Plaintiffs brought this class action after unencrypted records containing personal, medical, and financial information of an estimated 365,000 patients were stolen from the car of one of defendant’s employees. Plaintiffs alleged that defendant had negligently failed to safeguard those records and that defendant had violated the Unlawful Trade Practices Act (UTPA) by representing that it would keep patient information confidential when it knew that it had not taken sufficient steps to ensure that. Plaintiffs sought injunctive relief and damages for past and future costs of credit-monitoring services to protect against identity theft and for emotional distress. The trial court granted defendant’s ORCP 21 A(8) motions to dismiss plaintiffs’ complaint for failure to state a claim, concluding that the relief sought was barred by
Lowe v. Philip Morris USA,
Inc.,
I. BACKGROUND
When reviewing an order granting a motion to dismiss for failure to state a claim, we accept as true all well-pleaded facts in the complaint and give the party opposing the motion the benefit of all reasonable inferences that can be drawn from those facts.
Caba v. Barker,
The facts alleged in this case are few: An employee of defendant, a medical care provider, took computer disks and tapes home and left them in his car overnight, and thеy were stolen. The disks and tapes contained unencrypted patient records for approximately 365,000 individuals; the records included names, addresses, phone numbers, Social Security numbers, and patient care information. Approximately three-and-one-half weeks after the theft, defendant sent letters to each person whose information was contained on the *587 stolen disks and tapes, alerting them to the loss of data and advising them to take precautions to protect themselves. Plaintiffs subsequently filed this action as a class action on behalf of all people whose information was contained on the disks and tapes.
As a result of the theft, plaintiffs and class members allege that they have been exposed to “loss of privacy, to past and future out-of-pocket losses associated with monitoring credit reports and placing and maintaining fraud alerts, to credit injuries inherent in credit monitoring and placing and maintaining fraud alerts, and to repair costs of credit damage caused by the theft of data.” Their complaint pleaded two claims for relief: negligence and violation of the UTPA.
In their claim for negligence, plaintiffs sought relief under theories of negligence per se and common-law negligence. The former was predicated on defendant’s alleged failure to comply with federal and state law providing for the protection of medical information, specifically ORS 192.518 et seq. and 45 CFR Parts 160 and 164. With regard to the latter claim, plaintiffs alleged that defendant was negligent “in failing to safeguard the data, in failing to encrypt it, in allowing its agent or employee to store such data in his or her car, and in failing to put in place policies that would protect such data from theft and disclosure.” The injury alleged with respect to both theories was the same—
“financial injury in the form of past and future costs to monitor credit reports, recurring future costs to notify and re-notify credit bureaus of fraud alerts, costs of notification to the Social Security Administration, the Immigration and Naturalization Agency, the Internal Revenue Service, State and Local law enforcement agencies and possible future costs of repair of identity theft.”
In their second claim for relief, plaintiffs alleged that defendant had violated the UTPA 1 by (1) “representing that all information gathered to sell its services or goods would be safeguarded and kept confidential when it knew that it *588 lacked adequate means to safeguard such information” and (2) “representing that the business of sale of services and goods would include privacy and confidentiality when it knew that the transactions were not confidential due to its inadequate data protection program.”
With respect to both their negligence and UTPA claims, plaintiffs sought (1) injunctive relief, requiring defendant to “pay for ongoing monitoring of credit reports, notify Social Security of the data loss, fund recurring credit bureau fraud alerts and pay for the future cost of possible loss and damage due to identity theft”; (2) economic damages for “past out-of-pocket expenses for credit monitoring services, credit injury, postage, long distance and time loss from employment to address these issues”; and (3) noneconomic damages for “impairment of access to credit inherent in placing and maintaining fraud alerts, as well as worry and emotional distress associated with the initial disclosure and the risk of any subsequent identity theft.” Plaintiffs did not allege that they or class members have been victims of fraud or identity theft as a result of the stolen disks and tapes or that the information stolen has otherwise been compromised.
