Tell HN: Medvi (telehealth) hardcodes 999 patient emails in public JavaScript

3•g48ywsJk6w48•3h ago
Medvi is a telehealth pharmacy that has received significant media attention recently. While browsing their site with DevTools open, I noticed that their public JavaScript bundle contains a hardcoded list of 999 patient email addresses — along with each patient's enrollment date, active status, and whether a care manager has been assigned. This data is downloaded by every visitor's browser before any login occurs.

The list isn't a forgotten fixture. It's actively used: the app imports it, filters for active patients, and checks whether the logged-in user's email appears in the list to decide which UI features to display. Client-side feature flagging with real patient data baked into the bundle.

The same bundle also exposes a list of Season Health (Medvi's parent company) employee emails used to bypass checkout flows, and a separate list of Open Loop Health (their clinical provider) staff emails used to bypass intake form logic — both labeled as such in the source.

This is another great demonstration that relying only on large language models for product development is premature.
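
A build-time check for the pattern the post describes, added here as an example and not code from the post or from the site it discusses: it scans built bundle text for e-mail address literals, then shows the server-side alternative, where the roster stays on the server and the browser receives only the signed-in user's own boolean flags. The sample bundle, the addresses, the field names and the function names are all constructed for illustration.

```javascript
// Constructed sample of a built client bundle that embeds a roster and uses it
// for feature gating, as the post describes. All addresses are made up.
const SAMPLE_BUNDLE = `
const roster=[{email:"a.patient@example.com",enrolled:"2024-01-05",active:true,careManager:false},
{email:"b.patient@example.com",enrolled:"2024-02-11",active:false,careManager:true},
{email:"c.patient@example.com",enrolled:"2024-03-02",active:true,careManager:true}];
const show=roster.filter(p=>p.active).some(p=>p.email===user.email);
const support="help@example.com";const dep="react@18.2.0";`;

// Requires an alphabetic TLD so version strings such as pkg@1.2.3 do not match.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}/g;

// Distinct addresses found in the bundle text that are not on the allowlist
// (the allowlist holds intentionally public addresses, e.g. a support mailbox).
function embeddedEmails(bundleText, allowlist = []) {
  const allowed = new Set(allowlist.map((e) => e.toLowerCase()));
  const found = new Set();
  for (const match of bundleText.matchAll(EMAIL_RE)) {
    const email = match[0].toLowerCase();
    if (!allowed.has(email)) found.add(email);
  }
  return [...found].sort();
}

// Build gate: any non-allowlisted address in shipped JavaScript fails the audit.
function auditBundle(bundleText, allowlist = []) {
  const emails = embeddedEmails(bundleText, allowlist);
  return { ok: emails.length === 0, count: emails.length, emails };
}

// Server-side alternative: the roster never leaves the server. The handler
// looks up only the authenticated session's address (assumed to come from a
// verified session, and stored lower-case) and returns booleans, no roster.
function flagsForSession(sessionEmail, serverRoster) {
  const wanted = sessionEmail.toLowerCase();
  const entry = serverRoster.find((p) => p.email === wanted);
  return { enhancedUi: Boolean(entry && entry.active) };
}

const report = auditBundle(SAMPLE_BUNDLE, ["help@example.com"]);
console.log(report.ok ? "bundle clean" : `FAIL: ${report.count} address(es) in bundle`);
```

Run against the real build output in CI, the audit turns an embedded roster into a failed build instead of a production download.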

Comments

speedgoose•1h ago
Looks like you used an LLM to write your post, or am I wrong?
