BALMER, J.
The issue in this case is whether a healthcare provider can be liable in damages when the provider's negligence permitted the theft of its patients' personal information, but the information was never used or viewed by the thief or any other person. Plaintiffs claimed economic and noneconomic damages for financial injury and emotional distress that they allegedly suffered when, through defendant's alleged negligence, computer disks and tapes containing personal information from an estimated 365,000 patients (including plaintiffs) were stolen from the car of one of defendant's employees. The trial court and Court of Appeals held that plaintiffs had failed to state claims for negligence or for
We take the facts from plaintiffs' third amended complaint. When reviewing a trial court order granting a motion to dismiss, we accept as true all well-pleaded facts in the complaint. Bailey v. Lewis Farm, Inc., 343 Or. 276, 278, 171 P.3d 336 (2007). The named plaintiffs were patients of defendant, a nonprofit corporation that provides health care. An employee of defendant left computer disks and tapes containing records of 365,000 patients in a car; the disks and tapes were subsequently stolen on or about December 30-31, 2005. The records included names, addresses, phone numbers, Social Security numbers, and patient care information. Defendant notified all individuals whose information was contained on the disks and tapes and advised them to take precautions to protect themselves against identify theft.
Plaintiffs filed this class action on behalf of themselves and other individuals whose records had been stolen. Plaintiffs asserted common law negligence and negligence per se claims, alleging that defendant's conduct had caused them financial injury in the form of past and future costs of credit monitoring, maintaining fraud alerts, and notifying various government agencies regarding the theft, as well as possible future costs related to identity theft.
Defendant filed a motion to dismiss plaintiffs' complaint for failure to state ultimate facts sufficient to constitute a claim for relief. The trial court granted defendant's motion, holding that the damages plaintiffs alleged were not compensable under Lowe v. Philip Morris USA, Inc., 207 Or.App. 532, 142 P.3d 1079 (2006), aff'd, 344 Or. 403, 183 P.3d 181 (2008),
Plaintiffs appealed, and the Court of Appeals affirmed. That court began by analyzing whether plaintiffs had stated a negligence claim for economic damages. To recover damages for purely economic harm, liability "`must be predicated on some duty of the negligent actor to the injured party beyond the common law duty to exercise reasonable care to prevent foreseeable
The Court of Appeals then turned to plaintiffs' claim for damages for emotional distress. A plaintiff may recover damages for emotional distress, in the absence of physical injury, "where the defendant's conduct infringed on some legally protected interest apart from causing the claimed distress, even when that conduct was only negligent." Hammond v. Central Lane Communications Center, 312 Or. 17, 23, 816 P.2d 593 (1991). As with plaintiffs' claim for economic damages, the Court of Appeals held that plaintiffs had failed to identify a special relationship between the parties that could give rise to a duty of care to avoid emotional harm to plaintiffs. Paul, 237 Or. App. at 597, 240 P.3d 1110. The court distinguished those cases where a plaintiff recovered emotional distress damages in the absence of a special relationship, because those cases involved an "affirmative" breach of a duty of confidentiality. In the absence of an affirmative breach or a special relationship, the court held that plaintiffs had not stated a claim for emotional distress. Id. at 600, 240 P.3d 1110.
Regarding plaintiffs' claim under the UTPA, the Court of Appeals held that the only financial harm identified by plaintiffs in their complaint—the out-of-pocket expenses incurred to prevent identity theft—was not an "ascertainable loss" under the UTPA. Id. at 604, 240 P.3d 1110. That was so because the money that plaintiffs had spent was "to prevent a potential loss" (e.g., financial injury caused by future identity theft) that "might result from the misrepresentations," but was not itself an ascertainable loss caused by defendant. Id. (emphasis in original).
We begin with plaintiffs' claim for common law negligence. As we recently stated in Lowe, "Not all negligently inflicted harms give rise to a negligence claim." 344 Or. at 410, 183 P.3d 181. Rather, to recover in negligence, a plaintiff must suffer harm "to an interest of a kind that the law protects against negligent invasion." Solberg v. Johnson, 306 Or. 484, 490, 760 P.2d 867 (1988). Plaintiffs, in their third amended complaint, describe their injury as follows:
(Emphasis added.) Thus, plaintiffs allege that defendant's negligence created the risk of future identify theft, and they seek economic damages for the past and future expense of credit monitoring services and related expenditures made to address the risk of identity theft. They also allege that the increased risk of future identify theft has caused them present and future emotional distress, and they seek damages for that noneconomic injury. Although plaintiffs allege that an unknown person stole digital records containing plaintiffs' information
Under the economic loss doctrine, "[O]ne ordinarily is not liable for negligently causing a stranger's purely economic loss without injuring his person or property." Hale v. Groce, 304 Or. 281, 284, 744 P.2d 1289 (1987).
