Dumpster Dive: Hospital Records, Credit Card Statements, and Patient Files in the Trash
Investigative journalists and security researchers have repeatedly demonstrated that hospitals, banks, and businesses discard patient records, financial documents, and customer files in unsecured dumpsters, in direct violation of the secure-disposal requirements of HIPAA, GDPR, and PCI DSS.
Background
Dumpster diving — retrieving discarded documents from rubbish bins or recycling containers — has been used since at least the 1980s to gather intelligence for social engineering and identity theft. Healthcare and financial services organisations regularly appear in news reports for improper document disposal.
The Attack
Security researchers and journalists have conducted dozens of documented dumpster dive investigations. Common findings include: physical patient records discarded by medical practices (violating HIPAA in the US); full credit card statements including card numbers (violating PCI DSS); employee personnel files including SSNs, salary information, and home addresses; customer account documents containing PINs and passwords; and discarded laptops and hard drives containing unencrypted data. In one documented case, a Phoenix-area medical practice discarded thousands of patient records in an open recycling bin accessible to anyone.
Response
The FTC and OCR (the HHS Office for Civil Rights) have fined organisations for improper document disposal. HIPAA regulations require that PHI be rendered unreadable and unrecoverable before disposal. PCI DSS requires that media containing cardholder data be destroyed (for paper, by cross-cut shredding, incineration, or pulping) once it is no longer needed. Class action lawsuits have followed some dumpster dive exposures. Most organisations implement shredding policies only after an incident.
Outcome
Dumpster diving incidents recur annually across all industries. The fundamental failure, treating physical documents as requiring less security than digital data, persists despite decades of regulation. The low technical barrier means any motivated individual can attempt it.
Key Takeaways
- Establish mandatory cross-cut shredding policies for all documents containing personal, financial, or confidential data
- Hard drives and other storage media must be degaussed (magnetic media only; SSDs are unaffected by degaussing) and physically destroyed, not simply discarded
- Locked disposal containers or a shredding service contract are the standard way to meet the secure-disposal requirements of HIPAA, PCI DSS, and GDPR
- Conduct periodic dumpster audits to verify shredding policies are being followed