Tell HN: Medvi (telehealth) hardcodes 999 patient emails in public JavaScript
1 day ago
Medvi is a telehealth pharmacy that has received significant media attention recently. While browsing their site with DevTools open, I noticed that their public JavaScript bundle contains a hardcoded list of 999 patient email addresses — along with each patient's enrollment date, active status, and whether a care manager has been assigned. This data is downloaded by every visitor's browser before any login occurs.
The list isn't a forgotten fixture. It's actively used: the app imports it, filters for active patients, and checks whether the logged-in user's email appears in the list to decide which UI features to display. Client-side feature flagging with real patient data baked into the bundle.
The same bundle also exposes a list of Season Health (Medvi's parent company) employee emails used to bypass checkout flows, and a separate list of Open Loop Health (their clinical provider) staff emails used to bypass intake form logic — both labeled as such in the source.
This is another great demonstration that relying only on large language models for product development is premature.
So did you disclose this responsibly? Posting about it publicly first is asking for that sensitive data to be leaked. Might as well hack and repost that PII yourself.
This is not a data leakage. They deliberately included 999 of their customers' email addresses in publicly accessible JavaScript code in order to test certain features on them.
Certainly that wasn't intentional to broadcast to the public? Sounds like a textbook data leak.
> A data leak is the unauthorized, often unintentional exposure of sensitive, confidential, or personal information to an external party, usually resulting from weak infrastructure, human error, or system errors.
Are the patient emails real patients or could they be test accounts?
The emails are definitely real, I checked a few and they appear in HIBP.
They look like real people's email addresses. I checked a few. They belong to real people.
How do you find such data leaks? Do you manually check all websites you visit?
I was curious to know which service provider they use. So I went to look at the source code of their websites.
Looks like you used a LLM to write your post, or am I wrong?
Totally agree Check the Wikipedia page "Signs of AI writing", found 2 of them in this post (overuse of em dash and negative parallelism) Also quickly checked Medvi, their JavaScript looks good...
Would you like me to show you specific JavaScript files right here?
4 replies →
Yes, LLM assisted.
[dead]