Defendant moved under ORCP 21 A(8) to dismiss both of plaintiffs’ claims on the basis that each failed to “state ultimate facts sufficient to state a claim”; it also moved to strike plaintiffs’ class allegations pursuant to ORCP 321 and 32 E(4). The trial court granted defendant’s motions and subsequently entered a judgment dismissing plaintiffs’ complaint with prejudice. As noted, plaintiffs challenge both rulings on appeal; however, our disposition with respect to the former- — -that the trial court was correct in dismissing plaintiffs’ claims under ORCP 21 A(8) — obviates the need to address thе latter.
II. ANALYSIS
A. Plaintiffs’ Negligence Claim
Citing our opinion in
Lowe I,
the trial court concluded that plaintiffs had failed to state a claim for negligence because “the damages prayed for [are] not compensable under Oregon law.”
2
Thus, the issue on appeal reduces to
*589
whether plaintiffs’ complaint alleged an injury cognizable under Oregon negligence law.
Zehr v. Haugen,
To recover in negligence, a plaintiff must suffer harm “to an interest of a kind that the law protects against negligent invasion.”
Solberg v. Johnson,
On appeal, the Supreme Court considered two questions: (1) whether a significantly increased risk of future physical injury is, by itself, a sufficient harm to state a claim in negligence; and (2) whether the economic cost of *590 undergoing periodic medical screening constitutes a sufficient harm for that purpose. Id. at 419.
The court readily resolved the first question in the negative, based on its earlier precedents, particularly
Zehr,
“Plaintiff has not alleged that her exposure to defendants’ products has resulted in any present physical effect, much less any present physical harm. Nor has she alleged that any future physical harm to her is certain to follow as a result of that exposure. Rather, she has alleged only that her exposure to defendants’ products has significantly increased the risk that she will contract lung cancer sometime in the future. It is sufficient for the purposes of this case to hold only that, under Zehr and Bollam, the threаt of future physical harm that plaintiff has alleged is not sufficient to give rise to a negligence claim.”
Id. at 411.
The court then turned to the second issue — which most significantly bears on our analysis here — that is, whether, as the plaintiff argued, the economic cost of ongoing medical monitoring was a sufficient injury to provide a basis for a negligence claim. The court held that it was not, invoking the principle of Oregon negligence law that “[o]ne ordinarily is not liable for negligently causing a stranger’s purely economic loss,” but, rather, “liability for purely economic harm must be predicated on some duty of the negligent actor to the injured party beyond the common law duty to exercise reasonable care to prevent foreseeable harm.”
Here, plaintiffs have not alleged any physical injury, or even, as in
Lowe,
the threat of future physical injury. Rather, aside from their claim for emotional distress damages, which we address separately below, plaintiffs’ claims allege purely economic loss without any injury to persons or property. As described above, the complaint alleges that plaintiffs “suffered financial injury” related to the costs of credit-monitoring services, notification, and fraud alerts, and possible future costs of repair of identity theft — similar to the damages for medical monitoring alleged by the plaintiff in
Lowe.
Thus, as the Supreme Court reemphasized in
Lowe II,
to state a legally sufficient claim fоr negligence, plaintiffs must, at the least, identify a duty that defendant owed them — beyond the common-law duty to exercise reasonable care — to guard against that economic harm.
The existence of such a duty arises from the nature of the parties’ relationship.
Onita Pacific Corp. v. Trustees of Bronson,
“In Onita, this court described the relationships summarized above [that is, those giving rise to the requisite heightened duty of care] as those in which the party who owes a duty of care is acting, ‘at least in part, * * * to further the economic interests of the “client,” the person owed the duty of care.’315 Or at 161 . Another way to characterize the types of relationships in which a heightened duty of care exists is that the party who owes the duty has a special responsibility toward the other party. This is so because the party who is owed the duty effectively has authorized the party who owes the duty to exercise independent judgment in the former party’s behalf and in the former party’s interests. In doing so, the party who is owed the duty is placed in a position of reliance upon the party who owes the duty; that is, because the former has given responsibility and control over the situation at issue to the latter, the former has a right to rely upon the latter to achieve a desired outcome or resolution.