Plaintiffs argue that they are patients of defendant, a health care provider, and that that relationship imposes on defendant a duty to protect them against economic loss. They also point to state and federal statutes that require health care providers to protect patient information and assert that those statutes impose a duty or standard of care on defendant that provides a basis for plaintiffs to seek economic damages in a negligence action. Defendants respond that neither the nature of the relationship between plaintiffs and defendant nor the statutes that plaintiffs cite establish the heightened duty of care that would provide a basis for a negligence action to recover economic damages for defendant's failure to protect plaintiffs' personal information. As noted, the Court of Appeals agreed with defendant. See Paul, 237 Or.App. at 592-93, 240 P.3d 1110.
We need not resolve the dispute between the parties as to whether common law tort principles or statutes concerning the protection of patient information provide a basis for plaintiffs' claims for economic damages. Assuming, without deciding, that defendant owed a duty to protect plaintiffs against economic losses, we nevertheless conclude, for the reasons that follow, that plaintiffs' allegations here are insufficient because plaintiffs do not allege actual, present injury caused by defendant's conduct.
To the extent that plaintiffs seek damages for future harm to their credit or financial well-being, Lowe forecloses such a claim because "`the threat of future harm, by itself, is insufficient as an allegation of damage in the context of a negligence claim,'" 344 Or. at 410, 183 P.3d 181 (quoting Zehr v. Haugen, 318 Or. 647, 656, 871 P.2d 1006 (1994)). Plaintiffs argue, however, that they should be able to recover as economic damages the past and present expenses (such as the cost of credit monitoring) that they have incurred to protect themselves from the risk of future economic harm. Defendant and amici respond that, in Lowe, this court stated that it was unwilling to "overul[e] Oregon's well-established negligence requirements" to require a defendant whose conduct increased
As this court stated in Lowe, "the fact that a defendant's negligence poses a threat of future physical harm is not sufficient, standing alone, to constitute an actionable injury." 344 Or. at 410, 183 P.3d 181. We then quoted Prosser and Keeton's comment that, as the law of negligence developed, "`it retained the rule that proof of damage was an essential part of the plaintiff's case'" and that "`[n]ominal damages, to vindicate a technical right, cannot be recovered in a negligence action, where no actual loss has occurred.'" Id. (quoting W. Page Keeton, Prosser and Keeton on the Law of Torts § 30, 165 (5th ed 1984)). In Lowe, we applied that rule in rejecting a claim for medical monitoring expenses when the plaintiff had suffered no present physical harm.
Although plaintiffs are correct that this case is factually distinguishable from Lowe because of the relationship between plaintiffs and defendant here, they are incorrect in arguing that Lowe stands for the proposition that, had there been such a relationship in that case, this court would have permitted recovery for monitoring expenses, notwithstanding the absence of some present harm to plaintiffs. As we said in Lowe, "Under Oregon Steel Mills and a long line of this court's cases, the present economic harm that defendants' actions allegedly have caused—the cost of medical monitoring—is not sufficient to give rise to a negligence claim." 344 Or. at 414, 183 P.3d 181. That rule applies whether or not there is a "relationship" between the plaintiff and the defendant. If there is no relationship between the parties—or other source of a duty on the part of the defendant to protect the plaintiff against economic loss—a plaintiff cannot recover economic losses caused by the defendant's negligence. Onita, 315 Or. at 159, 843 P.2d 890. But even if such a duty has been alleged, Lowe indicates that the cost of monitoring to protect against an increased risk of harm—in the absence of present injury—is not recoverable in a negligence action. Lowe's citation of Oregon Steel Mills in the sentence quoted above supports defendant's position that monitoring expenses to mitigate possible future harm are not recoverable, even when there is a relationship between the parties that might provide a basis for recovering actual economic damages caused by a present injury. It follows, in our view, that the cost of credit monitoring that results, not from any "present economic harm" (to borrow the phrase from Lowe) to plaintiffs, but rather from the risk of possible future harm, also is insufficient to state a negligence claim.
