Hy-Vee Faces 2nd Lawsuit Over Data Breach

Bridget Goldschmidt
Managing Editor
The payment processing systems at some of Hy-Vee's gas stations were affected by a recent data breach, which has now resulted in two lawsuits.

A data breach at Hy-Vee Inc. has led Kansas City resident Gordon Grewing to file a lawsuit seeking class-action status against the grocer, alleging that it acted too slowly after the breach was discovered and didn’t provide assistance to the millions of affected customers, according to a published report.

This is the second lawsuit to be filed in connection with the breach. In October, Pennsylvania law firm Chimicles Schwartz Kriner & Donaldson-Smith (CSK&D) filed a class action complaint in the U.S. District Court for the Central District of Illinois against the grocer. 

The breach occurred in Hy-Vee's payment processing systems at some of its fuel pumps, drive-through coffee shops and restaurants from November 2018 to August 2019, compromising the financial information of customers. The company has subsequently issued an update detailing its implementation of enhanced cybersecurity measures.

Grewing noted in his suit that he shopped at a Hy-Vee in Kansas City, using his CommunityAmerica Credit Union debit card at the gas pumps and Hy-Vee Market Grille, the Kansas City Business Journal reported. In July of this year, he began noticing fraudulent charges on the card, so he canceled it, received a new one and then used the replacement card to buy gas from Hy-Vee in July and August, compromising that card, too. In September, Grewing purchased a TransUnion Credit Monitoring Plan for a monthly fee of $9.95.

On Oct. 31, Grewing received a letter from Hy-Vee informing him that his debit card had been affected by the breach, but offering no financial assistance to resolve the matter.

On Nov. 12, CommunityAmerica notified Grewing that someone had tried to use his card twice to spend $517.08 on Airbnb.com in San Francisco. The credit union denied the charges. Grewing had to cancel his card again and get another replacement. On Nov. 18, he filed suit in the U.S. District Court for the Western District of Missouri.

Grewing’s suit accuses Hy-Vee of negligence, breach of implied contract, violations of the Missouri Merchandising Practices Act and unjust enrichment. It contends that the grocer waited two months to tell customers that their data was affected, placing them in greater danger, and then offered no assistance to help them deal with the issues.

“Hy-Vee knew or should have known that it had inadequate computer systems and data security practices to safeguard such information, and Hy-Vee knew or should have known that hackers would attempt or were attempting to access the personal financial information in databases such as Hy-Vee’s,” the lawsuit notes. “Hy-Vee breached the duties it owed to plaintiff and members of the class by failing to exercise reasonable care and implement adequate security systems, protocols and practices sufficient to protect the medical, financial, and personal information of plaintiff and members of the class, as identified above.”

The plaintiffs seek damages, restitution, interest and attorney fees.

Meanwhile, on Nov. 25, CSK&D, which filed the first data breach suit against Hy-Vee, filed an amended class action complaint, in which Grewing is not one of the named plaintiffs.

“According to the amended complaint,” the law firm explained on its website, “some of Hy-Vee’s gas pump, coffee shop and restaurant locations lacked industry standard encryption systems as opposed to the payment card systems utilized within its grocery store, pharmacy and convenience store locations. The data breach was an inevitable result of the company’s cavalier approach to data security amid widespread publicity about other recent data security attacks. Even though the company had disclosed its knowledge of the breach initially in August 2019, the company only reported the full extent of the breach’s [effects] in early October 2019. By then, the payment information of those affected by the breach has already been floating around the dark web for nearly two months.”

Hy-Vee has declined to comment on either case, as is its policy in regard to pending litigation.

Employee-owned Hy-Vee operates more than 260 retail stores across eight Midwestern states. The West Des Moines, Iowa-based company is No. 12 on Progressive Grocer’s 2019 Super 50 list of the top grocers in the United States.
