Renovo Chiropractic & Wellness Data Breach 2026: 538 Washington Patients Exposed via Off-Site Storage Break-In. Paper EOBs Stolen. What To Do
Renovo Chiropractic & Wellness in Auburn, Washington, disclosed a January 2026 break-in at an off-site archived storage facility. Approximately three years (2021-2024) of paper Explanation of Benefits documents stolen, containing names, insurance IDs, and diagnosis codes for 538 patients. No SSN, financial data, or contact info in scope. No credit monitoring offered. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jan 16, 2026
Break-in at off-site archived storage facility; discovered same day
Jan 16, 2026
Attacker gained access
Mar 10, 2026
Patient notification letters mailed (53 days after discovery; within HIPAA 60-day window)
Mar 10, 2026
Disclosed publicly
Mar 16, 2026
HHS OCR breach portal submission
Jan 16, 2026
Break-in at off-site archived storage facility; discovered same day
Jan 16, 2026
Attacker gained access
Mar 10, 2026
Patient notification letters mailed (53 days after discovery; within HIPAA 60-day window)
Mar 10, 2026
Disclosed publicly
Mar 16, 2026
HHS OCR breach portal submission
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Renovo Chiropractic & Wellness LLC is a small single-location chiropractic and wellness practice at 914 D Street NE, Suite 101, Auburn, Washington (King County, south of Seattle). The practice focuses on “structural correction” chiropractic, plus spinal decompression, laser therapy, cryotherapy, rehabilitation, and motor vehicle accident / workers’ comp injury care.
On January 16, 2026, there was a physical break-in at an off-site archived storage facility used by the practice (not the main clinic). The break-in was discovered the same day. Items taken were approximately three years of paper Explanation of Benefits (EOB) documents covering patients seen from January 1, 2021 through December 31, 2024.
Renovo mailed patient notification letters on March 10, 2026 — 53 days after discovery, within HIPAA’s 60-day notification window. The HHS OCR breach portal submission followed on March 16, 2026 — confirming 538 affected individuals.
No electronic devices, backup media, or vehicle theft was involved — this was a physical document theft from a storage facility.
What was stolen
Per the entity’s disclosure letter, the stolen EOBs contained:
- Patient names
- Insurance ID numbers
- Diagnosis codes
Renovo explicitly states the documents did NOT include:
- Social Security numbers
- Phone numbers
- Email addresses
- Financial account information
- Other private contact information
The exposure is clinical and insurance — diagnosis codes paired with insurance ID numbers. This is enough information to discriminate or commit insurance-side identity theft (filing fraudulent claims under the victim’s insurance ID), but not enough for typical financial identity theft.
What Renovo Chiropractic is offering
Renovo’s response is notably thin by 2026 standards:
- No credit monitoring offered
- No identity-theft protection offered
- No dedicated call center beyond the (253) 939-1942 info line
- Mitigation guidance: “Review any EOB statements or insurance statements you receive” and contact your insurer if unrecognized services appear
- Reported to law enforcement; notified insurance carrier
This response is likely defensible given the absence of SSN or financial data, but represents the floor of what HIPAA permits.
What to do
- Read your specific notification letter to confirm what records were stolen.
- Watch your insurance Explanation of Benefits statements very carefully for unfamiliar chiropractic, imaging, or related claims that you did not authorize.
- Contact your health insurer’s fraud line to flag your account for unusual activity — insurance-side identity theft (fraudulent claims using your ID) is the primary risk here.
- If you see unfamiliar claims, dispute them with your insurer and request a corrected medical record.
- Stop the ongoing flow of your chiropractic claims data. HealthConsent files HIPAA restriction requests so the diagnosis-code and insurance-ID data exposed in this breach is not continuously re-shared.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Renovo Chiropractic Homepage
- Renovo Chiropractic Disclosure Letter
- Washington AG Data Breach Notifications Directory
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.