Active breach tracker Southgate, Michigan Disclosed June 2, 2025

Renkim Corporation Data Breach 2025: 105,518 Affected. Healthcare Mailing Vendor Hacked. Class Action Consolidated in E.D. Mich. What To Do.

Renkim Corporation, a Southgate, Michigan print and mail business associate, filed a HIPAA breach with HHS OCR on June 2, 2025 reporting 105,518 affected individuals after an unauthorized actor accessed its network on March 2-3, 2025. Downstream covered entities including NYC Health + Hospitals and Ballad Health are notifying their patients. A consolidated putative class action is pending in the Eastern District of Michigan.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Mar 2, 2025

Unauthorized actor accessed Renkim's network

Mar 3, 2025

Renkim detected suspicious activity and contained the intrusion

Apr 9, 2025

Renkim notified NYC Health + Hospitals that 5,728 of its patients were affected

May 9, 2025

Forensic review of impacted files completed (per Maine AG filing)

Jun 2, 2025

Renkim filed with HHS OCR (105,518 affected) and state AGs; individual notification letters began mailing

Jun 6, 2025

NYC Health + Hospitals issued downstream notice (5,728 patients; name, address, H+H patient status only)

Jun 25, 2025

Cundiff et al v. Renkim Corporation, 2:25-cv-11692, filed in U.S. District Court for the Eastern District of Michigan

Jun 26, 2025

Griffin v. Renkim Corporation filed; later closed and consolidated into Cundiff, 2:25-cv-11692

Jul 8, 2025

Ballad Health publicly disclosed it was a downstream affected client of the Renkim breach

Jan 30, 2026

Wakefield & Associates began mailing notification letters to its Renkim-affected individuals, offering 12 months of Cyberscout (TransUnion) credit monitoring

Mar 10, 2026

NYC Health + Hospitals revised its affected patient count from 5,728 to 5,086

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth (limited subset of individuals) Social Security number (limited subset of individuals)

03

Contact & insurance

Phishing + targeted scams

Full name Contact information (mailing address, phone, email) Name of Renkim's client (the provider or health plan) Client account number Dates of service

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Federman & Sherwood Strauss Borrelli PLLC Markovits, Stock & DeMarco, LLC The Lyon Firm Schubert Law Firm (SLFLA)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Renkim Corporation, a print and electronic mailing vendor based in Southgate, Michigan, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on June 2, 2025, disclosing that an unauthorized actor accessed its network on March 2-3, 2025 and exfiltrated files belonging to its provider and health-plan clients. The OCR portal lists 105,518 affected individuals, classified as a Hacking/IT Incident at a network server. Earlier state attorney general filings and trade press reported a lower figure of 46,864; the higher federal number reflects Renkim’s aggregated total as additional downstream covered entities completed their record reviews. Renkim is a business associate, so the envelope in your mailbox will come from your provider or health plan, not from Renkim.

Timeline

  • March 2, 2025 — An unauthorized actor accessed Renkim’s network environment.
  • March 3, 2025 — Renkim detected suspicious network activity, terminated the access, and engaged third-party forensic investigators and law enforcement.
  • April 9, 2025 — Renkim notified NYC Health + Hospitals that 5,728 of its patients were among the affected individuals.
  • May 9, 2025 — Forensic review of the impacted files was completed (the “discovery” date listed on Renkim’s Maine AG filing).
  • June 2, 2025 — Renkim filed a HIPAA breach report with HHS OCR reporting 105,518 affected, plus state attorney general notices in multiple states. Individual notification letters began mailing, with 12 months of Experian IdentityWorks credit monitoring offered.
  • June 6, 2025 — NYC Health + Hospitals issued its downstream notice covering 5,728 patients (name, address, H+H patient status only; this figure was later revised to 5,086 on March 10, 2026).
  • June 25, 2025Cundiff et al v. Renkim Corporation, 2:25-cv-11692, filed as a putative class action in the U.S. District Court for the Eastern District of Michigan.
  • June 26, 2025Griffin v. Renkim Corporation, 2:25-cv-11918, filed a day later in the same court; the Griffin case was subsequently closed with the docket directing all further entries to 2:25-cv-11692 (the Cundiff lead case).
  • July 8, 2025 — Ballad Health publicly disclosed that Renkim was its affected third-party mailing vendor.

