The issue in this case is whether a healthcare provider can be liable in damages when the provider’s negligence permitted the theft of its patients’ personal information, but the information was never used or viewed by the thief or any other person. Plaintiffs claimed economic and noneconomic damages for financial injury and emotional distress that they allegedly suffered when, through defendant’s alleged negligence, computer disks and tapes containing personal information from an estimated 365,000 patients (including plaintiffs) were stolen from the car of one of defendant’s employees. The trial court and Court of Appeаls held that plaintiffs had failed to state claims for negligence or for violation of the Unlawful Trade Practices Act (UTPA), ORS 646.605 to 646.652.
Paul v. Providence Health System-Oregon,
I. BACKGROUND AND PROCEEDINGS BELOW
We take the facts from plaintiffs’ third amended complaint. When reviewing a trial court order granting a motion to dismiss, we accept as true all well-pleaded facts in the complaint.
Bailey v. Lewis Farm, Inc.,
*590 Plaintiffs filed this class action on behalf of themsеlves and other individuals whose records had been stolen. Plaintiffs asserted common law negligence and negligence per se claims, alleging that defendant’s conduct had caused them financial injury in the form of past and future costs of credit monitoring, maintaining fraud alerts, and notifying various government agencies regarding the theft, as well as possible future costs related to identity theft. 2 Plaintiffs also alleged that they suffered noneconomic damages for the emotional distress caused by the theft of the records and attendant worry over possible identity theft. Plaintiffs did not allege any intentional conduct by defendant. Nor did plaintiffs allege that any unauthorized pеrson ever had accessed any of the information contained on the disks and tapes, or that any plaintiff had suffered any actual financial loss, credit impairment, or identity theft. In addition to their negligence claims, plaintiffs alleged that defendant had violated the UTPA by representing that patient data would be kept confidential when defendant knew that such data was inadequately safeguarded.
Defendant filed a motion to dismiss plaintiffs’ complaint for failure to state ultimate facts sufficient to constitute a claim for relief. The trial court granted defendant’s motion, holding that the damages plaintiffs alleged were not compensable under
Lowe v. Philip Morris USA, Inc.,
*591
Plaintiffs appealed, and the Court of Appeals affirmed. That court began lay analyzing whether plaintiffs had stated a negligence claim for economic damages. To recover damages for purely economic harm, liability “ ‘must be predicated on some duty of the negligent actor to the injured party beyond the common law duty to exercise reasonable care to prevent foreseeable harm.’ ”
Oregon Steel Mills, Inc. v. Coopers & Lybrand, LLP,
The Court of Appeals then turned to plaintiffs’ claim for damages for emotional distress. A plaintiff may recover damages for emotional distress, in the absence of physical injury, “where the defendant’s conduct infringed on some legally protected interest apart from causing the claimed distress, even when that conduct was only negligent.”
Hammond v. Central Lane Communications Center,
Regarding plaintiffs’ claim under the UTPA, the Court of Appeals held that the only financial harm identified by plaintiffs in their complaint — the out-of-pocket expenses incurred to prevent identity theft — was not an “ascertainable loss” under the UTPA. Id. at 604. That was so because the money that plaintiffs had spent was “to prevent a potential loss” (e.g., financial injury caused by future identity theft) that “might result from the misrepresentations,” but was not itself an ascertainable loss caused by defendant. Id. (emphasis in original).
II. PLAINTIFFS’ NEGLIGENCE CLAIMS
We begin with plaintiffs’ claim for common law negligence. As we recently stated in
Lowe,
“Not all negligently inflicted harms give rise to a negligence claim.”
“Plaintiffs and class members suffered economic damages in the form of past out-of-pocket expenses for credit monitoring services, credit injury, long distance and time loss from employment to address these issues. * * * In addition, plaintiffs and class members have suffered non-economic damages in the past and will do so in the future in the form of impairment of access to credit inherent in placing and maintaining fraud alerts, as well as worry and emotional distress associated with the initial disclosure and the risk of any future subsequent identity theft * * *.”