“This special responsibility exists in situations in which one party has hired the other in a professional capacity, as well as in principal-agent and other similar relationships. It also exists in the type of situation described in Georgetown Realty [v. The Home Ins. Co.,313 Or 97 ,831 P2d 7 (1992)], in which one party has relinquished control over the subject matter of the relationship to the other party and has placed its potential monetary liability in the other’s hands. In all those relationships, one party has authorized the other to exercisе independent judgment in his or her behalf and, consequently, the party who owes the duty has a special responsibility to administer, oversee, or otherwise take care of certain affairs belonging to the other party.”
(Emphasis in original.)
As in Lowe, plaintiffs here have failed to identify any such heightened duty of care to protect against economic harm arising out of the relationship between themselves as patients and defendant as a health care provider, and, indeed, they never squarely address the question at all. To the extent they argue that federal and state laws protecting the confidentiality of health information establish that duty, *593 we disagree. 4 Although we agree that those statutes and rules establish standards of conduct, any violation of those standards does not give rise to a negligence per se claim for economic damages in the absence of a special relationship that protects against that type of injury. Thus, as in Lowe II, plaintiffs have failed to allege a legally sufficient claim for negligence as a result of the economic damages that they have allegedly incurred (or will incur) in protecting against the increased risk of identity theft that they face as a result of the theft of their medical records.
Plaintiffs’ claim for emotional distress damages presents a related, but slightly different question. The complaint alleged that
“plaintiffs and class members have suffered non-economic damages in the past and will do so in the future in the form of* * * worry and emotional distress associated with the initial disclosure and the risk of any future subsequent identify theft, all to their non-economic damage in amounts to be proved at trial.”
(Emphasis added.)
Negligent infliction of emotional distress may be actionable without physical injury if the negligent conduct infringed on an interest beyond those that are protected under the general obligation to exercise reasonable care to prevent foreseeable harm.
Hammond v. Central Lane Communications Center,
We begin with
Humphers v. First Interstate Bank,
“A physician’s duty to keep medical and related information about a patient in confidence is beyond question. It is imposed by statute. ORS 677.190(5) provides for disqualifying or otherwise disciplining a physician for ‘willfully or negligently divulging a professional secret.’ * * * The actionable wrong is the breach of duty in a confidential relationship!.]
“* * * Given [the constraints of other statutes that seek to preserve the secrecy of adoption records], there is no privilege to disregard the professional duty imposed by ORS 677.190(5) solely in order to satisfy the curiosity of the person who was given up for adoption.”
Id. at 720-21. The court thus concluded that the plaintiff had a cognizable “claim of breach of confidentiality in a confidential relationship.” Id. at 721. However, as defendant points out, that claim was based on the affirmative — rather than *595 negligent — disclosure of confidential information, which plaintiffs here do not allege.
In
Stevens v. First Interstate Bank,
“Where a third party misappropriates personal or credit information that a depositor had provided to a bank, and that misappropriation is the result of the bank’s failure to adequately protect the information from such misappropriation, is the bank liable for the depositor’s resulting emotional distress?”
Id.
at 285-86. So framed, we held that the plaintiffs could not sustain a claim for “breach of confidentiality.” Citing, among other authorities,
Humphers,
“The gravamen of the tort of breach of confidentiality, in Oregon and nationally, is the affirmative disclosure of information by a person to whom the confidential information has been entrusted. * * * Plaintiffs identify no authority— and we have found none — that expands the tort to impose liability where the defendant has not affirmatively disclosed the ‘entrusted’ or ‘confidential’ information. We decline to do so.”
Stevens,
In this case, it is undisputed that plaintiffs’ complaint does not allege that defendant affirmatively disclosed plaintiffs’ confidential information. In fact, plaintiffs’ allegations here are remarkably similar to those in Stevens, *596 namely, that defendant failed to adequately protect plaintiffs’ confidential information from misappropriation, and, as a result, they suffered “worry and emotional distress.” Thus, contrary to plaintiffs’ assertion, neither Humphers nor the “physician duty of confidentiality” prescribed in ORS 677.190(5) supports plaintiffs’ position that they would be entitled to recover in negligence for emotional distress damages suffered as a result of defendant’s conduct.
