Paul v. Providence Health System-Oregon

Annotate this Case
Justia Opinion Summary

The issue in this case was whether a healthcare provider could be held liable for damages when the provider's negligence permitted the theft of its patients' personal information, though the information was never used or viewed by the thief or any other person. Plaintiffs Laurie Paul and Russell Gibson (individually and on behalf of all similarly-situated individuals) claimed economic and noneconomic damages for financial injury and emotional distress that they allegedly suffered when, through Defendant Providence Health System-Oregon's alleged negligence, computer disks and tapes containing personal information from an estimated 365,000 patients (including Plaintiffs') were stolen from the car of one of Defendant’s employees. The trial court and Court of Appeals held that Plaintiffs had failed to state claims for negligence or for violation of the Unlawful Trade Practices Act (UTPA). Upon review, the Supreme Court concluded that, in the absence of allegations that the stolen information was used in any way or even was viewed by a third party, Plaintiffs did not suffer an injury that would provide a basis for a negligence claim or an action under the UTPA.

Download PDF
Filed: February 24, 2012 IN THE SUPREME COURT OF THE STATE OF OREGON LAURIE PAUL, Plaintiff, and RUSSELL GIBSON and WILLIAM WEILLER, DDS, individually and on behalf of all similarly-situated individuals, Petitioners on Review, v. PROVIDENCE HEALTH SYSTEM-OREGON, an Oregon corporation, Respondent on Review. (CC 060101059; CA A137930; SC S059131) On review from the Court of Appeals.* Argued and submitted on September 21, 2011. Maureen Leonard, Portland, argued the cause and filed the brief for petitioners on review. Gregory A. Chaimov, Davis Wright Tremaine LLP, Portland, argued the cause and filed the brief for respondent on review. With him on the brief was John F. McGrory. Before De Muniz, Chief Justice, and Durham, Balmer, Walters, Linder, and Landau, Justices.** BALMER, J. The decision of the Court of Appeals and the judgment of the circuit court are affirmed. *Appeal from Multnomah County Circuit Court. Marilyn E. Litzenberger, Judge. 237 Or App 584, 240 P3d 1110 (2010). **Kistler, J., did not participate in the consideration or decision of this case. 1 BALMER, J. 2 The issue in this case is whether a healthcare provider can be liable in 3 damages when the provider's negligence permitted the theft of its patients' personal 4 information, but the information was never used or viewed by the thief or any other 5 person. Plaintiffs claimed economic and noneconomic damages for financial injury and 6 emotional distress that they allegedly suffered when, through defendant's alleged 7 negligence, computer disks and tapes containing personal information from an estimated 8 365,000 patients (including plaintiffs) were stolen from the car of one of defendant's 9 employees. The trial court and Court of Appeals held that plaintiffs had failed to state 10 claims for negligence or for violation of the Unlawful Trade Practices Act (UTPA), ORS 11 646.605 to 646.652. Paul v. Providence Health System-Oregon, 237 Or App 584, 240 12 P3d 1110 (2010). We conclude that, in the absence of allegations that the stolen 13 information was used in any way or even was viewed by a third party, plaintiffs have not 14 suffered an injury that would provide a basis for a negligence claim or an action under the 15 UTPA. We therefore affirm, although our analysis differs in some respects from that of 16 the Court of Appeals. 17 18 I. BACKGROUND AND PROCEEDINGS BELOW We take the facts from plaintiffs' third amended complaint. When 19 reviewing a trial court order granting a motion to dismiss, we accept as true all well- 20 pleaded facts in the complaint. Bailey v. Lewis Farm, Inc., 343 Or 276, 278, 171 P3d 336 21 (2007). The named plaintiffs were patients of defendant, a nonprofit corporation that 22 provides health care. An employee of defendant left computer disks and tapes containing 1 1 records of 365,000 patients in a car; the disks and tapes were subsequently stolen on or 2 about December 30-31, 2005. The records included names, addresses, phone numbers, 3 Social Security numbers, and patient care information. Defendant notified all individuals 4 whose information was contained on the disks and tapes and advised them to take 5 precautions to protect themselves against identify theft.1 6 Plaintiffs filed this class action on behalf of themselves and other 7 individuals whose records had been stolen. Plaintiffs asserted common law negligence 8 and negligence per se claims, alleging that defendant's conduct had caused them financial 9 injury in the form of past and future costs of credit monitoring, maintaining fraud