(Emphasis added.) Thus, plaintiffs allege that defendant’s negligence created the risk of future identify theft, and they seek economic damages for the past and future expense of credit monitoring services and related expenditures made to address the risk of identity theft. They also allege that the increased risk of future identify theft has caused them present and future emotional distress, and they seek damages for that noneconomic injury. Although plaintiffs allege that an unknown person stole digital records containing plaintiffs’ *593 information from defendant’s employee’s car, they do not allege that the thief or any third person actually used plaintiffs’ information in any way that caused financial harm or emotional distress to them. 4 They allege no actual “identity theft,” as that term is used in Oregon statutes, 5 nor do they allege that defendant’s actions caused them actual financial injury, apart from the expenses that they incurred in the form of credit monitoring that they initiated.
A. Damages for Economic Loss
Under the economic loss doctrine, “[0]ne ordinarily is not liable for negligently causing a stranger’s purely economic loss without injuring his person or property.”
Hale v. Groce,
Plaintiffs argue that they are patients of defendant, a healthcare provider, and that that relationship imposes on defendant a duty to protect them against economic loss. They also point to state and federal statutes that require healthcare providers to protect patient information and assert that
*594
those statutes impose a duty or standard of care on defendant that provides a basis for plaintiffs to seek economic damages in a negligence action. Defendants respond that neither the nature of the relationship between plaintiffs and defendant nor the statutes that plaintiffs cite establish the heightened duty of care that would provide a basis for a negligence action to recover economic damages for defendant’s failure to protect plaintiffs’ personal information. As noted, the Court of Appeals agreed with defendant.
See Paul,
We need not resolve the dispute between the parties as to whether common law tort principles or statutes concerning the protection of patient information provide a basis for plaintiffs’ claims for economic damages. Assuming, without deciding, that defendant owed a duty to protect plaintiffs against economic losses, we nevertheless conclude, for the reasons that follow, that plaintiffs’ allegations here are insufficient because plaintiffs do not allege actual, present injury caused by defendant’s conduct.
To the extent that plaintiffs seek damages for
future
harm to their credit or financial well-being,
Lowe
forecloses such a claim because “ ‘the threat of future harm, by itself, is insufficient as an allegation of damage in the context of a negligence claim,’ ”
As this court stated in Lowe, “the fact that a defendant’s negligence poses a threat of future physical harm is not sufficient, standing alone, to constitute an actionable *595 injury.” Id. at 410. We then quoted Prosser and Keeton’s comment that, as the law of negligence developed, “ ‘it retained the rule that proof of damage was an essential part of the plaintiffs case’ ” and that “ ‘[n]ominal damages, to vindicate a technical right, cannot be recovered in a negligence action, where no actual loss has occurred.’ ” Id. (quoting W. Page Keeton, Prosser and Keeton on the Law of Torts § 30,165 (5th ed 1984)). In Lowe, we applied that rule in rejecting a claim for medical monitoring expenses when the plaintiff had suffered no present physical harm.
Although plaintiffs are correct that this case is factually distinguishable from
Lowe
because of the relationship between plaintiffs and defendant here, they are incorrect in arguing that
Lowe
stands for the proposition that, had there been such a relationship in that case, this court would have permitted recovery for monitoring expenses, notwithstanding the absence of some present harm to plaintiffs. As we said in
Lowe,
“Under
Oregon Steel Mills
and a long line of this court’s cases, the present economic harm that defendants’ actions allegedly have causеd — the cost of medical monitoring —is not sufficient to give rise to a negligence claim.”
That conclusion is similar to those reached by other courts that have considered claims for credit monitoring
*596
damages in the absence of present identity theft or other harm. In
Pisciotta v. Old Nat. Bancorp,
In contrast to those cases are several decisions that have allowed at least some damage claims when stolen personal information actually has been used to perpetrate identify theft, causing individuals present financial injury.
Anderson v. Hannaford Bros. Co.,
*597 “Unlike the cases cited by [the defendant], this case does not involve inadvertently misplaced or lost data which has not been accessed or misused by third parties. Here, there was actual misuse, and it was apparently global in reach. The thieves appeared to have expertise in accomplishing their theft and to be sophisticated in how to take advantage of the stolen numbers. The data was used to run up thousands of improper chargеs across the globe to the customers’ accounts. The card owners were not merely exposed to a hypothetical risk, but to a real risk of misuse.”
