Hy-Vee Hit with Class Action Lawsuit Over July 2019 Data Breach [UPDATE]
Last Updated on August 19, 2021
Perdue et al. v. Hy-Vee, Inc.
Filed: October 15, 2019 § 1:19-cv-01330
Hy-Vee faces a class action lawsuit over a data breach that allegedly exposed the credit and debit card information of millions of customers.
Case Updates
August 19, 2021 – Judge Gives Final Approval to Hy-Vee Data Breach Settlement
A settlement aiming to resolve the claims detailed on this page has received a judge’s final approval following a fairness hearing on July 19.
In an order issued July 21, U.S. District Judge Michael Mihm found that the proposed deal and adjusted attorneys’ fees were “fair, reasonable, and adequate.”
According to court documents, Judge Mihm had initially expressed concerns about the amount of attorneys’ fees being sought, noting that the requested sum of roughly $1.1 million exceeded the expected payout to those covered by the settlement. After the plaintiffs’ counsel submitted “detailed bills” recording the time they spent on the case, however, Judge Mihm approved their reduced request of $739,000 in costs and fees, the order states.
The settlement, for which nearly 6,000 consumers have filed claims, covers anyone in the U.S. who used a payment card to make a purchase at an affected Hy-Vee point-of-sale device during the security incident discussed on this page. The deal provides up to $225 for those who incurred “ordinary expenses” as a result of the breach (e.g., late fees) and up to $5,000 for “extraordinary expenses.”
Hy-Vee has also agreed to implement security upgrades estimated to cost over $20 million.
Though the deadline to submit a claim for the settlement has already passed, any questions regarding the deal can be directed to the settlement administrator through the official settlement website.
January 25, 2021 – Settlement Granted Preliminary Approval
The judge overseeing the case detailed on this page has preliminarily approved a settlement, giving attorneys for the plaintiffs the go-ahead to start sending out notices to consumers.
Under the terms of the settlement, those affected by the July 2019 Hy-Vee data breach will be able to file claims for cash payments of up to $225 for out-of-pocket expenses that occurred as a result of the breach (e.g., overdraft fees, fees charged by the bank for replacement cards and credit monitoring costs) and documented lost time (e.g., time spent on the phone resolving fraudulent charges or getting new cards). They may also claim up to $5,000 for “extraordinary expenses,” which may include fraudulent charges that were not reimbursed or other unreimbursed expenses that do not fall under the “ordinary expenses” categories.
The settlement will cover anyone in the U.S. who used a payment card to make a purchase at an affected Hy-Vee location during the time of the security incident. Once live, the settlement website will have a list of affected locations and timeframes.
The deadline for filing a claim is June 22, 2021, and the deadline to opt out of the settlement is May 24, 2021.
Class members, or those who fall into the previously defined group, should begin receiving notices with more information and an attached claim form. Alternatively, those affected can also submit claim forms online through the settlement website once it becomes live.
Payments to class members will be issued only after the settlement receives final approval at a hearing scheduled for July 19, 2021.
The Hy-Vee chain of grocery stores and gas stations across the Midwest is the focus of a proposed class action lawsuit filed over a months-long data breach that allegedly exposed the credit and debit card information of millions of consumers. The suit charges that Hy-Vee’s failure to implement adequate data security measures, as well as what the plaintiffs call its apparent “cavalier approach” to safeguarding customer information, is to blame for the incident.
Filed in Illinois district court, the 39-page complaint begins by taking issue with the “Notice of Payment Card Data Incident” posted on defendant Hy-Vee, Inc.’s website. The lawsuit stresses that the initial notice contained very few details about the data breach itself and provided little insight into what actually happened. According to the case, Hy-Vee first posted the notice on August 14, 2019, yet otherwise kept quiet about the incident for two months, reportedly believing it was best to conclude an internal investigation into the data breach before providing affected customers with details.
On October 3, 2019, nearly two months after announcing the breach, Hy-Vee, the lawsuit says, finally shared additional information with consumers. The company reportedly revealed that the breach, which exposed credit and debit card numbers, cardholder names and card expiration dates, affected different parts of its businesses for different lengths of time. According to the case, the window in which Hy-Vee fuel pump customers’ information was exposed lasted from December 14, 2018 to July 29, 2019, and restaurant and coffee shop customers’ data was exposed from January 15 through July 29, 2019. The suit adds that for some Hy-Vee restaurants, the breach began as early as November 9, 2018, with one location’s systems exposed through August 2, 2019.
As the plaintiffs tell it, Hy-Vee’s less-than-fortified approach to data security in the face of myriad large data breaches in recent years contributed substantially to the exposure of customers’ sensitive payment information. According to the case, Hy-Vee’s fuel pumps, drive-thru coffee shops and restaurants did not utilize card encryption technology at the time of the breach.
“Despite the well-publicized and ever-growing threat of security breaches involving payment card networks and systems, and despite the fact that these types of data breaches were and are occurring throughout the restaurant and retail industries, Hy-Vee failed to ensure that it maintained adequate data security measures causing customer Card Information to be stolen,” the complaint states, adding that despite the incident, Hy-Vee’s grocery store checkout lanes, pharmacies and convenience stores reportedly utilized card encryption technology during the time frame of the breach and are believed to not have been affected.
The lawsuit goes on to charge that while Hy-Vee has not confirmed the number of cards compromised in the breach, noted cybersecurity expert Krebs On Security reported that the sensitive information of more than 5.3 million new accounts belonging to cardholders from 35 states was “placed on the dark web for sale to fraudsters.”