alerts, 10 and notifying various government agencies regarding the theft, as well as possible future 11 costs related to identity theft.2 Plaintiffs also alleged that they suffered noneconomic 12 damages for the emotional distress caused by the theft of the records and attendant worry 13 over possible identity theft. Plaintiffs did not allege any intentional conduct by 14 defendant. Nor did plaintiffs allege that any unauthorized person ever had accessed any 1 In 2006, defendant entered into an agreement with the Attorney General under the UTPA pursuant to which defendant agreed to contract with a credit monitoring company to provide two years of credit monitoring and restoration services to any patient who requested it, to reimburse any patient for any financial loss resulting from the misuse of credit or identity theft, and to establish a website and toll-free call center to assist patients with questions related to the theft. Under the agreement, defendant also paid the Attorney General more than $95,000. Defendant estimated the cost of the credit monitoring and other services that it agreed to provide at approximately $7 million. 2 Plaintiffs did not allege that the theft of the records was a "property loss" to them. 2 1 of the information contained on the disks and tapes, or that any plaintiff had suffered any 2 actual financial loss, credit impairment, or identity theft. In addition to their negligence 3 claims, plaintiffs alleged that defendant had violated the UTPA by representing that 4 patient data would be kept confidential when defendant knew that such data was 5 inadequately safeguarded. 6 Defendant filed a motion to dismiss plaintiffs' complaint for failure to state 7 ultimate facts sufficient to constitute a claim for relief. The trial court granted 8 defendant's motion, holding that the damages plaintiffs alleged were not compensable 9 under Lowe v. Philip Morris USA, Inc., 207 Or App 532, 142 P3d 1079 (2006), aff'd, 344 10 Or 403, 183 P3d 181 (2008),3 because plaintiffs' claimed damages -- although reflecting, 11 in part, expenses that plaintiffs actually had incurred -- were premised on the risk of 12 future injury, rather than actual present harm. 13 Plaintiffs appealed, and the Court of Appeals affirmed. That court began 14 by analyzing whether plaintiffs had stated a negligence claim for economic damages. To 15 recover damages for purely economic harm, liability "'must be predicated on some duty 16 of the negligent actor to the injured party beyond the common law duty to exercise 17 reasonable care to prevent foreseeable harm.'" Oregon Steel Mills, Inc. v. Coopers & 18 Lybrand, LLP, 336 Or 329, 341, 83 P3d 322 (2004) (quoting Onita Pacific Corp. v. 3 The trial court based its order granting defendant's motion and dismissing plaintiffs' complaint on the Court of Appeals decision in Lowe. We subsequently affirmed Lowe. 3 1 Trustees of Bronson, 315 Or 149, 159, 843 P2d 890 (1992)). The Court of Appeals held 2 that plaintiffs had failed to identify a "heightened duty of care to protect against 3 economic harm arising out of the relationship between themselves as patients and 4 defendant as a health care provider." Paul, 237 Or App at 592. The court rejected 5 plaintiffs' argument that state and federal statutes protecting the confidentiality of medical 6 records established an independent standard of care that defendant had violated, 7 reasoning that those statutes did not create a special relationship between the parties that 8 would give rise to a heightened duty owed to plaintiffs. Id. at 593. Because plaintiffs 9 failed to identify a special relationship between the parties, the court concluded that 10 plaintiffs could not, under this court's opinion in Lowe, recover for the expenses of 11 monitoring a future potential harm. Id. 12 The Court of Appeals then turned to plaintiffs' claim for damages for 13 emotional distress. A plaintiff may recover damages for emotional distress, in the 14 absence of physical injury, "where the defendant's conduct infringed on some legally 15 protected interest apart from causing the claimed distress, even when that conduct was 16 only negligent." Hammond v. Central Lane Communications Center, 312 Or 17, 23, 816 17 P2d 593 (1991). As with plaintiffs' claim for economic damages, the Court of Appeals 18 held that plaintiffs had failed to identify a special relationship between the parties that 19 could give rise to a duty of care to avoid emotional harm to plaintiffs. Paul, 237 Or App 20 at 597. The court distinguished those cases where a plaintiff recovered emotional distress 21 damages in the absence of a special relationship, because those cases involved an 22 "affirmative" breach of a duty of confidentiality. In the absence of an affirmative breach 4 1 or a special relationship, the court held that plaintiffs had not stated a claim for emotional 2 distress. Id. at 600. 