(CBS) -- A massive breach of medical records containing confidential personal information has prompted both federal and state investigations. It all started when CBS 2 Investigator Dave Savini got a tip about what a dumpster diver found in the trash.
Suburban Lung Associates has numerous offices affiliated with major hospitals. Charts belonging to their patients were just tossed in a dumpster.
It is an identity thief's dream, and a nightmare for patients. Medical files, tossed in the trash, contain personal information including drivers' licenses, Social Security numbers and even medical histories.
Diane and Guy Scarpelli are just two of thousands of people to have their identities put in jeopardy.
"I thought all this would be private," said Diane Scarpelli. "It would never come out to anybody."
"I was shocked at first," said Guy Scarpelli. "I didn't believe it."
Filefax, a Northbrook company, stores and moves hospital records. CBS 2 found the company dumpster filled with medical records that should have been shredded or disposed of in a manner that protects patient privacy. There were even medical records left in a parked company car, where they could easily be read by anyone walking nearby.
Filefax works for numerous medical facilities including Suburban Lung Associates, which is affiliated with Alexian Brothers Medical Center, Central DuPage Hospital, St. Alexius Medical Center, Edward Hospital, Northwest Community Hospital and Lutheran General Hospital.
"It's hard to believe they threw it in a dumpster," said Guy Scarpelli.
The same thing happened to Keith Schuler. Details of his sleep study were tossed in the trash along with his wife's personal information. Schuler said the records should have been shredded and could be used to steal his identity.
"Nice shopping spree on my dime," said Schuler.
Also disturbed is Joe Sagerer. His daughter Holly died from her medical problems. He assumed her confidential file, which also contained his Social Security number, was safe.
"I thought it was all secure," said Sagerer. "It's sad that it would go to that point."
CBS 2 found a dumpster diver, selling paper for recycling, who says Filefax allowed her to take even more patient records a week earlier. She filled a tall blue garbage can up and made ten trips to a recycling facility with 1,000 pounds of even more Suburban Lung Associates files.
No one from Filefax would answer the door, so CBS 2 called Northbrook police to secure the latest load of files in the dumpster. Police ordered the company to bring the dumpster inside.
"How long have they been doing it and how long have they been getting away with it?" said Diane Scarpelli.
The Illinois Attorney General and U.S. Department of Health and Human Services are investigating. Suburban Lung Associates is assisting the investigation and released the statement below.
Filefax did not comment.
Suburban Lung Associates Statement Re: Potential Compromise of Patient Information
"Suburban Lung Associates takes the privacy and security of our patients' records very seriously.
Upon learning that some information about previous patients may have been compromised as a result of actions by a third-party vendor, we immediately began an active investigation. We are working cooperatively with law enforcement to assess the situation.
Based on what we know now, we believe this is an isolated incident involving patient records from 2004. We deeply regret these circumstances and are committed to keeping patients informed.
Suburban Lung Associates, like many healthcare providers, relies on reputable third-party vendors to retain and, when appropriate, securely destroy patient records. Suburban Lung Associates' policy with the vendor involved in this situation specifically mandates that all records be destroyed before they are discarded. We are investigating what may have occurred in this instance and are taking further steps to prevent a recurrence."