Federal judge rejects Hy-Vee’s attempt to dismiss class action lawsuit over its months-long data breach

Hy-Vee Gas, 1103 N Dodge St, Iowa City. — Emma McClatchey/Little Village

On Monday, a federal judge in Illinois rejected a request by Hy-Vee to dismiss a class action lawsuit filed by customers who had their credit and debit card information stolen during a massive data breach at some of the company’s stores.

Judge Michael Mihm did dismiss three of the claims made by the plaintiffs — negligence, unjust enrichment and a claim related to third-party contracts — but found they did have viable claims that Hy-Vee had violated an implied contract with customers to take reasonable measures to safeguard consumer payment information, failed to notify customers of the data breach in a timely manner and may have violated certain consumer fraud laws.

The case can now proceed to discovery, the pre-trial phase in which the plaintiffs’ attorneys will be able to question company officials and request documents related to the months-long data breach.

On Aug. 14, 2019, Hy-Vee issued a press release announcing it had discovered a data breach that affected customers who used debit and credit cards at its fuel pumps, drive-thru coffee shops and restaurants (Market Grilles, Market Grille Expresses and its Wahlburgers locations). No purchases at “our grocery stores, drugstores and inside our convenience stores” were at risk, the company explained, because those sales are processed using a different, more secure system.

Locations in all eight Midwestern states where the chain has its more than 240 stores were affected by the breach, which lasted between seven and eight months. Information from more than 5.3 million debit and credit cards was stolen during the data breach.

The stolen debit and credit card information was later reported to be on sale at Joker’s Stash, a site that traffics in stolen card data.

In October, two Hy-Vee customers who had their data stolen — one a resident of Illinois, the other a resident of Missouri — filed a class action lawsuit against Hy-Vee over the data breach. The following month, two Iowans were added as plaintiffs in the lawsuit.

According to a database of sites involved in the data breach, posted by the company, Hy-Vee locations in 41 Iowa cities were infected with the data-stealing malware, including locations in Iowa City, Coralville, Cedar Rapids and Marion.