3 Regarding plaintiffs' claim under the UTPA, the Court of Appeals held that 4 the only financial harm identified by plaintiffs in their complaint -- the out-of-pocket 5 expenses incurred to prevent identity theft -- was not an "ascertainable loss" under the 6 UTPA. Id. at 604. That was so because the money that plaintiffs had spent was "to 7 prevent a potential loss" (e.g., financial injury caused by future identity theft) that "might 8 result from the misrepresentations," but was not itself an ascertainable loss caused by 9 defendant. Id. (emphasis in original). 10 11 II. PLAINTIFFS' NEGLIGENCE CLAIMS We begin with plaintiffs' claim for common law negligence. As we 12 recently stated in Lowe, "Not all negligently inflicted harms give rise to a negligence 13 claim." 344 Or at 410. Rather, to recover in negligence, a plaintiff must suffer harm "to 14 an interest of a kind that the law protects against negligent invasion." Solberg v. 15 Johnson, 306 Or 484, 490, 760 P3d 867 (1988). Plaintiffs, in their third amended 16 complaint, describe their injury as follows: 17 18 19 20 21 22 23 24 "Plaintiffs and class members suffered economic damages in the form of past out-of-pocket expenses for credit monitoring services, credit injury, long distance and time loss from employment to address these issues. * * * In addition, plaintiffs and class members have suffered non-economic damages in the past and will do so in the future in the form of impairment of access to credit inherent in placing and maintaining fraud alerts, as well as worry and emotional distress associated with the initial disclosure and the risk of any future subsequent identity theft * * *." 25 (Emphasis added.) Thus, plaintiffs allege that defendant's negligence created the risk of 5 1 future identify theft, and they seek economic damages for the past and future expense of 2 credit monitoring services and related expenditures made to address the risk of identity 3 theft. They also allege that the increased risk of future identify theft has caused them 4 present and future emotional distress, and they seek damages for that noneconomic 5 injury. Although plaintiffs allege that an unknown person stole digital records containing 6 plaintiffs' information from defendant's employee's car, they do not allege that the thief or 7 any third person actually used plaintiffs' information in any way that caused financial 8 harm or emotional distress to them.4 They allege no actual "identity theft," as that term is 9 used in Oregon statutes,5 nor do they allege that defendant's actions caused them actual 10 financial injury, apart from the expenses that they incurred in the form of credit 11 monitoring that they initiated. 12 A. Damages for Economic Loss 13 14 Under the economic loss doctrine, "[O]ne ordinarily is not liable for negligently causing a stranger's purely economic loss without injuring his person or 4 Indeed, plaintiffs do not allege that the person who stole the records or any third person even viewed their personal information. The information was stored in digital form on disks and computer tapes, and specialized equipment is required to view or use the information. 5 A person commits the crime of "identity theft" if the person, "with the intent to deceive or to defraud, obtains, possesses, transfers, creates, utters or converts to the persons own use the personal identification of another person." ORS 165.800(1). Plaintiffs do not allege that the person who stole the information did so with the required "intent." 6 1 property." Hale v. Groce, 304 Or 281, 284, 744 P2d 1289 (1987).6 Damages for purely 2 economic losses, however, are available when a defendant has a duty to guard against the 3 economic loss that occurred. Onita, 315 Or at 159. A duty to protect against economic 4 loss can arise "from a defendant's particular status or relationships, or from legislation, 5 beyond the generalized standards that the common law of negligence imposes on persons 6 at large." Fazzolari v. Portland School Dist. No. 1J, 303 Or 1, 10, 734 P2d 1326 (1987). 7 Plaintiffs argue that they are patients of defendant, a health care provider, 8 and that that relationship imposes on defendant a duty to protect them against economic 9 loss. They also point to state and federal statutes that require health care providers to 10 protect patient information and assert that those statutes impose a duty or standard of care 11 on defendant that provides a basis for plaintiffs to seek economic damages in a 12 negligence action. Defendants respond that neither the nature of the relationship between 13 plaintiffs and defendant nor the statutes that plaintiffs cite establish the heightened duty 14 of care that would provide a basis for a negligence action to recover economic damages 15 for defendant's failure to protect plaintiffs' personal information. As noted, the Court of 16 Appeals agreed with defendant. See Paul, 237 Or App at 592-93. 