However, our analysis in
Stevens
did not end with breach of confidentiality. Rather, notwithstanding the failure of that claim, we did not foreclose the possibility of recovery under a common-law negligence theory if, as we explained, the plaintiffs could demonstrate that their relationship with the bank “gave rise to some distinct ‘legally protected interest’ ” beyond those protected by generic, common-law foreseeability.
“the depositor-bank relationship is, in our view, more analogous to a merchant-customer relationship in which the customer, in transacting a credit card or other noncash purchase, provides certain information to the merchant. There, as here, the relationship is at arm’s length, to achieve a specific economic end, and does not require the merchant to exercise independent judgment on the customer’s behalf.” 6
Id. at 287-88 (citations and footnote omitted).
Significantly, in reaching that conclusion, we distinguished our earlier decision in
Banaitis v. Mitsubishi Bank, Ltd.,
Plaintiffs nonetheless insist that there are “critical differences between medical patient information and bank customer information” and that “[t]he nature of the underlying injury — disclosure of patient confidences — distinguishes this case from the litany of financial cases on which [defendant] relies.” Plaintiffs fail, however, to idеntify those critical differences or explain why they compel a different result under the Conway construct. Specifically, plaintiffs fail to explain why the relationship between a medical provider and its patient gives rise to a duty on behalf of that provider to protect patient information from disclosure beyond the generic common-law duty to take reasonable steps to protect against foreseeable harm — in other words, why that relationship creates a legally protected interest in having defendant guard patients from the possibility of emotional distress caused by the loss of their personal medical information through theft.
To the extent that plaintiffs’ argument implicates the physician-patient relationship as a source for the heightened standard of care necessary tо recover emotional distress damages, prior case law from this court and the Supreme Court does not support that view.
Curtis v. MRI Imaging Services II,
The Supreme Court disagreed, concluding that the plaintiff had adequately pleaded a claim for relief. 8 The court explained:
“[W]hen the claim is that a medical practitioner breached a prоfessional duty to guard against a specified medical harm, the fact that that harm is psychological rather than physical is not a bar to liability. Our holding should not be read to mean that medical professionals operate under a general duty to avoid any emotional harm that foreseeably might result from their conduct. In that regard, their duty is no greater than that of the population at large. But, where the standard of care in a particular medical profession recognizes the possibility of adverse psychological reactions or consequences as a medical concern and dictates that certain precautions be taken to avoid or minimize it, the law will not insulate persons in that profession from liability if they fail in those duties, thereby causing the contemplated harm”
*599
We applied that principle in
Rustvold v. Taylor,
We held that the plaintiff had failed to establish the existence of a duty — apart from the duty to avoid foreseeable risk of harm — necessary to satisfy the exception to the requirement that there be evidence of concomitant physical injury in order to recover for psychological distress. In doing so, we rejected the plaintiffs argument that the mere fact of the physician-patient relationship itself establishes that duty, holding that, although that relationship
“can
includе a specific duty the violation of which may support a claim for negligent infliction of emotional distress” it does not
“always
* * * include such a specific duty.”
Id.
at 138-39 (emphasis in original). We concluded that the plaintiff had failed to provide evidence of such a specific duty — that is, the plaintiff had failed to establish the existence of “ ‘a standard of care that includes a specific duty
to be aware of and guard against [the]particular psychological reactions or consequences’
” the plaintiff allegedly suffered.
Id.
at 135 (quoting
Curtis,
This case suffers from an analogous deficiency. Here, plaintiffs have failed to identify an independent standard of care that includes the duty to guard against the specific harm they allege — viz., the emotional trauma associated with the loss of personal medical information as a result of theft.
