Tell HN: Medvi (telehealth) hardcodes 999 patient emails in public JavaScript
13 points by g48ywsJk6w48 18 hours ago | 15 comments

Medvi is a telehealth pharmacy that has received significant media attention recently. While browsing their site with DevTools open, I noticed that their public JavaScript bundle contains a hardcoded list of 999 patient email addresses — along with each patient's enrollment date, active status, and whether a care manager has been assigned. This data is downloaded by every visitor's browser before any login occurs.

The list isn't a forgotten fixture. It's actively used: the app imports it, filters for active patients, and checks whether the logged-in user's email appears in the list to decide which UI features to display. Client-side feature flagging with real patient data baked into the bundle.

The same bundle also exposes a list of Season Health (Medvi's parent company) employee emails used to bypass checkout flows, and a separate list of Open Loop Health (their clinical provider) staff emails used to bypass intake form logic — both labeled as such in the source.

This is another great demonstration that relying only on large language models for product development is premature.
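As an added illustration (not Medvi's code and not something from this thread), here is a build-time check that would catch this class of leak before deploy: scan the emitted JS bundle for e-mail literals and fail CI when any address outside a small allow-list appears. The bundle fragment and the allow-list below are constructed to mimic the pattern the post describes.

```javascript
// Added example: CI check for e-mail addresses shipped inside a client bundle.
// The bundle text and allow-list are constructed; they are not Medvi's code.

const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;

// Addresses that legitimately belong in a public bundle (e.g. a support contact).
// Constructed allow-list; a real project would maintain its own.
const ALLOWED_DOMAINS = new Set(['example.com']);

// Return the distinct non-allow-listed addresses in `bundleText`, plus a per-domain
// count so a reviewer can see the shape of the leak (one support mailbox vs. a
// customer list) without re-reading the raw bundle.
function scanBundleForEmails(bundleText, allowedDomains = ALLOWED_DOMAINS) {
  const found = new Map();
  for (const match of bundleText.matchAll(EMAIL_RE)) {
    const email = match[0].toLowerCase(); // dedupe case variants of one address
    const domain = email.slice(email.indexOf('@') + 1);
    if (allowedDomains.has(domain)) continue;
    found.set(email, domain);
  }
  const byDomain = {};
  for (const domain of found.values()) byDomain[domain] = (byDomain[domain] || 0) + 1;
  return { emails: [...found.keys()], byDomain };
}

// CI verdict: any customer or staff address in the bundle fails the build.
// The fix on the application side is to keep such lists server-side and return
// only the resolved feature flags for the authenticated user.
function bundleIsClean(bundleText) {
  return scanBundleForEmails(bundleText).emails.length === 0;
}

// Constructed bundle fragment mimicking the anti-pattern: patient records baked in
// and used for client-side feature flagging.
const SAMPLE_BUNDLE = `
var patients=[{email:"alice.p@example.org",enrolled:"2024-03-01",active:true,careManager:true},
{email:"bob.q@example.net",enrolled:"2024-05-12",active:false,careManager:false},
{email:"carol.r@example.org",enrolled:"2024-06-20",active:true,careManager:false},
{email:"Alice.P@example.org",enrolled:"2024-03-01",active:true,careManager:true}];
var support="help@example.com";
function showBetaUi(u){return patients.filter(p=>p.active).some(p=>p.email===u.email)}
`;

if (typeof require !== 'undefined' && require.main === module) {
  const report = scanBundleForEmails(SAMPLE_BUNDLE);
  console.log(report, bundleIsClean(SAMPLE_BUNDLE) ? 'clean' : 'FAIL: addresses in bundle');
}
```

Run it against the real build output (e.g. the contents of `dist/*.js`) as a CI step; the constant-folded bundle is the artifact a visitor downloads, so that is the text to scan.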

pants2 3 hours ago

So did you disclose this responsibly? Posting about it publicly first is asking for that sensitive data to be leaked. Might as well hack and repost that PII yourself.

g48ywsJk6w48 2 hours ago

This is not a data leak. They deliberately included 999 of their customers' email addresses in publicly accessible JavaScript code in order to test certain features on them.

thom-gtdp 3 hours ago

How do you find such data leaks? Do you manually check all websites you visit?

g48ywsJk6w48 2 hours ago

I was curious to know which service provider they use. So I went to look at the source code of their websites.

shoo 11 hours ago

Are the patient emails real patients or could they be test accounts?

KomoD 3 hours ago

The emails are definitely real, I checked a few and they appear in HIBP.

g48ywsJk6w48 7 hours ago

They look like real people's email addresses. I checked a few. They belong to real people.

speedgoose 15 hours ago

Looks like you used an LLM to write your post, or am I wrong?

thom-gtdp 8 hours ago

Totally agree. Check the Wikipedia page "Signs of AI writing"; I found 2 of them in this post (overuse of em dash and negative parallelism). Also quickly checked Medvi, their JavaScript looks good...

g48ywsJk6w48 7 hours ago

Would you like me to show you specific JavaScript files right here?

thom-gtdp 6 hours ago

Yes please, I only checked the ones from the homepage; I probably missed some if the other pages include other scripts.

g48ywsJk6w48 4 hours ago

Just open app.medvi.org and search in DevTools for gmail/yahoo/icloud and you will see a JS bundle with emails.

Or for seasonhealth/openloophealth to find another JS bundle with staff emails.

thom-gtdp 3 hours ago

Mamma Mia, I see them! Crazy, 1018 customer mail addresses at first sight.

g48ywsJk6w48 2 hours ago

Yes, and it's a company that makes hundreds of millions of dollars a year.

g48ywsJk6w48 7 hours ago

Yes, LLM assisted.