17 We need not resolve the dispute between the parties as to whether common 6 As noted, plaintiffs did not allege that the theft of defendant's disks and tapes containing plaintiffs' information was a loss of plaintiffs' property. Accordingly, we have no occasion to consider whether, under Oregon law, such an allegation would state a claim for relief. See Ruiz v. GAP, Inc., 540 F Supp 2d 1121, 1127 (ND Cal 2008), aff'd, 380 Fed Appx 689 (9th Cir 2010) (rejecting claim that theft of defendant's laptop, containing plaintiff's personal information, constituted loss of plaintiff's "property"). 7 1 law tort principles or statutes concerning the protection of patient information provide a 2 basis for plaintiffs' claims for economic damages. Assuming, without deciding, that 3 defendant owed a duty to protect plaintiffs against economic losses, we nevertheless 4 conclude, for the reasons that follow, that plaintiffs' allegations here are insufficient 5 because plaintiffs do not allege actual, present injury caused by defendant's conduct. 6 To the extent that plaintiffs seek damages for future harm to their credit or 7 financial well-being, Lowe forecloses such a claim because "'the threat of future harm, by 8 itself, is insufficient as an allegation of damage in the context of a negligence claim,'" 344 9 Or at 410 (quoting Zehr v. Haugen, 318 Or 647, 656, 871 P2d 1006 (1994)). Plaintiffs 10 argue, however, that they should be able to recover as economic damages the past and 11 present expenses (such as the cost of credit monitoring) that they have incurred to protect 12 themselves from the risk of future economic harm. Defendant and amici respond that, in 13 Lowe, this court stated that it was unwilling to "overul[e] Oregon's well-established 14 negligence requirements" to require a defendant whose conduct increased the plaintiffs' 15 risk of cancer to pay for medical monitoring, 344 Or at 414-15, and argue that to require 16 defendant here to pay for credit monitoring because of the increased risk of a purely 17 economic future harm would require an even greater departure from existing case law. 18 We agree. 19 As this court stated in Lowe, "the fact that a defendant's negligence poses a 20 threat of future physical harm is not sufficient, standing alone, to constitute an actionable 21 injury." 344 Or at 410. We then quoted Prosser and Keeton's comment that, as the law 22 of negligence developed, "'it retained the rule that proof of damage was an essential part 8 1 of the plaintiff's case"' and that "'[n]ominal damages, to vindicate a technical right, cannot 2 be recovered in a negligence action, where no actual loss has occurred.'" Id. (quoting W. 3 Page Keeton, Prosser and Keeton on the Law of Torts § 30, 165 (5th ed 1984)). In Lowe, 4 we applied that rule in rejecting a claim for medical monitoring expenses when the 5 plaintiff had suffered no present physical harm. 6 Although plaintiffs are correct that this case is factually distinguishable 7 from Lowe because of the relationship between plaintiffs and defendant here, they are 8 incorrect in arguing that Lowe stands for the proposition that, had there been such a 9 relationship in that case, this court would have permitted recovery for monitoring 10 expenses, notwithstanding the absence of some present harm to plaintiffs. As we said in 11 Lowe, "Under Oregon Steel Mills and a long line of this court's cases, the present 12 economic harm that defendants' actions allegedly have caused -- the cost of medical 13 monitoring -- is not sufficient to give rise to a negligence claim." 344 Or at 414. That 14 rule applies whether or not there is a "relationship" between the plaintiff and the 15 defendant. If there is no relationship between the parties -- or other source of a duty on 16 the part of the defendant to protect the plaintiff against economic loss -- a plaintiff cannot 17 recover economic losses caused by the defendant's negligence. Onita, 315 Or at 159. 18 But even if such a duty has been alleged, Lowe indicates that the cost of monitoring to 19 protect against an increased risk of harm -- in the absence of present injury -- is not 20 recoverable in a negligence action. Lowe's citation of Oregon Steel Mills in the sentence 21 quoted above supports defendant's position that monitoring expenses to mitigate possible 22 future harm are not recoverable, even when there is a relationship between the parties that 9 1 might provide a basis for recovering actual economic damages caused by a present injury. 