*600 In sum, plaintiffs have failed to identify a duty defendant owes thеm, beyond the duty to exercise reasonable care, sufficient to support a claim in negligence for economic damages. Plaintiffs have also failed to state a claim in negligence for their emotional distress damages because they do not allege an affirmative disclosure by defendant of their confidential personal and medical information, nor do they allege facts sufficient to support an inference of a specific professional duty by defendant to protect against emotional distress caused by the theft of that information. Thus, on this record, the trial court did not err in dismissing plaintiffs’ negligence claim.
B. Plaintiffs’ Unlawful Trade Practices Act Claim
Subject to an exception not applicable here, under the UTPA,
“any person who suffers any ascertainable loss of money or property, real or personal, as a result of willful use or employment by another person of a method, act or practice declared unlawful by ORS 646.608, may bring an individual action in an appropriate court to recover actual damages or $200, whichever is greater. The court or the jury, as the case may be, may award punitive damages and the court may provide the equitable relief the court considers necessary or proper.”
ORS 646.638(1) (2005). 9 Plaintiffs here alleged that defendant had violated ORS 646.608(1)(e) and (g), which provide:
“(1) A person engages in an unlawful practice when in the course of the person’s business, vocation or occupation the person does any of the following:
“(e) Represents that real estate, goods or services have sponsorship, approval, characteristics, ingredients, uses, benefits, quantities or qualities that they do not have * * *.
“* * * * *
“(g) Represents that real estate, goods or services are of a particular standard, quality, or grade, or that real *601 estate or goods are of a particular style or model, if they are of another.”
In particular, plaintiffs alleged that defendant violated those provisions by representing that “all information gathered to sell its services or goods would be safeguarded and kept confidential when it knew that it lacked adequate means to safeguard such information” and that “the business of sale of services and goods would include privacy and confidentiality when it knew that the transactions were not confidential due to its inadequate data protection program.” As we understand it, plaintiffs’ theory is that, as a provider of medical services to which state and federal confidentiality laws apply, defendant represented, in offering medical services and products for sale, that it would keep patients’ private information confidential. Because defendant did not have procedures and practices in place to protect against the loss by theft of that information, patient records did not have that characteristic of confidentiality and, thus, defendant’s services were not of the standard or quality represented.
The trial court granted defendant’s motion to dismiss plaintiffs’ claim, stating in its order only that “the damages prayed for [are] not compensable under Oregon law.
See Lowe v. Philip Morris USA, Inc.,
Plaintiffs contest that ruling, arguing that they properly alleged “ascertainable loss” in the form of out-of-pocket expenses incurred for “credit monitoring services, credit injury, postage, long distance and time loss from employment.” Defendant, on the other hand, contends that plaintiffs suffered no loss for the same reason that it believes their negligence claim fails — meaning, presumably, because any expenses incurred were in anticipation of preventing future harm, not the result of an existing harm. The trial court’s reference to Lowe I — which did not address the UTPA — suggests the same.
*602
We agree with the trial court. The question is whether plaintiffs have adequately pleaded “any ascertainable loss” as “a result of’ defendant’s alleged misrepresentation with respect to the confidentiality of patient records. “Ascertainable” means “capable of being discovered, observed, or established.”
Scott v. Western Int. Sales,
Inc.,
“What the legislature meant by an ‘ascertainable loss of money or property” is not free from doubt.”
10
Weigel v. Ron Tonkin Chevrolet Co.,
Here, plaintiffs do not allege such a difference in value. 11 Rather, the thrust of plaintiffs’ allegations is that, as a result of defendant’s violation of the UTPA, they have been threatened with a loss of money or property due to the theft of their financial data, and they seek to recover damages for money that they have spent to forestall those threatened losses.
Although not directly on point,
Gemignani v. Pete,
“By the time of the delivery of the [warranty] deed, they already had made all the required payments. Whether the deed warranted clear title or not, they still would have lost *604 their home to the bank. Thus, the loss of their home was not an ascertainable loss within the meaning of the UTPA.”
Id. at 591. Similarly, we rejected the plaintiffs’ claim for attorney fees incurred in the defendant’s subsequent bankruptcy proceedings, on the basis that their participation in those proceedings was “occasioned,” not by the misrepresentations in the deed, but by the existence of the bank’s lien. Id.
