A new class-action lawsuit filed against Hy-Vee claims the midwestern chain’s recent data breach was the “inevitable result” of inadequate data security despite growing threats against payment card systems. Chimicles Schwartz Kriner & Donaldson-Smith LLP (CSK&D) alleges that Hy-Vee “failed to take adequate measures to assist affected customers, choosing instead to spread out information about the breach over a series of months and shifting responsibility of dealing with any potential fraud on its investors.”

The complaint is filed in the U.S. District Court for the Central District of Illinois; CSK&D has offices in Pennsylvania and Delaware.

Hy-Vee first announced the company had been affected by a payment data breach on Aug. 14; an investigation later found malware designed to access payment card data at Hy-Vee fuel pumps, drive-thru coffee shops and restaurants, with cards accessed between Nov. 9, 2018 to as late as July 29 of this year. Security researchers later claimed card account records from the Hy-Vee incident may be part of a 5.3 million payment card dump on the dark web; Hy-Vee has not confirmed any ties to the listing.