2 It follows, in our view, that the cost of credit monitoring that results, not from any 3 "present economic harm" (to borrow the phrase from Lowe) to plaintiffs, but rather from 4 the risk of possible future harm, also is insufficient to state a negligence claim. 5 That conclusion is similar to those reached by other courts that have 6 considered claims for credit monitoring damages in the absence of present identity theft 7 or other harm. In Pisciotta v. Old Nat. Bancorp, 499 F3d 629 (7th Cir 2007), the court 8 rejected negligence claims for credit monitoring by a bank's customers whose personal 9 information had been accessed by a computer "hacker." The court noted that Indiana 10 cases had rejected medical monitoring damages based on "exposure to a future potential 11 harm" and had required instead "an actual exposure-related illness or disease." 499 F3d 12 at 639. It concluded that a similar distinction between "exposure" to future harm and 13 actual harm should apply in the credit monitoring context. The court also observed that 14 even states that had allowed damages in medical monitoring negligence cases "have 15 expressed doubt that credit monitoring also should be compensable." Id. at 638 n 10. 16 Every court that has addressed damage claims for credit monitoring following the theft of 17 computer records containing personal information -- but no wrongful use of that 18 information -- has reached a similar conclusion. See Reilly v. Ceridian Corp., 664 F3d 19 38, 46 (3d Cir 2011) (increased risk of identity theft did not establish injury-in-fact for 20 purposes of seeking credit monitoring expenses or other relief); Forbes v. Wells Fargo 21 Bank, N.A., 420 F Supp 2d 1018, 1021 (D Minn 2006) (credit monitoring expenses are 22 "not the result of any present injury, but rather anticipation of future injury that has not 10 1 yet materialized"); Ruiz v. Gap, Inc., 622 F Supp 2d 908, 918 (ND Cal 2009), aff'd, 380 2 Fed Appx 689 (9th Cir 2010) (no claim for credit monitoring expenses because plaintiff 3 "has no actual damages to mitigate since he has never been a victim of identity theft"); 4 Randolph v. ING Life Ins. and Annuity Co., 486 F Supp 2d 1, 8 (DDC 2007) (same). 5 In contrast to those cases are several decisions that have allowed at least 6 some damage claims when stolen personal information actually has been used to 7 perpetrate identify theft, causing individuals present financial injury. Anderson v. 8 Hannaford Bros. Co., 659 F3d 151 (1st Cir 2011), is illustrative. There, the First Circuit, 9 applying Maine law, permitted certain claims by credit card holders against the 10 defendant, a processor of credit card payments whose system had been hacked by third 11 parties. The court distinguished the cases cited above (and many similar decisions) 12 because those cases -- like plaintiffs' case here -- alleged no actual use of any of the 13 plaintiffs' personal information: 14 15 16 17 18 19 20 21 22 23 "Unlike the cases cited by [the defendant], this case does not involve inadvertently misplaced or lost data which has not been accessed or misused by third parties. Here, there was actual misuse, and it was apparently global in reach. The thieves appeared to have expertise in accomplishing their theft and to be sophisticated in how to take advantage of the stolen numbers. The data was used to run up thousands of improper charges across the globe to the customers' accounts. The card owners were not merely exposed to a hypothetical risk, but to a real risk of misuse." 659 F3d at 164. Here, plaintiffs have alleged no actual identity theft or financial harm, other 24 than credit monitoring and similar mitigation costs. Plaintiffs have not offered a cogent 25 basis "for overruling Oregon's well-established negligence requirements," Lowe, 344 Or 11 1 at 415, which require the allegation of such present injury. We therefore reach the same 2 conclusion with respect to credit monitoring, when there has been no present injury to 3 credit or financial interest, as we did in Lowe regarding medical monitoring when there 4 was no present injury: "[N]egligent conduct that results only in a significantly increased 5 risk of future injury that requires * * * monitoring does not give rise to a claim for 6 negligence." Id. at 415. 