Renkim Corporation Data Breach 2025: 105,518 Affected. Healthcare Mailing Vendor Hacked. Class Action Consolidated in E.D. Mich. What To Do.
Renkim Corporation, a Southgate, Michigan print and mail business associate, filed a HIPAA breach with HHS OCR on June 2, 2025 reporting 105,518 affected individuals after an unauthorized actor accessed its network on March 2-3, 2025. Downstream covered entities including NYC Health + Hospitals and Ballad Health are notifying their patients. A consolidated putative class action is pending in the Eastern District of Michigan.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Mar 2, 2025
Unauthorized actor accessed Renkim's network
Mar 3, 2025
Renkim detected suspicious activity and contained the intrusion
Apr 9, 2025
Renkim notified NYC Health + Hospitals that 5,728 of its patients were affected
May 9, 2025
Forensic review of impacted files completed (per Maine AG filing)
Jun 2, 2025
Renkim filed with HHS OCR (105,518 affected) and state AGs; individual notification letters began mailing
Jun 6, 2025
NYC Health + Hospitals issued downstream notice (5,728 patients; name, address, H+H patient status only)
Jun 25, 2025
Cundiff et al v. Renkim Corporation, 2:25-cv-11692, filed in U.S. District Court for the Eastern District of Michigan
Jun 26, 2025
Griffin v. Renkim Corporation filed; later closed and consolidated into Cundiff, 2:25-cv-11692
Jul 8, 2025
Ballad Health publicly disclosed it was a downstream affected client of the Renkim breach
Jan 30, 2026
Wakefield & Associates began mailing notification letters to its Renkim-affected individuals, offering 12 months of Cyberscout (TransUnion) credit monitoring
Mar 10, 2026
NYC Health + Hospitals revised its affected patient count from 5,728 to 5,086
Mar 2, 2025
Unauthorized actor accessed Renkim's network
Mar 3, 2025
Renkim detected suspicious activity and contained the intrusion
Apr 9, 2025
Renkim notified NYC Health + Hospitals that 5,728 of its patients were affected
May 9, 2025
Forensic review of impacted files completed (per Maine AG filing)
Jun 2, 2025
Renkim filed with HHS OCR (105,518 affected) and state AGs; individual notification letters began mailing
Jun 6, 2025
NYC Health + Hospitals issued downstream notice (5,728 patients; name, address, H+H patient status only)
Jun 25, 2025
Cundiff et al v. Renkim Corporation, 2:25-cv-11692, filed in U.S. District Court for the Eastern District of Michigan
Jun 26, 2025
Griffin v. Renkim Corporation filed; later closed and consolidated into Cundiff, 2:25-cv-11692
Jul 8, 2025
Ballad Health publicly disclosed it was a downstream affected client of the Renkim breach
Jan 30, 2026
Wakefield & Associates began mailing notification letters to its Renkim-affected individuals, offering 12 months of Cyberscout (TransUnion) credit monitoring
Mar 10, 2026
NYC Health + Hospitals revised its affected patient count from 5,728 to 5,086
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Renkim Corporation, a print and electronic mailing vendor based in Southgate, Michigan, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on June 2, 2025, disclosing that an unauthorized actor accessed its network on March 2-3, 2025 and exfiltrated files belonging to its provider and health-plan clients. The OCR portal lists 105,518 affected individuals, classified as a Hacking/IT Incident at a network server. Earlier state attorney general filings and trade press reported a lower figure of 46,864; the higher federal number reflects Renkim’s aggregated total as additional downstream covered entities completed their record reviews. Renkim is a business associate, so the envelope in your mailbox will come from your provider or health plan, not from Renkim.
Timeline
- March 2, 2025 — An unauthorized actor accessed Renkim’s network environment.
- March 3, 2025 — Renkim detected suspicious network activity, terminated the access, and engaged third-party forensic investigators and law enforcement.
- April 9, 2025 — Renkim notified NYC Health + Hospitals that 5,728 of its patients were among the affected individuals.
- May 9, 2025 — Forensic review of the impacted files was completed (the “discovery” date listed on Renkim’s Maine AG filing).
- June 2, 2025 — Renkim filed a HIPAA breach report with HHS OCR reporting 105,518 affected, plus state attorney general notices in multiple states. Individual notification letters began mailing, with 12 months of Experian IdentityWorks credit monitoring offered.
- June 6, 2025 — NYC Health + Hospitals issued its downstream notice covering 5,728 patients (name, address, H+H patient status only; this figure was later revised to 5,086 on March 10, 2026).
