Federal judge rejects Hy-Vee’s attempt to dismiss class action lawsuit over its months-long data breach

Hy-Vee Gas, 1103 N Dodge St, Iowa City. — Emma McClatchey/Little Village

On Monday, a federal judge in Illinois rejected a request by Hy-Vee to dismiss a class action lawsuit filed by customers who had their credit and debit card information stolen during a massive data breach at some of the company’s stores.

Judge Michael Mihm did dismiss three of the claims made by the plaintiffs — negligence, unjust enrichment and a claim related to third-party contracts — but found they did have viable claims that Hy-Vee had violated an implied contract with customers to take reasonable measures to safeguard consumer payment information, failed to notify customers of the data breach in a timely manner and may have violated certain consumer fraud laws.

The case can now proceed to discovery, the pre-trial phase in which the plaintiffs’ attorneys will be able to question company officials and request documents related to the months-long data breach.

On Aug. 14, 2019, Hy-Vee issued a press release announcing it had discovered a data breach that affected customers who used debit and credit cards at its fuel pumps, drive-thru coffee shops and restaurants (Market Grilles, Market Grille Expresses and its Wahlburgers locations). No purchases at “our grocery stores, drugstores and inside our convenience stores” were at risk, the company explained, because those sales are processed using a different, more secure system.

Locations in all eight Midwestern states where the chain has its more than 240 stores were affected by the breach, which lasted between seven to eight months. Information from more than 5.3 million debit and credit cards was stolen during the data breach.

The stolen debit and credit card information was later reported to be on sale at Joker’s Stash, a site that traffics in stolen card data.

In October, two Hy-Vee customers who had their data stolen — one a resident of Illinois, the other a resident of Missouri — filed a class action lawsuit against Hy-Vee over the data breach. The following month, two Iowans were added as plaintiffs in the lawsuit.

According to a database of sites involved in the data breach, posted by the company, Hy-Vee locations in 41 Iowa cities were infected with the data-stealing malware, including locations in Iowa City, Coralville, Cedar Rapids and Marion.

Thoughts? Tips? A cute picture of a dog? Share them with LV »



Summer Programs 2020

Get 150+ local restaurants delivered to your door in the Iowa City & Cedar Rapids areas!

Don’t let other people’s opinions win.

Vote for your favorite people, places and events in the Iowa City-Cedar Rapids area! In a time when local businesses need our support more than ever, your vote will send a little love to the places that make our community special. And don’t forget to tell us why—the best comments will be published in our December Best of the CRANDIC 2021 issue! Voting ends September 30.

Read the Best of the CRANDIC issue, on stands now

The Future is Unwritten

You look to Little Village for today’s stories. Your sustaining support will help us write tomorrow’s.


$10/mo or $120/year
The cost of doing this work really adds up! Your contribution at this level will cover telephone and internet expenses for one month at the LV editorial offices.


$20/mo or $240/year
$240 is enough to cover one month’s costs for sending out our weekly entertainment newsletter, The Weekender. Make a contribution at this level to put a little more oomph on your support and your weekend.


$30/mo or $360/year
(AUTO-RENEW) connects eastern Iowa culture with the world. Your contribution at this level will cover the site’s hosting costs for three months. A bold move for our boldest supporters!

All monthly and annual contributors receive:

  • Recognition on our Supporters page (aliases welcome)
  • Exclusive early access when we release new half-price gift cards
  • Access to a secret Facebook group where you can connect with other supporters and discuss the latest news and upcoming events (and maybe swap pet pics?) with the LV staff
  • Invitations to periodic publisher chats (held virtually for now) to meet with Matt and give him a piece of your mind, ask your burning questions and hear more about the future plans for Little Village, Bread & Butter Magazine, Witching Hour Festival and our other endeavors.