Advertisement

Federal judge rejects Hy-Vee’s attempt to dismiss class action lawsuit over its months-long data breach


Hy-Vee Gas, 1103 N Dodge St, Iowa City. — Emma McClatchey/Little Village

On Monday, a federal judge in Illinois rejected a request by Hy-Vee to dismiss a class action lawsuit filed by customers who had their credit and debit card information stolen during a massive data breach at some of the company’s stores.

Judge Michael Mihm did dismiss three of the claims made by the plaintiffs — negligence, unjust enrichment and a claim related to third-party contracts — but found they did have viable claims that Hy-Vee had violated an implied contract with customers to take reasonable measures to safeguard consumer payment information, failed to notify customers of the data breach in a timely manner and may have violated certain consumer fraud laws.

The case can now proceed to discovery, the pre-trial phase in which the plaintiffs’ attorneys will be able to question company officials and request documents related to the months-long data breach.

On Aug. 14, 2019, Hy-Vee issued a press release announcing it had discovered a data breach that affected customers who used debit and credit cards at its fuel pumps, drive-thru coffee shops and restaurants (Market Grilles, Market Grille Expresses and its Wahlburgers locations). No purchases at “our grocery stores, drugstores and inside our convenience stores” were at risk, the company explained, because those sales are processed using a different, more secure system.

Locations in all eight Midwestern states where the chain has its more than 240 stores were affected by the breach, which lasted between seven to eight months. Information from more than 5.3 million debit and credit cards was stolen during the data breach.

The stolen debit and credit card information was later reported to be on sale at Joker’s Stash, a site that traffics in stolen card data.

In October, two Hy-Vee customers who had their data stolen — one a resident of Illinois, the other a resident of Missouri — filed a class action lawsuit against Hy-Vee over the data breach. The following month, two Iowans were added as plaintiffs in the lawsuit.

According to a database of sites involved in the data breach, posted by the company, Hy-Vee locations in 41 Iowa cities were infected with the data-stealing malware, including locations in Iowa City, Coralville, Cedar Rapids and Marion.