7 B. Damages for Emotional Distress 8 9 Plaintiffs also seek damages for what they describe as "worry and emotional distress associated with the initial disclosure and the risk of any future 10 subsequent identity theft." This court consistently has rejected claims for emotional 11 distress damages caused by a defendant's negligence, in the absence of any physical 12 injury. Hammond, 312 Or at 23-24. We have, however, allowed claims for emotional 13 distress damages in three situations, as summarized in Hammond: (1) "where the 14 defendant intended to inflict severe emotional distress," id. at 22; (2) "where the 15 defendant intended to do the painful act with knowledge that it will cause grave distress, 16 when the defendant's position in relation to the plaintiff involves some responsibility 17 aside from the tort itself," id.; and (3) "where the defendant's conduct infringed on some 18 legally protected interest apart from causing the claimed distress, even when that conduct 19 was only negligent," id. at 23. Here, it is undisputed that defendant did not intend to 20 inflict distress on plaintiffs or to have its property stolen. Plaintiffs therefore argue that 21 defendant's negligence infringed a "legally protected interest" of plaintiffs. We turn to 22 that issue. 12 1 Plaintiffs identify several sources of their claimed "legally protected 2 interest." They note that the physician-patient relationship gives rise to a duty by the 3 physician to keep the patient's medical records confidential. See Humphers v. First 4 Interstate Bank, 298 Or 706, 720, 696 P2d 527 (1985) (identifying such a right).7 They 5 assert that defendant violated that and similar duties. Plaintiffs also argue that federal 6 and state statutes require defendant to keep their medical records confidential. By 7 allowing the tapes and disks containing patient care information to be stolen, plaintiffs 8 contend, defendant infringed plaintiffs' legally protected interest in their confidential 9 medical records, providing a basis for plaintiffs to recover for negligent infliction of 10 emotional distress. 11 Defendant responds that, even in the context of a physician-patient 12 relationship, a physician does not have a general duty to guard against emotional harm. 13 See Curtis v. MRI Imaging Services II, 327 Or 9, 15-16, 956 P2d 960 (1998) (so holding). 14 Only if the physician is subject to a specific standard of care "to guard against recognized 15 medical risks that happen to be psychological in nature," may that physician be liable for 16 emotional distress in a negligence action. Id. at 15 (emphasis omitted); see also 17 Rathgeber v. James Hemenway, Inc., 335 Or 404, 418, 69 P3d 710 (2003) ("It is always 18 foreseeable that some emotional harm might result from the negligent performance of 7 As noted in our discussion of economic damages, plaintiffs do not allege a physician-patient relationship with defendant. Rather, they argue that defendant's status as a health care provider imposed on defendant a similar duty to keep medical records confidential. 13 1 * * * professional services * * *. That possibility, however, cannot give rise to emotional 2 distress damages unless a standard of care that includes the duty to protect a client from 3 emotional harm governs the professional's conduct."). Defendant argues that the Court of 4 Appeals in this case correctly held that Oregon cases do not support plaintiffs' assertion 5 that their relationship with defendant gave rise to a duty on the part of defendant to 6 protect them against the risk of emotional distress that might arise if their personal 7 information was stolen as a result of defendant's negligence. See Paul, 237 Or App at 8 600 (in absence of "affirmative" breach of duty of confidentiality or special relationship 9 imposing on defendant a duty to protect plaintiffs from emotional distress, plaintiffs 10 11 failed to state a negligence claim for emotional distress damages). For reasons similar to those discussed above with respect to plaintiffs' claim 12 for economic damages, we need not, in this case, decide whether a health care provider 13 can be liable in negligence for the emotional distress damages of its patients that may 14 result from the misuse of their personal information. Assuming, without deciding, that 15 defendant does owe a duty to plaintiffs to protect them from such harm -- under Oregon 16 tort cases or derived from the health care information statutes that the parties cite -- we 17 conclude that plaintiffs' allegations of injury here are insufficient to state a claim for 18 emotional distress damages. As we have already observed, plaintiffs' alleged emotional 19 distress is premised entirely on the risk of future identity theft, and not on any actual 20 identity theft or present financial harm. No case from Oregon -- or, as far as we can tell, 21 any other jurisdiction -- supports the claim that plaintiffs make here. 22 As noted, plaintiffs allege that, because of defendant's negligence, computer 14 1 disks and tapes containing their confidential information were stolen. Plaintiffs further 2 allege that they suffered "worry and emotional distress associated with the initial 3 disclosure and the risk of any future subsequent identity theft." Although plaintiffs argue 4 that they suffered present, and not merely future distress, the complaint makes clear that 5 the present distress is based not on any present harm to their credit or financial well- 6 being, but solely on their apprehension of an increased risk of some future harm. In that 7 respect, the claimed harm is similar to the out-of-pocket expenses that plaintiffs claimed 8 as economic damages and that we rejected above. 