Here, too, we fail to understand how the money expended by plaintiffs is a loss occasioned by the alleged UTPA violations. In short, rather than allege a loss of money or property as a result of defendant’s misrepresentations, plaintiffs’ complaint alleges out-of-pocket expenses to prevent a potential loss of money or property (through identity theft) that might result from the misrepresentations. Plaintiffs have directed us to no authority — and we are aware of none — for the proposition that such a “once removed” loss is a loss covered under the UTPA. We conclude that the money spent to prevent a potential ascertainable loss under the UTPA is not itself an “ascertainable loss of money or property, real or personal, as a result of’ a violation of the statute.
III. CONCLUSION
In conclusion, we agree with the trial сourt that plaintiffs failed to state a legally sufficient claim for negligence or under the UTPA. The trial court properly granted defendant’s motion to dismiss.
Affirmed.
Notes
Relevant provisions of the UTPA are set out in full below; in general, the act authorizes an individual action for damages and equitable relief by a person who has “suffer[ed] any ascertainable loss of money or property” as a result of an unlawful trade practice. ORS 646.638(1) (2005)
(see
The Supreme Court issued its opinion (Lowe II) affirming our decision in Lowe I after the trial court had granted defendant’s motions and dismissed plaintiffs’ complaint.
The court explicitly declined the plaintiffs suggestion that it should reconsider those “well-established” requirements of Oregon negligence law so that the defendants would be required to bear the costs of medical monitoring, consistently with the law of some other jurisdictions. The court noted that there were well-reasonеd arguments on both sides of the issue but that they did not provide a basis for overruling the Oregon cases that had established Oregon’s requirements.
Lowe II,
In the context of their negligence per se claim, plaintiffs refer to a standard of care established by those provisions. Specifically, they refer to ORS 192.518(1)(a), which states that “[i]t is the policy of the State of Oregon that an individual has [t]he right to have protected health information of the individual safeguarded from unlawful use or disclosure,” and ORS 192.520, which governs the authorized uses or disclosures of that information. They also cite 45 CFR § 164.306, authorized under the federal Health Insurance Portability and Accountability Act of 1996 (HIPPA). Among other things, that regulation requires “[c]overed entities” to “[e]nsure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits,” and to “protect against any reasonably anticipated” threats to the security or unauthorized disclosure of that information. 45 CFR § 164.306(a)(1)-(3).
In particular, in addition to ORS 192.518 and 45 CFR § 164.306 (described above,
The framework for that analysis, as we noted, was set out in
Conway,
Specifically, the plaintiff alleged severe emotional distress resulting from the defendants’ failure to (1) properly explain the nature of an MRI procedure,
*598
particularly its possible claustrophobic effects; (2) take an adequate history of his preexisting asthmatic condition; (3) properly monitor him during the рrocedure; and (4) terminate the procedure when he complained of breathing difficulties.
Curtis,
The court concluded that it need not decide whether, as the parties had argued it, “negligent infliction of emotional distress is the relevant claim,” because the plaintiff had adequately pleaded a claim for relief based on “medical malpractice.”
Curtis,
The statute has since been amended. Or Laws 2009, ch 327, § 1; Or Laws 2009, ch 552, §§ 6-7. Those amendments are inapplicable in this case.
It is clear that the magnitude of the loss is not dispositive. As the court explained in Weigel, the text of the UTPA as a whole — including the $200 statutory damages provision — suggests that,
“in enacting ORS 646.638, the legislature was concerned as much with devising sanctions for the prescribed standards of trade and commerce as with remedying private losses, and that such losses therefore should be viewed broadly. The private loss indeed may be so small that the common law likely would reject it as grounds for relief, yet it will support an action under the statute.”
In their brief on appeal, plaintiffs state, without elaboration, “Also, when defendant offered medical services that lacked proper confidentiality features, the services were worth less than the amounts charged.” However, plaintiffs failed to include that allegation in their complaint; accordingly, we do not consider it.