[gravityform id="17" title="false" description="false" ajax="true"]
<div class='gf_browser_unknown gform_wrapper your-village-form_wrapper' id='gform_wrapper_17' ><a id='gf_17' class='gform_anchor' ></a><form method='post' enctype='multipart/form-data' target='gform_ajax_frame_17' id='gform_17' class='your-village-form' action='/federal-judge-rejects-hy-vees-attempt-to-dismiss-class-action-lawsuit-over-its-months-long-data-breach/#gf_17'> <div class='gform_body'><ul id='gform_fields_17' class='gform_fields top_label form_sublabel_below description_below'><li id='field_17_7' class='gfield gfield_html gfield_html_formatted gfield_no_follows_desc field_sublabel_below field_description_below gfield_visibility_visible' ><h3 style="font-weight:800; font-size:34px;">Let's get started</h3> <p style="font-size:18px;">Fill out this form and we'll contact you with information about marketing with Little Village!</p></li><li id='field_17_4' class='gfield field_sublabel_below field_description_below gfield_visibility_visible' ><label class='gfield_label gfield_label_before_complex' for='input_17_4_3' ></label><div class='ginput_complex ginput_container no_prefix has_first_name no_middle_name has_last_name no_suffix gf_name_has_2 ginput_container_name gfield_trigger_change' id='input_17_4'> <span id='input_17_4_3_container' class='name_first' > <input type='text' name='input_4.3' id='input_17_4_3' value='' aria-label='First name' tabindex='2' aria-invalid="false" placeholder='First name'/> <label for='input_17_4_3' >First</label> </span> <span id='input_17_4_6_container' class='name_last' > <input type='text' name='input_4.6' id='input_17_4_6' value='' aria-label='Last name' tabindex='4' aria-invalid="false" placeholder='Last name'/> <label for='input_17_4_6' >Last</label> </span> </div></li><li id='field_17_5' class='gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible' ><label class='gfield_label' for='input_17_5' ><span class='gfield_required'>*</span></label><div class='ginput_container ginput_container_text'><input name='input_5' id='input_17_5' type='text' value='' class='large' tabindex='6' placeholder='Company name' aria-required="true" aria-invalid="false" /></div></li><li id='field_17_3' class='gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible' ><label class='gfield_label' for='input_17_3' ><span class='gfield_required'>*</span></label><div class='ginput_container ginput_container_email'> <input name='input_3' id='input_17_3' type='text' value='' class='large' tabindex='7' placeholder='Your email address' aria-required="true" aria-invalid="false"/> </div></li><li id='field_17_8' class='gfield gform_validation_container field_sublabel_below field_description_below gfield_visibility_' ><label class='gfield_label' for='input_17_8' >Name</label><div class='ginput_container'><input name='input_8' id='input_17_8' type='text' value='' /></div><div class='gfield_description'>This field is for validation purposes and should be left unchanged.</div></li> </ul></div> <div class='gform_footer top_label'> <input type='submit' id='gform_submit_button_17' class='gform_button button' value='SUBMIT' tabindex='8' onclick='if(window["gf_submitting_17"]){return false;} window["gf_submitting_17"]=true; ' onkeypress='if( event.keyCode == 13 ){ if(window["gf_submitting_17"]){return false;} window["gf_submitting_17"]=true; jQuery("#gform_17").trigger("submit",[true]); }' /> <input type='hidden' name='gform_ajax' value='form_id=17&amp;title=&amp;description=&amp;tabindex=1' /> <input type='hidden' class='gform_hidden' name='is_submit_17' value='1' /> <input type='hidden' class='gform_hidden' name='gform_submit' value='17' /> <input type='hidden' class='gform_hidden' name='gform_unique_id' value='' /> <input type='hidden' class='gform_hidden' name='state_17' value='WyJbXSIsIjlmNzc1YTEyZmZjNmYyODk5Mzk0NDM3ZjRlOGYyZDNmIl0=' /> <input type='hidden' class='gform_hidden' name='gform_target_page_number_17' id='gform_target_page_number_17' value='0' /> <input type='hidden' class='gform_hidden' name='gform_source_page_number_17' id='gform_source_page_number_17' value='1' /> <input type='hidden' name='gform_field_values' value='' /> </div> <p style="display: none !important;"><label>&#916;<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js_1" name="ak_js" value="133"/><script>document.getElementById( "ak_js_1" ).setAttribute( "value", ( new Date() ).getTime() );</script></p></form> </div> <iframe style='display:none;width:0px;height:0px;' src='about:blank' name='gform_ajax_frame_17' id='gform_ajax_frame_17'>This iframe contains the logic required to handle Ajax powered Gravity Forms.</iframe> <script type='text/javascript'>jQuery(document).ready(function($){gformInitSpinner( 17, 'https://littlevillagemag.com/wp-content/plugins/gravityforms-asdf111aasdfffs-nope/images/spinner.gif' );jQuery('#gform_ajax_frame_17').load( function(){var contents = jQuery(this).contents().find('*').html();var is_postback = contents.indexOf('GF_AJAX_POSTBACK') >= 0;if(!is_postback){return;}var form_content = jQuery(this).contents().find('#gform_wrapper_17');var is_confirmation = jQuery(this).contents().find('#gform_confirmation_wrapper_17').length > 0;var is_redirect = contents.indexOf('gformRedirect(){') >= 0;var is_form = form_content.length > 0 && ! is_redirect && ! is_confirmation;if(is_form){jQuery('#gform_wrapper_17').html(form_content.html());if(form_content.hasClass('gform_validation_error')){jQuery('#gform_wrapper_17').addClass('gform_validation_error');} else {jQuery('#gform_wrapper_17').removeClass('gform_validation_error');}setTimeout( function() { /* delay the scroll by 50 milliseconds to fix a bug in chrome */ jQuery(document).scrollTop(jQuery('#gform_wrapper_17').offset().top); }, 50 );if(window['gformInitDatepicker']) {gformInitDatepicker();}if(window['gformInitPriceFields']) {gformInitPriceFields();}var current_page = jQuery('#gform_source_page_number_17').val();gformInitSpinner( 17, 'https://littlevillagemag.com/wp-content/plugins/gravityforms-asdf111aasdfffs-nope/images/spinner.gif' );jQuery(document).trigger('gform_page_loaded', [17, current_page]);window['gf_submitting_17'] = false;}else if(!is_redirect){var confirmation_content = jQuery(this).contents().find('.GF_AJAX_POSTBACK').html();if(!confirmation_content){confirmation_content = contents;}setTimeout(function(){jQuery('#gform_wrapper_17').replaceWith(confirmation_content);jQuery(document).scrollTop(jQuery('#gf_17').offset().top);jQuery(document).trigger('gform_confirmation_loaded', [17]);window['gf_submitting_17'] = false;}, 50);}else{jQuery('#gform_17').append(contents);if(window['gformRedirect']) {gformRedirect();}}jQuery(document).trigger('gform_post_render', [17, current_page]);} );} );</script><script type='text/javascript'> if(typeof gf_global == 'undefined') var gf_global = {"gf_currency_config":{"name":"U.S. Dollar","symbol_left":"$","symbol_right":"","symbol_padding":"","thousand_separator":",","decimal_separator":".","decimals":2},"base_url":"https:\/\/littlevillagemag.com\/wp-content\/plugins\/gravityforms-asdf111aasdfffs-nope","number_formats":[],"spinnerUrl":"https:\/\/littlevillagemag.com\/wp-content\/plugins\/gravityforms-asdf111aasdfffs-nope\/images\/spinner.gif"};jQuery(document).bind('gform_post_render', function(event, formId, currentPage){if(formId == 17) {if(typeof Placeholders != 'undefined'){ Placeholders.enable(); }} } );jQuery(document).bind('gform_post_conditional_logic', function(event, formId, fields, isInit){} );</script><script type='text/javascript'> jQuery(document).ready(function(){jQuery(document).trigger('gform_post_render', [17, 1]) } ); </script>