Keffer / Athletic Trainer System Data Breach Lawsuit
Data Breach · MDL Consolidated

Keffer Development (Athletic Trainer System) Data Breach Lawsuit

Published July 14, 2026

If you were a college athlete whose school used the Athletic Trainer System, your records may have been swept up in one of the largest campus-data hacks ever charged. Here is what the litigation covers — and why there is nothing to claim yet.

A conceptual data-breach image, representing the Keffer Development / Athletic Trainer System student-athlete data breach litigation, MDL 3159
Civil class actions allege Keffer Development Services, maker of the Athletic Trainer System software, failed to secure student-athlete records accessed at more than 100 colleges. The consolidated litigation is MDL No. 3159 in the Eastern District of Michigan.
Allegations Only · No Settlement Yet

This article describes civil class action complaints and a related federal criminal case. The civil claims are unproven allegations, and the criminal charges are accusations only — the accused is presumed innocent unless and until proven guilty. No civil defendant has been found liable, there is no certified class, and there is nothing to claim at this time. This page is informational and is not legal advice.

What Is This About?

A wave of class action lawsuits over a student-athlete data breach has been consolidated as In re: Keffer Development Services, LLC, Data Security Breach Litigation, MDL No. 3159, before Judge Mark A. Goldsmith in the U.S. District Court for the Eastern District of Michigan. Despite the "development services" name, this is not a hospital or healthcare-provider breach. Keffer Development Services, LLC makes the Athletic Trainer System (ATS) — software that college and university athletic departments use to store records on their athletes, including injury, treatment, and health information alongside personal identifying data.

The breach is tied to a federal criminal case. Prosecutors have charged a former University of Michigan football coach, Matthew Weiss, in a 24-count indictment, alleging he broke into athlete databases held in the Athletic Trainer System over a period of years. Those criminal charges are accusations only; Weiss is presumed innocent. The civil lawsuits covered here allege that Keffer — and, in many complaints, the universities — failed to reasonably secure the data. No civil defendant has been found liable, and the civil claims remain unproven allegations.

Status MDL Consolidated — In Litigation MDL 3159 · E.D. Mich. · Judge Mark A. Goldsmith · transferred Aug. 8, 2025 · 12 actions
Scale (alleged) 150,000+ athletes · 100+ schools Athletic Trainer System records · names, contact & health/injury data · access alleged 2015–Jan. 2023
Can I Claim? No — nothing to claim yet No settlement or claim form · related federal criminal case ongoing

How the Breach Happened

According to the federal indictment, the accused gained unauthorized access to student-athlete databases maintained in the Athletic Trainer System from 2015 through January 2023. Prosecutors allege he reached the databases of more than 100 colleges and universities and downloaded personal and health information on more than 150,000 athletes, in part by compromising athletic-trainer and administrator accounts and cracking stored passwords.

Prosecutors further allege that the athlete data was then used as a springboard to break into the personal social-media, email, and cloud-storage accounts of certain individuals — more than 2,000 athletes, along with roughly a thousand other people — and that female college athletes were disproportionately targeted. Because those are the allegations in a charging document, they describe what prosecutors intend to prove, not facts a court has found. The accused has been charged with unauthorized-access and identity-theft offenses and is presumed innocent.

What Was Exposed and Who Is Affected

The information at issue is the data held inside the Athletic Trainer System: student-athletes' personal identifying information along with health, injury, and treatment records that athletic departments keep. The affected population is current and former student-athletes — and some other students and alumni — at the many colleges and universities that used the ATS software during the 2015 to January 2023 window.

Many affected people learned of the incident through their school or through a victim-assistance program set up in connection with the criminal case, rather than through a notice bearing the vendor's name. Kent State University, for example, separately disclosed a breach of its ATS data in late 2023. Because this is fundamentally a hacking case rather than a routine vendor cyber-incident, exact institution counts and notification dates vary by school.

What the Civil Lawsuits Allege

The consolidated civil complaints name the accused individual along with one or more universities, and most also name Keffer Development Services. They allege that Keffer and the schools failed to implement reasonable safeguards for the athlete data, enabling the intrusion, and they assert claims under federal statutes including the Computer Fraud and Abuse Act and the Stored Communications Act, along with Title IX and state-law privacy and negligence claims.

As with any complaint, these are allegations only. No civil defendant has been found liable, no class has been certified, and the defendants dispute the claims. The civil MDL and the separate federal criminal prosecution are distinct proceedings, even though they arise from the same underlying events.

Is There a Keffer Settlement Yet?

No. This is litigation, not a settlement.

There is no settlement fund, no claim form, no payout, and no deadline to act. The MDL was only consolidated in August 2025 and is at an early stage before Judge Goldsmith. If the cases are resolved through a settlement, or a class is certified, a formal claims process with its own eligibility rules and deadlines would be announced separately, and OpenClassActions.com would cover it. Be skeptical of any site presenting a "Keffer settlement claim form" today — no court-approved settlement exists.

What Affected Athletes Can Do Now

• Keep any breach notice you received from your school or the victim-assistance program — it identifies what was involved and may be needed if a claims process later opens.
• Secure your personal accounts: strong, unique passwords and the strongest two-factor authentication available, since the alleged scheme moved from athletic records into personal accounts.
• Be alert to targeted phishing and extortion attempts referencing your school or athletics.
• There is nothing to file right now; watch for news of a certified class or settlement.

For breach settlements that are open and claimable now, see OCA's data breach settlements tracker.

Frequently Asked Questions

Is there a Keffer data breach settlement yet?

No. MDL 3159 is in early litigation in the Eastern District of Michigan. There is no fund, no claim form, and no deadline. No civil defendant has been found liable.

Who is affected?

Current and former student-athletes (and some other students and alumni) at colleges and universities that used the Athletic Trainer System during the 2015 to January 2023 period.

Do I need to file a claim?

No. Because this is a lawsuit and not a settlement, there is nothing to claim and no deadline. Keep any breach notice, secure your accounts, and watch for updates. If a class is certified or a settlement is reached, a claims process and deadlines would be announced separately.

Sources

• Judicial Panel on Multidistrict Litigation — transfer order creating MDL No. 3159: JPML Transfer Order
• Justia Dockets — In re Keffer Development Services, LLC, Data Security Breach Litigation, MDL No. 3159: Justia Docket (MDL 3159)
• U.S. Department of Justice (E.D. Mich.) — press release on the indictment (breach scope, charges): DOJ Press Release
• NBC News — reporting on the athlete data breach and charges: NBC News Coverage


For more class actions keep scrolling below.
Status MDL Consolidated — In Litigation (no settlement)
Case In re Keffer Development Services, LLC, Data Security Breach Litigation
MDL Number MDL No. 3159
Court U.S. District Court, E.D. Mich. · Judge Mark A. Goldsmith
Consolidated August 8, 2025 · 12 actions
Related Separate federal criminal case (E.D. Mich.) — charges only

Related Data Breach Cases & Settlements