Hy-Vee agrees to settle the class action lawsuit over its months-long data breach

Hy-Vee Gas, 1103 N Dodge St, Iowa City. — Emma McClatchey/Little Village

Hy-Vee has reached a preliminary settlement agreement in the class action lawsuit filed by customers who had their credit and debit card information stolen during a massive data breach at some of the company’s stores in 2018 and 2019.

According to papers filed in an Illinois federal court on Tuesday, the company began negotiating the proposed settlement deal with the plaintiffs’ attorneys after a judge refused to dismiss the lawsuit in April 2020. The next step in the lawsuit would have been the discovery phase, during which company officials would have been compelled to testify about the data breach under oath and produce documents related to it.

On Aug. 14, 2019, Hy-Vee issued a press release announcing it had discovered a data breach that affected customers who used debit and credit cards at its fuel pumps, drive-thru coffee shops and restaurants (Market Grilles, Market Grille Expresses and its Wahlburgers locations). No purchases at “our grocery stores, drugstores and inside our convenience stores” were at risk, the company explained, because those sales are processed using a different, more secure system.

Locations in all eight Midwestern states where the chain has its more than 240 stores were affected by the breach, which lasted between seven and eight months, starting in December 2018 at some locations. Information from more than 5.3 million debit and credit cards was stolen during the data breach.

The stolen debit and credit card information was later reported to be on sale at Joker’s Stash, a site that traffics in stolen card data.

In October, two Hy-Vee customers who had their data stolen — one a resident of Illinois, the other a resident of Missouri — filed a class action lawsuit against Hy-Vee over the data breach. The following month, two Iowans were added as plaintiffs in the lawsuit.

According to a database of sites involved in the data breach, posted by the company, Hy-Vee locations in 41 Iowa cities were infected with the data-stealing malware, including locations in Iowa City, Coralville, Cedar Rapids and Marion.

If the court approves the settlement deal, people “residing in the United States who used a payment card to make a purchase at an affected Hy-Vee point-of-sale device during the Security Incident” will be eligible for a reimbursement of up to $225 “for the following categories of potential expenses incurred as a result of the Data Breach.”

• reimbursement of up to three (3) hours of documented lost time (at $20 per hour) spent dealing with replacement card issues or in reversing fraudulent charges (only if at least one full hour was spent and if it can be documented with reasonable specificity);

• an additional $20 payment for each credit or debit card on which documented fraudulent charges were incurred that were later reimbursed;

• unreimbursed bank fees, card reissuance fees, overdraft fees, late fees, charges related to unavailability of funds, and over-limit fees;

• long distance telephone charges, postage, cell minutes (if charged by the minute), text messages (if charged by the message), and Internet usage charges (if charged by the minute or by the amount of data usage);

• unreimbursed charges from banks or credit card companies;

• interest on payday loans due to card cancelation or due to over-limit situation;

• costs of credit report(s); and

• costs of credit monitoring and identity theft protection

Some people “who experienced extraordinary expenses will be eligible for reimbursement in the amount up to $5,000 per claim.” The 11 people listed as plaintiffs in the lawsuit will also receive “incentive awards” of $2,000 each.

The plaintiffs’ attorneys are seeking $727,000 in fees, “a number that the parties agreed upon with the assistance of the mediator through a mediator’s proposal,” according to the legal memorandum on the settlement filed Tuesday. Hy-Vee is also expected to pay $12,000 to cover the attorneys’ expenses.

In addition to agreeing to these payments, Hy-Vee agrees as part of the settlement to take “certain measures to increase its data security and consumer information protection procedures for a period of two years.”

These measures include: appointment of a Group Vice President, IT Security; maintenance of a written information security program; employee training on data security policies and detecting/handling suspicious emails; maintenance of a policy for responding to information security events; compliance with [current payment card industry data security] standards; and requiring third-party vendors to use multi-factor authentication to access Hy-Vee’s payment card environment.

If the proposed settlement is approved by the federal judge overseeing the case, anyone affected by the data breach will have 120 days following public notice of that approval to file a claim through a website the plaintiffs’ attorneys will create.