Here, plaintiffs have alleged no actual identity theft or financial harm, other than credit monitoring and similar mitigation costs. Plaintiffs have not offered a cogent basis “for overruling Oregon’s well-established negligence requirements,”
Lowe,
B. Damages for Emotional Distress
Plaintiffs also seek damages for what they describe as “worry and emotional distress associated with the initial disclosure and the risk of any future subsequent identity theft.” This court consistently has rejected claims for emotional distress damages caused by a defendant’s negligence, in the absence of any physical injury.
Hammond,
Plaintiffs identify several sources of their claimed “legally protected interest.” They note that the physician-patient relationship gives rise to a duty by the physician to keep the patient’s medical records confidential.
See Humphers v. First Interstate Bank,
Defendant responds that, even in the context of a physician-pаtient relationship, a physician does
not
have a general duty to guard against emotional harm.
See Curtis v. MRI Imaging Services II,
For reasons similar to those discussed above with respect to plaintiffs’ claim for economic damages, we need not, in this case, decide whether a healthcare provider can be liable in negligence for the emotional distress damages of its patients that may result from the misuse of their personal information. Assuming, without deciding, that defendant does owe a duty to plaintiffs to protect them from such harm — under Oregon tort cases or derived from the healthcare information statutes that the parties cite — we conclude that plaintiffs’ allegations of injury here are insufficient to state a claim for emotional distress damages. As we have already observed, plаintiffs’ alleged emotional distress is premised entirely on the risk of future identity theft, and not on any actual identity theft or present financial harm. No case from Oregon — or, as far as we can tell, any other jurisdiction — supports the claim that plaintiffs make here.
As noted, plaintiffs allege that, because of defendant’s negligence, computer disks and tapes containing their confidential information were stolen. Plaintiffs further allege that they suffered “worry and emotional distress associated with the initial disclosure and the risk of any future subsequent identity theft.” Although plaintiffs argue that they suffered present, and not merely future distress, the complaint makes clear that the prеsent distress is based not on any present harm to their credit or financial well-being, but solely on their apprehension of an increased risk of some future harm. In that respect, the claimed harm is similar to the out-of-pocket expenses that plaintiffs claimed as economic damages and that we rejected above.
The differences between the damages alleged here and the damages alleged in other negligence cases where we
*600
have recognized emotional distress claims make the point. In
Nearing v. Weaver,
Here, as discussed in detail above, plaintiffs do not allege — and nothing in the record suggests — that any third party ever viewed any of the personal information stolen from defendant or that any of the information was ever used for identity theft purposes or in any other manner.
8
This case also differs from
Humphers,
on which plaintiffs rely. In
Humphers,
plaintiffs physician disclosed the plaintiffs identity to her daughter, who had been given up for adoption, in violation of Oregon statutes requiring physicians to keep such information confidential. In contrast to this case, the
*601
confidential information there was released intentionally and it was actually made known — disclosed—to a third party.
We are aware of no other jurisdiction that has allowed recovery for negligent infliction of emotional distress in circumstances where the alleged distress is based solely on concern over the increased risk that a plaintiffs personal information will, at some point in the future, be viewed or used in a manner that could cause the plaintiff harm. Courts that have considered such claims have uniformly rejected them.
See, e.g., Reilly,
Plaintiffs’ arguments here are grounded in plausible concerns over the potential for identity theft that exists whenever personal information is stolen. State and federal *602 statutes impose requirements that seek to address those risks, and enforcement actions under those statutes — like the enforcement action taken against defendant by the Attorney General — can help ensure compliance by those subject to such laws. However, as with plaintiffs’ claim for economic damages, Oregon law does not provide a private right of action for emotional distress damages when those damages are based only on the risk of some future harm. For those reasons, we conclude that plaintiffs have failed to state a claim for damages for emotional distress.
III. UNLAWFUL TRADE PRACTICES ACT
Plaintiffs also allege that defendant violated the UTPA, ORS 646.605 to 646.652. That statute allows a person to seek damages and equitable relief if the person has suffered “any ascertainable loss of money or property * * * as a result of willful use or employment by another person of a method, act or practice declared unlawful by ORS 646.608.” ORS 646.638(1) (2005). 9 Plaintiffs assert that defendant violated ORS 646.608(l)(e) and (g) 10 by representing that “all information gathered to sell its services or goods would be safeguarded and kept confidential when it knew that it lacked adequate means to safeguard such information” and that “the business of sale of services and goods would include privacy and confidentiality when it knеw that the transactions were not confidential due to its inadequate data protection program.”
