Thank you for your question. A medical professional is bound to keep your medical information private under state laws and HIPAA (Health Insurance Portability and Accountability Act). This includes making sure that your information stays private in documents and electronic information which is disposed of, such as the server you found.
The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. See 45 CFR 164.530(c). This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information. In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use.
In your case, under the facts you have provided, there is no indication that the server that you found actually has any PHI on it. Your assumption is that it does and we can work under that assumption. A doctor can't simply throw medical records (or servers containing medical records) into a trash can which is accessible to the public. This would be in itself a violation of HIPAA.
In regard to what you should do, at this point you do not have a private action that you could enforce for money damages. First of all, since you discovered the information in the dumpster, there has not been a disclosure to any third party of your information. If you look at the information and find medical records of other people, then there might be disclosure of their medical records and they might have a claim. However, they could also potentially file a claim against you for intentional invasion of privacy.
What you should do in this situation is contact the U.S. Department of Health and Human Services and file a HIPAA violation complaint. USHHS is the federal department tasked with enforcing HIPAA. If USHHS finds a violation, it may fine your doctor for the negligent failure to protect the privacy of your health records.
Please let me know if you have any further questions regarding this subject or need any clarification.
Zachary D. Norris