9 The differences between the damages alleged here and the damages alleged 10 in other negligence cases where we have recognized emotional distress claims make the 11 point. In Nearing v. Weaver, 295 Or 702, 707, 670 P2d 137 (1983), for example, the 12 plaintiff suffered emotional distress after she was confronted by her husband multiple 13 times, in violation of a restraining order. The plaintiff had notified the police after the 14 first violation, and the police were required by law to arrest the husband at that time, but 15 they had failed to do so. We held that the law requiring arrest established a legal right 16 independent of the ordinary tort elements of a negligence action and that the plaintiff 17 could recover in negligence for emotional distress caused by defendant's violation of that 18 right. Id. at 708-09. In contrast to this case, however, the plaintiff in Nearing had, in 19 fact, been confronted by her husband, in violation of the restraining order. Her emotional 20 distress was not based solely on her concern over a future contingency, but on present 21 injury. Similarly, in McEvoy v. Helikson, 277 Or 781, 789, 562 P2d 540 (1977), we held 22 that the plaintiff had stated a claim for negligent infliction of emotional distress when the 15 1 defendant, an attorney, violated the terms of a divorce decree by not retaining certain 2 passports that he was required to hold. Again, the plaintiff's emotional distress damages 3 were not based on a possible future harm, but on the fact that the plaintiff's ex-wife in 4 fact obtained the passports and fled the country with the plaintiff's child. 5 Here, as discussed in detail above, plaintiffs do not allege -- and nothing in 6 the record suggests -- that any third party ever viewed any of the personal information 7 stolen from defendant or that any of the information was ever used for identity theft 8 purposes or in any other manner.8 This case also differs from Humphers, on which 9 plaintiffs rely. In Humphers, plaintiff's physician disclosed the plaintiff's identity to her 10 daughter, who had been given up for adoption, in violation of Oregon statutes requiring 11 physicians to keep such information confidential. In contrast to this case, the confidential 12 information there was released intentionally and it was actually made known -- disclosed 13 -- to a third party. 298 Or at 720-21. Another case on which plaintiffs rely, Biddle v. 14 Warren Gen. Hosp., 86 Ohio St 3d 395, 715 NE 2d 518 (1999), is similarly 15 distinguishable. There, the court held a hospital liable for emotional distress damages 16 when it sent medical records for all of its patients to a law firm to screen for supplemental 8 We recognize that the Court of Appeals has considered -- and rejected -- a claim for emotional distress damages by a depositor whose bank negligently permitted his personal information to be disclosed and which subsequently was used to the depositor's detriment by third parties. See Stevens v. First Interstate Bank, 167 Or App 280, 999 P2d 551, rev den, 331 Or 429 (2000). The basis for the emotional distress claim there thus differs from plaintiffs' allegations here; we have no occasion to consider the issue decided by the Court of Appeals in Stevens. 16 1 security income benefits without the patients' consent. Id. at 405. As in Humphers, the 2 release of the information by the hospital in Biddle was intentional, and the confidential 3 medical records were actually made known to unauthorized third parties. Id. In those 4 cases, the claim for damages for emotional distress was not based simply on the risk that 5 some third person might view or misuse the plaintiffs' confidential information in the 6 future, but on actual present viewing and use of the information. 7 We are aware of no other jurisdiction that has allowed recovery for 8 negligent infliction of emotional distress in circumstances where the alleged distress is 9 based solely on concern over the increased risk that a plaintiff's personal information 10 will, at some point in the future, be viewed or used in a manner that could cause the 11 plaintiff harm. Courts that have considered such claims have uniformly rejected them. 12 See, e.g., Reilly, 664 F3d at 45 (claim for emotional distress from increased risk of 13 identity theft was not injury-in-fact); Amburgy v. Express Scripts, Inc., 671 F Supp 2d 14 1046, 1055 (ED Mo 2009) (no recovery for damages for emotional distress caused by 15 increased risk of future identity theft when defendant's negligence resulted in theft of 16 patient records); Pinero v. Jackson Hewitt Tax Service., Inc. 594 F Supp 2d 710, 716 (ED 17 La 2009) (damages for fear of loss from future identify theft not recoverable); Randolph 18 v. ING Life Ins. and Annuity Co., 973 A2d 702, 708 (DC 2009) (no damages recoverable 19 for fear of identity theft). 