Tell HN: Medvi (telehealth) hardcodes 999 patient emails in public JavaScript

Medvi is a telehealth pharmacy that has received significant media attention recently. While browsing their site with DevTools open, I noticed that their public JavaScript bundle contains a hardcoded list of 999 patient email addresses — along with each patient's enrollment date, active status, and whether a care manager has been assigned. This data is downloaded by every visitor's browser before any login occurs.

The list isn't a forgotten fixture. It's actively used: the app imports it, filters for active patients, and checks whether the logged-in user's email appears in the list to decide which UI features to display. Client-side feature flagging with real patient data baked into the bundle.

The same bundle also exposes a list of Season Health (Medvi's parent company) employee emails used to bypass checkout flows, and a separate list of Open Loop Health (their clinical provider) staff emails used to bypass intake form logic — both labeled as such in the source.

This is another great demonstration that relying only on large language models for product development is premature.

4 points | by g48ywsJk6w48 7 hours ago

3 comments

  • shoo 22 minutes ago
    Are the patient emails real patients or could they be test accounts?
  • speedgoose 4 hours ago
    Looks like you used a LLM to write your post, or am I wrong?
  • allinonetools_ 3 hours ago
    [dead]