I Found a HIPAA Violation in a $400M Startup. They Paid Me $1,000 and Forgot the NDA.
A fintech guy noticed a number in a URL. What followed: a HIPAA nightmare, 5 agents on a conference call, and a $1,000 ACH. No NDA.
Caleb Bacher
~6 min read
April 3, 2026 (Updated: April 3, 2026)
I Found a Massive HIPAA Violation in a $400 Million Telehealth Startup. They Paid Me $1,000 and Forgot to Make Me Sign an NDA.
I'm not a security researcher. I'm not a hacker. I'm a high school dropout running a fintech company in Oklahoma. I just noticed a number in a URL.
This is the story of how I accidentally stumbled into one of the more embarrassing data breaches I've ever seen, spent an hour on the phone with five offshore call center agents simultaneously, got paid $1,000 via ACH with zero paperwork, and then watched the company get a glowing Forbes profile calling them the future of AI-powered business.
So. Let's talk about MEDVi.
How This Started
It was a normal day. I was scrolling Facebook when I saw an ad for $149/month Tirzepatide. Since groceries cost more than that these days, I figured I'd see if it was legit.
It wasn't. The actual price was $279/month. I closed the tab and moved on.
Then I got a text.
"MEDVi: Hi Caleb, here is your weight loss approval page: https://a.medvi.org/Caleb8"
I clicked the link. No login. No authentication. No verification of any kind. Just my full name, email address, current weight, goal weight, and phone number sitting there on a publicly accessible webpage, protected by nothing except the fact that you'd have to know my first name and a number.
I got curious. I changed the URL to Caleb7.
Someone named Caleb had ordered ED medication. I could see his full name, email, phone number, and exactly what he ordered.
I tried Kelly12. There was Kelly's weight loss approval page. Full name, email, phone number, weight, goal weight.
This wasn't a glitch. This was the architecture.
The Vulnerability
MEDVi — which runs on infrastructure provided by CareValidate and OpenLoop Health — was assigning every intake form submission a sequential, predictable, unauthenticated URL. The URL itself was the only access control. There was no session token, no login, no verification that you were the person the page belonged to.
In security terms, this is called an Insecure Direct Object Reference, or IDOR. It's one of the most well-documented vulnerability classes in existence. OWASP has been writing about it for over a decade.
For non-patients like me, the exposed data included name, phone, email, weight, and goal weight. For actual customers who had purchased, it also included their complete order information — medication type, dosage, and payment details.
This is Protected Health Information under HIPAA. All of it. Weight in the context of a medical intake form is PHI. Medication orders are PHI. The combination of name, contact information, and health data is exactly what HIPAA exists to protect.
MEDVi did $401 million in revenue in their first year of operation, according to Forbes. They had 250,000 customers. Every single one of them had a page like this.
The Phone Call Circus
I replied to the text asking for a compliance contact. Their AI chatbot couldn't route the request. So I called.
I got connected to an offshore customer service agent and asked for management or compliance. That didn't happen. So I kept calling.
Over the course of about an hour, I accumulated five of their agents on a conference call while simultaneously calling the U.S. Department of Health and Human Services to report the HIPAA violation. We were all sitting on hold together — me, five MEDVi agents, and the HHS queue — when my phone lit up with an inbound call from MEDVi's customer service line.
I answered. A very flustered Executive Assistant really wanted me to stop calling all of their agents.
We had a 5–10 minute conversation where I explained the issue. Their initial understanding was that I was somehow receiving all of their customer data as leads were submitted — they didn't immediately grasp that anyone could access anyone's page just by changing a number. I walked her through it. I suggested they implement UUIDs instead of sequential integers to make the URLs non-enumerable, though I'll note that alone wouldn't make it fully HIPAA compliant — you'd still need authentication.
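To make the flaw and the fix concrete, here is an added example (not MEDVi's code, and not from the post) contrasting the sequential-slug lookup described in "The Vulnerability" with the remedy suggested on the call: a random, non-enumerable token plus an ownership check against a logged-in user. The records, names and addresses are constructed, and `session_user` is assumed to come from whatever authenticated session the application maintains.

```python
import secrets

# Constructed sample intake records; names and addresses are made up.
# Vulnerable design: the key is a first name plus a sequential counter,
# the kind of slug anyone can predict from their own link.
INTAKE_BY_SLUG = {
    "Caleb7":  {"owner": "caleb.b@example.com", "name": "Caleb B.", "order": "ED medication"},
    "Caleb8":  {"owner": "caleb.a@example.com", "name": "Caleb A.", "weight": 210, "goal": 185},
    "Kelly12": {"owner": "kelly.m@example.com", "name": "Kelly M.", "weight": 160, "goal": 140},
}


def vulnerable_lookup(slug):
    """IDOR: the URL path is the only access control, so any slug returns any record."""
    return INTAKE_BY_SLUG.get(slug)


# Hardened design: the same records, keyed by a random token that cannot be
# enumerated, and served only to the authenticated owner.
INTAKE_BY_TOKEN = {}


def create_intake(record):
    """Store a record under a 256-bit random token and return the token."""
    token = secrets.token_urlsafe(32)
    INTAKE_BY_TOKEN[token] = record
    return token


def hardened_lookup(token, session_user):
    """Return the record only if the token exists AND the logged-in user owns it.

    The random token defeats guessing; the ownership check is what keeps the
    link useless if it leaks (forwarded text, browser history, proxy logs).
    Missing and foreign records get the same answer, so existence is not confirmed.
    """
    if session_user is None:
        return None
    record = INTAKE_BY_TOKEN.get(token)
    if record is None or record["owner"] != session_user:
        return None
    return record


# Migrate the sample data so both designs can be compared side by side.
TOKENS = {slug: create_intake(rec) for slug, rec in INTAKE_BY_SLUG.items()}

if __name__ == "__main__":
    print("guessed slug, no login   ->", vulnerable_lookup("Caleb7"))
    print("random token, wrong user ->", hardened_lookup(TOKENS["Caleb7"], "kelly.m@example.com"))
    print("random token, owner      ->", hardened_lookup(TOKENS["Caleb7"], "caleb.b@example.com"))
```

Note that a random token alone would still hand the record to anyone holding the link; the ownership check is what turns "knows the URL" into "is the patient".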
She promised to get it fixed immediately and let me know when it was done.
About 90 minutes later, she called back. Fixed. And they wanted to give me $1,000 for bringing it to their attention.
The Payment
A few days passed. I texted the customer service number to follow up. The EA called back within an hour, asked for my banking information, and said she'd be in touch.
Ten minutes later, she sent the payment confirmation. Two hours after that, $1,000 was in my business account — sent via ACH with no paperwork attached, no release signed, no settlement agreement, no non-disclosure agreement, no W-9. Just a wire confirmation and silence.
I giggled.
I once sold HIPAA compliance consulting. Part of what I sold was helping companies understand exactly what their obligations were when a breach occurred. The idea that a company generating $400 million in annual revenue paid out a data breach disclosure with a handshake ACH transfer and a verbal thank-you — no legal review, no NDA, no release of claims — is one of the more remarkable things I've witnessed in a professional context.
For what it's worth, I wasn't expecting anything. An extra $1,000 is always nice. But the absence of any legal documentation is what keeps this story alive.
What They Were Actually Required To Do
This is the part that matters beyond the funny story.
HIPAA's Breach Notification Rule requires covered entities and their business associates to notify affected individuals of a breach of unsecured PHI. For breaches affecting 500 or more individuals, they're also required to notify HHS and prominent media outlets in the affected states — within 60 days of discovering the breach.
MEDVi had 250,000 customers. This vulnerability was present in every record. The exposure window is unknown, but the URL structure suggests it was baked into the product from launch.
I was an affected party. As of the time I'm writing this, I have not received a breach notification from MEDVi. I have no evidence they filed with HHS OCR. I have no evidence they notified their 250,000 customers that their weight, medication orders, and personal contact information was accessible to anyone who could guess a URL.
I also can't fully confirm the vulnerability is fixed. I know my specific URL no longer works. I don't know if they patched the underlying architecture or just deleted my record to stop me from calling their agents.
The Forbes Article
Today, Forbes published a profile of MEDVi and its founder, Matthew Gallagher. It's a genuinely interesting story — a solo founder who built a $401 million revenue business in his first year using AI tools, two contract employees, and infrastructure rented from CareValidate and OpenLoop. The margins are remarkable. The execution velocity is remarkable.
The article mentions that Gallagher used Claude and ChatGPT to build the platform's code.
It does not mention the breach.
I had planned to stay quiet. I didn't think MEDVi was this large, and honestly, the $1,000 was a pleasant surprise for what felt like a minor good deed. But a company doing $401 million in revenue — on track for $1.8 billion in 2026 per Forbes — that hasn't notified a quarter million patients of a HIPAA breach, paid out disclosure with a handshake and an ACH transfer, and is now getting profiled as a beacon of AI-enabled entrepreneurship deserves to have the full picture told.
I'm not a security researcher. I'm not a lawyer. I'm a fintech guy who grew up bouncing around the country as an Air Force kid and landed in Oklahoma. I just noticed a number in a URL.
Matt, you have my contact info. Happy to help if you need more compliance work.
#cybersecurity #hipaa #healthcare #startup #privacy