20 Plaintiffs' arguments here are grounded in plausible concerns over the 21 potential for identity theft that exists whenever personal information is stolen. State and 22 federal statutes impose requirements that seek to address those risks, and enforcement 17 1 actions under those statutes -- like the enforcement action taken against defendant by the 2 Attorney General -- can help ensure compliance by those subject to such laws. However, 3 as with plaintiffs' claim for economic damages, Oregon law does not provide a private 4 right of action for emotional distress damages when those damages are based only on the 5 risk of some future harm. For those reasons, we conclude that plaintiffs have failed to 6 state a claim for damages for emotional distress. 7 III. UNLAWFUL TRADE PRACTICES ACT 8 Plaintiffs also allege that defendant violated the UTPA, ORS 646.605 to 9 646.652. That statute allows a person to seek damages and equitable relief if the person 10 has suffered "any ascertainable loss of money or property * * * as a result of willful use 11 or employment by another person of a method, act or practice declared unlawful by ORS 12 646.608." ORS 646.638(1) (2005).9 Plaintiffs assert that defendant violated ORS 13 646.608(1)(e) and (g)10 by representing that "all information gathered to sell its services 9 ORS 646.638(1) (2005) was amended by Oregon Laws 2009, chapter 327, section 1, and Oregon Laws 2009, chapter 552, sections 6 and 7. Those amendments are inapplicable to this case. 10 ORS 646.608(1)(e) and (g) provide: "A person engages in an unlawful practice when in the course of the person's business, vocation or occupation the person does any of the following: "* * * * * "(e) Represents that real estate, goods or services have sponsorship, approval, characteristics, ingredients, uses, benefits, quantities or qualities that they do not have * * *. 18 1 or goods would be safeguarded and kept confidential when it knew that it lacked 2 adequate means to safeguard such information" and that "the business of sale of services 3 and goods would include privacy and confidentiality when it knew that the transactions 4 were not confidential due to its inadequate data protection program." 5 The Court of Appeals denied plaintiffs' claim because plaintiffs did not 6 allege an "ascertainable loss of money or property," as required to recover under the 7 UTPA: 8 9 10 11 "[T]he thrust of plaintiffs' allegations is that, as a result of defendant's violation of the UTPA, they have been threatened with a loss of money or property due to the theft of their financial data, and they seek to recover damages for money that they have spent to forestall those threatened losses. 12 "* * * * * 13 14 15 "Plaintiffs have directed us to no authority -- and we are aware of none -for the proposition that such a 'once removed' loss is a loss covered under the UTPA." 16 17 Paul, 237 Or App at 603-04 (emphasis in original). As our earlier discussion of plaintiffs' negligence claim indicates, the Court 18 of Appeals correctly characterized plaintiffs' "loss" as money that they expended to 19 prevent or mitigate the possible future use or disclosure of their confidential information 20 by a third party. That expenditure of money is not the kind of loss compensable under "* * * * * "(g) Represents that real estate, goods or services are of a particular standard, quality, or grade, or that real estate or goods are of a particular style or model, if they are of another." 19 1 the UTPA, because the expenditure is not based on any present harm to plaintiffs' 2 economic interests. There is no indication that the UTPA was intended to protect against 3 such speculative losses as the risk of identity theft, and plaintiffs have presented no 4 argument that would support such an interpretation. Accordingly, plaintiffs have not 5 stated a claim under the UTPA for the "loss" they incurred to prevent a future harm.11 6 7 The decision of the Court of Appeals and the judgment of the circuit court are affirmed. 11 Because we conclude that plaintiffs have not alleged an ascertainable loss that is the result of defendant's conduct, we do not address defendant's alternative argument that defendant's conduct did not constitute a representation that defendant's services had "characteristics" that they lacked or were of a "particular standard, quality, or grade" when they were of another. See ORS 646.608(1) (defining unlawful trade practices). 20