- June 25, 2025 — Cundiff et al v. Renkim Corporation, 2:25-cv-11692, filed as a putative class action in the U.S. District Court for the Eastern District of Michigan.
- June 26, 2025 — Griffin v. Renkim Corporation, 2:25-cv-11918, filed a day later in the same court; the Griffin case was subsequently closed with the docket directing all further entries to 2:25-cv-11692 (the Cundiff lead case).
- July 8, 2025 — Ballad Health publicly disclosed that Renkim was its affected third-party mailing vendor.
What was exposed
Renkim’s role is to produce print and electronic mailings on behalf of its clients, so the files involved are mailing-list data. Across Renkim’s own substitute notice, the Maine AG filing, and downstream covered entity disclosures, the exposed dataset includes:
- Full name
- Contact information: mailing address, phone number, email address
- Name of Renkim’s client (the provider or health plan that hired Renkim)
- Client account number
- Dates of service
- Date of birth — limited subset of individuals
- Social Security number — limited subset of individuals
What was exposed for you depends on which Renkim client held your data. NYC Health + Hospitals has stated that the only information of its affected patients that was involved was their name, address, and the fact that they are an H+H patient. No financial information, SSN, DOB, or clinical content was disclosed for that population. Wakefield & Associates’ population had a notably different exposure profile: for those individuals, the data included name, dates of medical service, physician or medical facility information, medical condition or treatment information, and patient account number. Other Renkim clients reported broader exposure including SSN and DOB for a subset of their members. Read your individual letter carefully; the data elements listed there are the authoritative description of what was lost for your record.
Who’s notifying you (BA — notice from your provider)
Renkim is a HIPAA business associate, not a covered entity. Under the HIPAA Breach Notification Rule, the obligation to notify individuals falls on the covered entity that contracted with Renkim. That is why the envelope on your kitchen counter may say:
- NYC Health + Hospitals (5,086 patients; name, address, and H+H patient status only; count revised from an initial 5,728 on March 10, 2026)
- Ballad Health (disclosed July 8, 2025)
- Wakefield & Associates (healthcare debt collection agency; began notifying its affected individuals on or about January 30, 2026; offered 12 months of Cyberscout, a TransUnion company, credit monitoring; PHI for this population included name, dates of medical service, physician or medical facility information, medical condition or treatment information, and patient account number; Wakefield’s dedicated assistance line: 1-833-986-3615, Monday through Friday 9 a.m. to 8 p.m. Eastern; Wakefield has since discontinued its relationship with Renkim)
- another provider, health plan, or financial-services company that uses Renkim for outbound print and email mailings
If you received a letter from any organization referencing Renkim Corporation, you are in the population this page covers.
Class-action posture
The active consolidated case is Cundiff et al v. Renkim Corporation, 2:25-cv-11692 (E.D. Mich., filed June 25, 2025). A second-filed action, Griffin v. Renkim Corporation (2:25-cv-11918), was closed shortly after filing and the docket directs all further entries to the Cundiff lead case. The complaints allege that Renkim failed to maintain reasonable network security commensurate with the volume and sensitivity of the protected health information it processed for its healthcare clients. Plaintiffs’ firms publicly investigating or accepting affected individuals include Federman & Sherwood, Strauss Borrelli PLLC, Markovits, Stock & DeMarco, LLC, The Lyon Firm, and Schubert Law Firm (SLFLA).
On the regulatory side, the breach is open on the HHS Office for Civil Rights portal with no public enforcement resolution yet. State attorney general notices have been filed in multiple states, with confirmed public filings in Maine (46,864 individuals), Vermont (June 23, 2025), Texas (466 residents, including SSN exposure), and California (notified August 8, 2025). Additional state AG filings (Iowa, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, and Washington) are associated with the NYC Health + Hospitals downstream disclosure.
What to do
This week:
- Enroll in the complimentary credit monitoring. Renkim is offering 12 months of Experian IdentityWorks to affected individuals. Your enrollment code is in your letter.
- Place a free credit freeze at Equifax, Experian, and TransUnion. This is the single highest-leverage step against new-account identity fraud and works independently of whether you enroll in Experian IdentityWorks.
- If your letter lists Social Security number as an exposed data element, file IRS Form 14039 (Identity Theft Affidavit) to block a fraudulent tax return under your SSN.
This month:
- Review your Explanation of Benefits statements from your health plan for services you did not receive. Medical identity theft surfaces in EOBs weeks or months after the underlying fraud.
- Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests and Health Information Exchange opt-outs across providers, insurers, HIEs, and prescription networks so the demographic and insurance information exposed in this breach is not continuously re-shared and resold by other entities downstream.
- Watch for additional letters from other Renkim clients. Renkim served multiple covered entities, and downstream notification waves are still going out.
Sources
- Renkim Corporation: Notice of Data Security Incident (PRNewswire) — the entity’s own substitute notice, including the dedicated call center (1-866-461-3496).
- HIPAA Journal: Cyberattacks Announced by Renkim Corporation & The Vascular Experts — trade-press summary identifying NYC H+H and Ballad Health as confirmed downstream clients.
- HIPAA Times: Business associate Renkim discloses breach affecting nearly 47,000 — confirms BA status, downstream notification process, and 12-month Experian IdentityWorks remediation.
- Maine Attorney General: Renkim Corporation breach notice — state regulatory filing with incident date (3/2/2025), discovery date (5/9/2025), notification date (6/2/2025), and 46,864 individuals reported at the state level.
- Bloomberg Law: Renkim Sued Over Data Breach of Clients’ Mailing Information — coverage of the first-filed Griffin v. Renkim complaint.
- Justia Dockets: Cundiff et al v. Renkim Corporation, 2:25-cv-11692 (E.D. Mich.) — the active consolidated lead case in the Eastern District of Michigan.
- NYC Health + Hospitals: Notification of Possible PHI Disclosure (Renkim) — downstream covered entity notice naming Renkim and 5,728 affected patients (name, address, H+H patient status only).
- ClassAction.org: Renkim Corporation Data Breach Lawsuit Investigation — summary of plaintiff-firm class-action investigations.
- Strauss Borrelli PLLC: Renkim Data Breach Investigation — plaintiff-firm investigation announcement (June 3, 2025).
- HHS Office for Civil Rights Breach Portal — the federal regulatory record listing Renkim Corporation, 105,518 affected, Hacking/IT Incident at Network Server, submitted 2025-06-02.
- Wakefield & Associates: Notice of Data Privacy Event (Renkim) — downstream client notice PDF; PHI categories and Cyberscout monitoring offer for Wakefield population.
- Emery Reddy: Wakefield & Associates Data Breach — confirms January 30, 2026 notification start date and 12 months Cyberscout (TransUnion) monitoring.
- Federman & Sherwood: Renkim Corporation Data Breach — Texas AG filing reference; 466 Texas residents affected, including SSN exposure.
- Vermont Attorney General: Renkim Corporation Data Breach Notice — state AG consumer notice, June 23, 2025.
- California Attorney General: Data Security Breaches list — Renkim listed with incident dates 03/02/2025 and 03/03/2025; California AG notified 08/08/2025.
Facts above are cross-referenced against Renkim’s own substitute notice, the Maine, Vermont, Texas, and California AG filings, the Wakefield downstream notice PDF, HIPAA Journal and HIPAA Times trade-press summaries, NYC Health + Hospitals’ downstream disclosure, the Bloomberg Law coverage, and the active E.D. Mich. docket for Cundiff et al v. Renkim Corporation. The March 10, 2026 revision to NYC H+H’s patient count (5,086) is sourced from ClaimDepot, which cross-references the NYC H+H press release.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Renkim Corporation: Notice of Data Security Incident (PRNewswire)
- HIPAA Journal: Cyberattacks Announced by Renkim Corporation & The Vascular Experts
- HIPAA Times: Business associate Renkim discloses breach affecting nearly 47,000
- Maine Attorney General: Renkim Corporation breach notice
- Bloomberg Law: Renkim Sued Over Data Breach of Clients' Mailing Information
- Justia Dockets: Cundiff et al v. Renkim Corporation, 2:25-cv-11692 (E.D. Mich.)
- NYC Health + Hospitals: Notification of Possible PHI Disclosure (Renkim)
- ClassAction.org: Renkim Corporation Data Breach Lawsuit Investigation
- Strauss Borrelli PLLC: Renkim Data Breach Investigation
- HHS Office for Civil Rights Breach Portal
- Wakefield & Associates: Notice of Data Privacy Event (Renkim)
- Emery Reddy: Wakefield & Associates Data Breach (Renkim downstream)
- Federman & Sherwood: Renkim Corporation Data Breach (Texas AG filing reference)
- Vermont Attorney General: Renkim Corporation Data Breach Notice to Consumers
- California Attorney General: Renkim Corporation breach listing
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.