*603 The Court of Appeals denied plaintiffs’ claim because plaintiffs did not allege an “ascertainable loss of money or property,” as required to recover under the UTPA:
“[T]he thrust of plaintiffs’ allegations is that, as a result of defendant’s violation of the UTPA, they have been threatened with a loss of money or property due to the theft of their financial data, and they seek to recover damages for money that they have spent to forestall those threatened losses.
* * * *
“Plaintiffs have directed us to no authority — and we are aware of none- — for the proposition that suсh a ‘once removed’ loss is a loss covered under the UTPA.”
Paul,
As our earlier discussion of plaintiffs’ negligence claim indicates, the Court of Appeals correctly characterized plaintiffs’ “loss” as money that they expended to prevent or mitigate the possible future use or disclosure of their confidential information by a third party. That expenditure of money is not the kind of loss compensable under the UTPA, because the expenditure is not based on any present harm to plaintiffs’ economic interests. There is no indication that the UTPA was intended to protect against such speculative losses as the risk of identity theft, and plaintiffs have presented no argument that would support such an interpretation. Accordingly, plaintiffs have not stated a claim under the UTPA for the “loss” they incurred to prevent a future harm. 11
The decision of the Court of Appeals and the judgment of the circuit court are affirmed.
Notes
In 2006, defendant entered into an agreement with the Attorney General under the UTPA pursuant to which defendant agreed to contract with a credit *590 monitoring company to provide two years of credit monitoring and restoration services to any patient who requested it, to reimburse any patient for any financial loss resulting from the misuse of credit or identity theft, and to establish a website and toll-free call center to assist patients with questions related to the theft. Under the agreement, defendant also paid the Attorney General more than $95,000. Defendant estimated the cost of the credit monitoring and other services that it agreed to provide at approximately $7 million.
Plaintiffs did not allege that the theft of the records was a “property loss” to them.
The trial court based its order granting defendant’s motion and dismissing plaintiffs’ complaint on the Court of Appeals decision in Lowe. We subsequently affirmed Lowe.
Indeed, plaintiffs do not allege that the person who stole the records or any third person even viewed their personal information. The information was stоred in digital form on disks and computer tapes, and specialized equipment is required to view or use the information.
A person commits the crime of “identity theft” if the person, “with the intent to deceive or to defraud, obtains, possesses, transfers, creates, utters or converts to the persons own use the personal identification of another person.” ORS 165.800(1). Plaintiffs do not allege that the person who stole the information did so with the required “intent.”
As noted, plaintiffs did not allege that the theft of defendant’s disks and tapes containing plaintiffs’ information was a loss
ofplaintiffs’
property. Accordingly, we have no occasion to consider whether, under Oregon law, such an allegation would state a claim for relief.
See Ruiz v. GAP, Inc.,
As noted in our discussion of economic damages, plaintiffs do not allege a physician-patient relationship with defendant. Rather, they argue that defendant’s status as a healthcare provider imposed on defendant a similar duty to keep medical records confidential.
We recognize that the Court of Appeals has considered — and rejected- — a claim for emotional distress damages hy a depositor whose bank negligently permitted his personal information to be disclosed and which subsequently was used to the depositor’s detriment by third parties.
See Stevens v. First Interstate Bank,
ORS 646.638(1) (2005) was amended by Oregon Laws 2009, chapter 327, section 1, and Oregon Laws 2009, chapter 552, sections 6 and 7. Those amendments are inapplicable to this case.
ORS 646.608(l)(e) and (g) provide:
“A person engages in an unlawful practice when in the course of the person’s business, vocation or occupation the person does any of the following:
* * :¡: #
“(e) Represents that real estate, goods or services have sponsorship, approval, characteristics, ingredients, uses, benefits, quantities or qualities that they do not have * * *.
«:f; *
“(g) Represents that real estate, goods or services are of a particular standard, quality, or grade, or that real estate or goods are of a particular style or model, if they are of another.”
Because we conclude that plaintiffs have not alleged an ascertainable loss that is the result of defendant’s conduct, we do not address defendant’s alternative argument that defendant’s conduct did not constitute a representation that defendant’s services had “characteristics” that they lacked or were of a “particular standard, quality, or grade” when they were of another. See ORS 646.608(1) (defining unlawful trade practices).