What was exposed

Renkim’s role is to produce print and electronic mailings on behalf of its clients, so the files involved are mailing-list data. Across Renkim’s own substitute notice, the Maine AG filing, and downstream covered entity disclosures, the exposed dataset includes:

  • Full name
  • Contact information: mailing address, phone number, email address
  • Name of Renkim’s client (the provider or health plan that hired Renkim)
  • Client account number
  • Dates of service
  • Date of birth — limited subset of individuals
  • Social Security number — limited subset of individuals

What was exposed for you depends on which Renkim client held your data. NYC Health + Hospitals has stated that the only information of its affected patients that was involved was their name, address, and the fact that they are an H+H patient. No financial information, SSN, DOB, or clinical content was disclosed for that population. Wakefield & Associates’ population had a notably different exposure profile: for those individuals, the data included name, dates of medical service, physician or medical facility information, medical condition or treatment information, and patient account number. Other Renkim clients reported broader exposure including SSN and DOB for a subset of their members. Read your individual letter carefully; the data elements listed there are the authoritative description of what was lost for your record.

Who’s notifying you (BA — notice from your provider)

Renkim is a HIPAA business associate, not a covered entity. Under the HIPAA Breach Notification Rule, the obligation to notify individuals falls on the covered entity that contracted with Renkim. That is why the envelope on your kitchen counter may say:

  • NYC Health + Hospitals (5,086 patients; name, address, and H+H patient status only; count revised from an initial 5,728 on March 10, 2026)
  • Ballad Health (disclosed July 8, 2025)
  • Wakefield & Associates (healthcare debt collection agency; began notifying its affected individuals on or about January 30, 2026; offered 12 months of Cyberscout, a TransUnion company, credit monitoring; PHI for this population included name, dates of medical service, physician or medical facility information, medical condition or treatment information, and patient account number; Wakefield’s dedicated assistance line: 1-833-986-3615, Monday through Friday 9 a.m. to 8 p.m. Eastern; Wakefield has since discontinued its relationship with Renkim)
  • another provider, health plan, or financial-services company that uses Renkim for outbound print and email mailings

If you received a letter from any organization referencing Renkim Corporation, you are in the population this page covers.

Class-action posture

The active consolidated case is Cundiff et al v. Renkim Corporation, 2:25-cv-11692 (E.D. Mich., filed June 25, 2025). A second-filed action, Griffin v. Renkim Corporation (2:25-cv-11918), was closed shortly after filing and the docket directs all further entries to the Cundiff lead case. The complaints allege that Renkim failed to maintain reasonable network security commensurate with the volume and sensitivity of the protected health information it processed for its healthcare clients. Plaintiffs’ firms publicly investigating or accepting affected individuals include Federman & Sherwood, Strauss Borrelli PLLC, Markovits, Stock & DeMarco, LLC, The Lyon Firm, and Schubert Law Firm (SLFLA).

On the regulatory side, the breach is open on the HHS Office for Civil Rights portal with no public enforcement resolution yet. State attorney general notices have been filed in multiple states, with confirmed public filings in Maine (46,864 individuals), Vermont (June 23, 2025), Texas (466 residents, including SSN exposure), and California (notified August 8, 2025). Additional state AG filings (Iowa, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, and Washington) are associated with the NYC Health + Hospitals downstream disclosure.

What to do

This week:

  1. Enroll in the complimentary credit monitoring. Renkim is offering 12 months of Experian IdentityWorks to affected individuals. Your enrollment code is in your letter.
  2. Place a free credit freeze at Equifax, Experian, and TransUnion. This is the single highest-leverage step against new-account identity fraud and works independently of whether you enroll in Experian IdentityWorks.
  3. If your letter lists Social Security number as an exposed data element, file IRS Form 14039 (Identity Theft Affidavit) to block a fraudulent tax return under your SSN.

This month:

  1. Review your Explanation of Benefits statements from your health plan for services you did not receive. Medical identity theft surfaces in EOBs weeks or months after the underlying fraud.
  2. Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests and Health Information Exchange opt-outs across providers, insurers, HIEs, and prescription networks so the demographic and insurance information exposed in this breach is not continuously re-shared and resold by other entities downstream.
  3. Watch for additional letters from other Renkim clients. Renkim served multiple covered entities, and downstream notification waves are still going out.

Sources

Facts above are cross-referenced against Renkim’s own substitute notice, the Maine, Vermont, Texas, and California AG filings, the Wakefield downstream notice PDF, HIPAA Journal and HIPAA Times trade-press summaries, NYC Health + Hospitals’ downstream disclosure, the Bloomberg Law coverage, and the active E.D. Mich. docket for Cundiff et al v. Renkim Corporation. The March 10, 2026 revision to NYC H+H’s patient count (5,086) is sourced from ClaimDepot, which cross-references the NYC H+H press release.

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.