Data breach lawsuit advances against Hy-Vee

A federal judge has ordered a majority of claims brought against grocery chain Hy-Vee, made under an ongoing class-action lawsuit in connection with a cyber breach that compromised payment card data at numerous locations in eight states, can proceed.

In a Monday order, federal Judge Michael Mihm of the U.S. District Court for the Central District of Illinois rejected six claims in the lawsuit initially filed against the West Des Moines-based grocer in October.

The lawsuit alleges Hy-Vee failed to protect card data at its fuel pump, drive-through coffee shop and restaurant locations; waited seven weeks before sharing more information; and did not offer card monitoring services or fraud insurance.

The dismissed claims against Hy-Vee included counts of negligence, unjust enrichment and breach of third-party contract, plus alleged violations of some state statutes involving consumer fraud and data breach notification.

Hy-Vee said in August it had detected unauthorized activity at some of its payment processing systems, found to date back up to nine months at some locations.

The carding bazaar Joker's Stash reportedly listed Hy-Vee data from more than 5.3 million card accounts in 35 states for sale online, wrote Brian Krebs on his news website Krebs on Security.

A Hy-Vee spokeswoman declined to comment on the new case order, citing pending litigation.

Comments: (319) 398-8366; thomas.friestad@thegazette.com