Active breach tracker Auburn, WA Disclosed March 10, 2026

Renovo Chiropractic & Wellness Data Breach 2026: 538 Washington Patients Exposed via Off-Site Storage Break-In. Paper EOBs Stolen. What To Do

Renovo Chiropractic & Wellness in Auburn, Washington, disclosed a January 2026 break-in at an off-site archived storage facility. Approximately three years (2021-2024) of paper Explanation of Benefits documents stolen, containing names, insurance IDs, and diagnosis codes for 538 patients. No SSN, financial data, or contact info in scope. No credit monitoring offered. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jan 16, 2026

Break-in at off-site archived storage facility; discovered same day

Jan 16, 2026

Attacker gained access

Mar 10, 2026

Patient notification letters mailed (53 days after discovery; within HIPAA 60-day window)

Mar 10, 2026

Disclosed publicly

Mar 16, 2026

HHS OCR breach portal submission

Data exposed

01

High-risk identity

Enables financial + identity theft

Explicitly NOT in scope: Social Security number, phone number, email address, financial account information, other private contact information

02

Health records

Don't expire and can't be reissued

Diagnosis codes

03

Contact & insurance

Phishing + targeted scams

Patient name Insurance ID number
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Renovo Chiropractic & Wellness LLC is a small single-location chiropractic and wellness practice at 914 D Street NE, Suite 101, Auburn, Washington (King County, south of Seattle). The practice focuses on “structural correction” chiropractic, plus spinal decompression, laser therapy, cryotherapy, rehabilitation, and motor vehicle accident / workers’ comp injury care.

On January 16, 2026, there was a physical break-in at an off-site archived storage facility used by the practice (not the main clinic). The break-in was discovered the same day. Items taken were approximately three years of paper Explanation of Benefits (EOB) documents covering patients seen from January 1, 2021 through December 31, 2024.

Renovo mailed patient notification letters on March 10, 2026 — 53 days after discovery, within HIPAA’s 60-day notification window. The HHS OCR breach portal submission followed on March 16, 2026 — confirming 538 affected individuals.

No electronic devices, backup media, or vehicle theft was involved — this was a physical document theft from a storage facility.

What was stolen

Per the entity’s disclosure letter, the stolen EOBs contained:

  • Patient names
  • Insurance ID numbers
  • Diagnosis codes

Renovo explicitly states the documents did NOT include:

  • Social Security numbers
  • Phone numbers
  • Email addresses
  • Financial account information
  • Other private contact information

The exposure is clinical and insurance — diagnosis codes paired with insurance ID numbers. This is enough information to discriminate or commit insurance-side identity theft (filing fraudulent claims under the victim’s insurance ID), but not enough for typical financial identity theft.

What Renovo Chiropractic is offering

Renovo’s response is notably thin by 2026 standards:

  • No credit monitoring offered
  • No identity-theft protection offered
  • No dedicated call center beyond the (253) 939-1942 info line
  • Mitigation guidance: “Review any EOB statements or insurance statements you receive” and contact your insurer if unrecognized services appear
  • Reported to law enforcement; notified insurance carrier

This response is likely defensible given the absence of SSN or financial data, but represents the floor of what HIPAA permits.

What to do

  1. Read your specific notification letter to confirm what records were stolen.
  2. Watch your insurance Explanation of Benefits statements very carefully for unfamiliar chiropractic, imaging, or related claims that you did not authorize.
  3. Contact your health insurer’s fraud line to flag your account for unusual activity — insurance-side identity theft (fraudulent claims using your ID) is the primary risk here.
  4. If you see unfamiliar claims, dispute them with your insurer and request a corrected medical record.
  5. Stop the ongoing flow of your chiropractic claims data. HealthConsent files HIPAA restriction requests so the diagnosis-code and insurance-ID data exposed in this breach is not continuously re-shared.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.