.medvi.org and search in DevTools gmail/yahoo/icloud and you will see js bundle with emails.

or seasonhealth/openloophealth to find another js bundle with staff emails.

[thom-gtdp]

Mamma Mia I see them! Crazy 1018 customer mails addresses at first sight

[g48ywsJk6w48]

Yes, LLM assisted.