That conclusion is similar to those reached by other courts that have considered claims for credit monitoring damages in the absence of present identity theft or other harm. In Pisciotta v. Old Nat. Bancorp, 499 F.3d 629 (7th Cir.2007), the court rejected negligence claims for credit monitoring by a bank's customers whose personal information had been accessed by a computer "hacker." The court noted that Indiana cases had rejected medical monitoring damages based on "exposure to a future potential harm" and had required instead "an actual exposure-related illness or disease." 499 F.3d at 639. It concluded that a similar distinction between "exposure" to future harm and actual harm should apply in the credit monitoring context. The court also observed that even states that had allowed damages in medical monitoring negligence cases "have expressed doubt that credit monitoring also should be compensable." Id. at 638 n. 10. Every court that has addressed damage claims for credit monitoring following the theft of computer records containing personal information—but no wrongful use of that information—has reached a similar conclusion. See Reilly v. Ceridian Corp., 664 F.3d 38, 46 (3d Cir.2011) (increased risk of identity theft did not establish injury-in-fact for purposes of seeking credit monitoring expenses or other relief); Forbes v. Wells Fargo Bank, N.A., 420 F.Supp.2d 1018, 1021 (D.Minn.2006) (credit monitoring expenses are "not the result of any present injury, but rather anticipation of future injury that has not yet materialized"); Ruiz v. Gap, Inc., 622 F.Supp.2d 908, 918
In contrast to those cases are several decisions that have allowed at least some damage claims when stolen personal information actually has been used to perpetrate identify theft, causing individuals present financial injury. Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir.2011), is illustrative. There, the First Circuit, applying Maine law, permitted certain claims by credit card holders against the defendant, a processor of credit card payments whose system had been hacked by third parties. The court distinguished the cases cited above (and many similar decisions) because those cases—like plaintiffs' case here—alleged no actual use of any of the plaintiffs' personal information:
659 F.3d at 164.
Here, plaintiffs have alleged no actual identity theft or financial harm, other than credit monitoring and similar mitigation costs. Plaintiffs have not offered a cogent basis "for overruling Oregon's well-established negligence requirements," Lowe, 344 Or. at 415, 183 P.3d 181, which require the allegation of such present injury. We therefore reach the same conclusion with respect to credit monitoring, when there has been no present injury to credit or financial interest, as we did in Lowe regarding medical monitoring when there was no present injury: "[N]egligent conduct that results only in a significantly increased risk of future injury that requires * * * monitoring does not give rise to a claim for negligence." Id. at 415, 183 P.3d 181.
Plaintiffs also seek damages for what they describe as "worry and emotional distress associated with the initial disclosure and the risk of any future subsequent identity theft." This court consistently has rejected claims for emotional distress damages caused by a defendant's negligence, in the absence of any physical injury. Hammond, 312 Or. at 23-24, 816 P.2d 593. We have, however, allowed claims for emotional distress damages in three situations, as summarized in Hammond: (1) "where the defendant intended to inflict severe emotional distress," id. at 22, 816 P.2d 593; (2) "where the defendant intended to do the painful act with knowledge that it will cause grave distress, when the defendant's position in relation to the plaintiff involves some responsibility aside from the tort itself," id.; and (3) "where the defendant's conduct infringed on some legally protected interest apart from causing the claimed distress, even when that conduct was only negligent," id. at 23, 816 P.2d 593. Here, it is undisputed that defendant did not intend to inflict distress on plaintiffs or to have its property stolen. Plaintiffs therefore argue that defendant's negligence infringed a "legally protected interest" of plaintiffs. We turn to that issue.
Plaintiffs identify several sources of their claimed "legally protected interest." They note that the physician-patient relationship gives rise to a duty by the physician to keep the patient's medical records confidential. See Humphers v. First Interstate Bank, 298 Or. 706, 720, 696 P.2d 527 (1985) (identifying such a right).
Defendant responds that, even in the context of a physician-patient relationship, a physician does not have a general duty to guard against emotional harm. See Curtis v. MRI Imaging Services II, 327 Or. 9, 15-16, 956 P.2d 960 (1998) (so holding). Only if the physician is subject to a specific standard of care "to guard against recognized medical risks that happen to be psychological in nature," may that physician be liable for emotional distress in a negligence action. Id. at 15, 956 P.2d 960 (emphasis omitted); see also Rathgeber v. James Hemenway, Inc., 335 Or. 404, 418, 69 P.3d 710 (2003) ("It is always foreseeable that some emotional harm might result from the negligent performance of * * * professional services * * *. That possibility, however, cannot give rise to emotional distress damages unless a standard of care that includes the duty to protect a client from emotional harm governs the professional's conduct."). Defendant argues that the Court of Appeals in this case correctly held that Oregon cases do not support plaintiffs' assertion that their relationship with defendant gave rise to a duty on the part of defendant to protect them against the risk of emotional distress that might arise if their personal information was stolen as a result of defendant's negligence. See Paul, 237 Or. App. at 600, 240 P.3d 1110 (in absence of "affirmative" breach of duty of confidentiality or special relationship imposing on defendant a duty to protect plaintiffs from emotional distress, plaintiffs failed to state a negligence claim for emotional distress damages).
For reasons similar to those discussed above with respect to plaintiffs' claim for economic damages, we need not, in this case, decide whether a health care provider can be liable in negligence for the emotional distress damages of its patients that may result from the misuse of their personal information. Assuming, without deciding, that defendant does owe a duty to plaintiffs to protect them from such harm—under Oregon tort cases or derived from the health care information statutes that the parties cite—we conclude that plaintiffs' allegations of injury here are insufficient to state a claim for emotional distress damages. As we have already observed, plaintiffs' alleged emotional distress is premised entirely on the risk of future identity theft, and not on any actual identity theft or present financial harm. No case from Oregon—or, as far as we can tell, any other jurisdiction—supports the claim that plaintiffs make here.
As noted, plaintiffs allege that, because of defendant's negligence, computer disks and tapes containing their confidential information were stolen. Plaintiffs further allege that they suffered "worry and emotional distress associated with the initial disclosure and the risk of any future subsequent identity theft." Although plaintiffs argue that they suffered present, and not merely future distress, the complaint makes clear that the present distress is based not on any present harm to their credit or financial well-being, but solely on their apprehension of an increased risk of some future harm. In that respect, the claimed harm is similar to the out-of-pocket expenses that plaintiffs claimed as economic damages and that we rejected above.
The differences between the damages alleged here and the damages alleged in other negligence cases where we have recognized emotional distress claims make the point. In Nearing v. Weaver, 295 Or. 702, 707, 670 P.2d 137 (1983), for example, the plaintiff suffered emotional distress after she was confronted by her husband multiple times, in violation of a restraining order. The plaintiff had notified the police after the first violation, and the police were required by law to arrest the husband at that time, but they had failed to do so. We held that the law requiring arrest established a legal right independent of the ordinary tort elements of a negligence action and that the plaintiff could recover in negligence for emotional distress caused by defendant's violation of that right. Id. at 708-09, 670 P.2d 137. In contrast to this case, however, the plaintiff in Nearing had, in fact, been confronted by
Here, as discussed in detail above, plaintiffs do not allege—and nothing in the record suggests—that any third party ever viewed any of the personal information stolen from defendant or that any of the information was ever used for identity theft purposes or in any other manner.
We are aware of no other jurisdiction that has allowed recovery for negligent infliction of emotional distress in circumstances where the alleged distress is based solely on concern over the increased risk that a plaintiff's personal information will, at some point in the future, be viewed or used in a manner that could cause the plaintiff harm. Courts that have considered such claims have uniformly rejected them. See, e.g., Reilly, 664 F.3d at 45 (claim for emotional distress from increased risk of identity theft was not injury-in-fact); Amburgy v. Express Scripts, Inc., 671 F.Supp.2d 1046, 1055 (E.D.Mo.2009) (no recovery for damages for emotional distress caused by increased risk of future identity theft when defendant's negligence resulted in theft of patient records); Pinero v. Jackson Hewitt Tax Service., Inc., 594 F.Supp.2d 710, 716 (E.D.La.2009) (damages for fear of loss from future identify theft not recoverable); Randolph v. ING Life Ins. and Annuity Co., 973 A.2d 702, 708 (D.C.2009) (no damages recoverable for fear of identity theft).
Plaintiffs' arguments here are grounded in plausible concerns over the potential for identity theft that exists whenever personal information is stolen. State and federal statutes impose requirements that seek to address those risks, and enforcement actions under those statutes—like the enforcement action taken against defendant by the Attorney General—can help ensure compliance by those subject to such laws. However, as with plaintiffs' claim for economic damages, Oregon law does not provide a private right of action for emotional distress damages when those damages are based only on the risk of some future harm. For those reasons, we conclude that plaintiffs have
Plaintiffs also allege that defendant violated the UTPA, ORS 646.605 to 646.652. That statute allows a person to seek damages and equitable relief if the person has suffered "any ascertainable loss of money or property * * * as a result of willful use or employment by another person of a method, act or practice declared unlawful by ORS 646.608." ORS 646.638(1) (2005).
The Court of Appeals denied plaintiffs' claim because plaintiffs did not allege an "ascertainable loss of money or property," as required to recover under the UTPA:
Paul, 237 Or.App. at 603-04, 240 P.3d 1110 (emphasis in original).
As our earlier discussion of plaintiffs' negligence claim indicates, the Court of Appeals correctly characterized plaintiffs' "loss" as money that they expended to prevent or mitigate the possible future use or disclosure of their confidential information by a third party. That expenditure of money is not the kind of loss compensable under the UTPA, because the expenditure is not based on any present harm to plaintiffs' economic interests. There is no indication that the UTPA was intended to protect against such speculative losses as the risk of identity theft, and plaintiffs have presented no argument that would support such an interpretation. Accordingly, plaintiffs have not stated a claim under the UTPA for the "loss" they incurred to prevent a future harm.
The decision of the Court of Appeals and the judgment of the circuit court are affirmed.