In Paul v. Providence Health System-Oregon, — P.3d —-, 2010 WL 3894650 (Or.App. 2010), the Oregon Court of Appeal rejected a claim by approximately 365,000 individuals whose unencrypted records containing personal, medical, and financial information were stolen from the car of one of defendant’s employees. Plaintiffs alleged that defendant had negligently failed to safeguard those records. Plaintiffs sought injunctive relief and damages for past and future costs of credit-monitoring services to protect against identity theft and for emotional distress With respect to both their negligence and UTPA claims, plaintiffs sought (1) injunctive relief, requiring defendant to “pay for ongoing monitoring of credit reports, notify Social Security of the data loss, fund recurring credit bureau fraud alerts and pay for the future cost of possible loss and damage due to identity theft”; (2) economic damages for “past out-of-pocket expenses for credit monitoring services, credit injury, postage, long distance and time loss from employment to address these issues”; and (3) noneconomic damages for “impairment of access to credit inherent in placing and maintaining fraud alerts, as well as worry and emotional distress associated with the initial disclosure and the risk of any subsequent identity theft.” Plaintiffs did not allege that they or class members have been victims of fraud or identity theft as a result of the stolen disks and tapes or that the information stolen has otherwise been compromised.
The Court rejected the Plaintiff’s claim as a compensable loss, explaining:
[T]he issue on appeal reduces to whether plaintiffs’ complaint alleged an injury cognizable under Oregon negligence law. Zehr v. Haugen, 318 Or 647, 656, 871 P.2d 1006 (1994) (harm to the plaintiff measurable in damages is a necessary element of negligence). As a result, although plaintiffs pleaded theories of common-law negligence and negligence per se, the distinction between the two has limited bearing on our analysis. See Fazzolari v. Portland School Dist. No. 1J, 303 Or 1, 17, 734 P.2d 1326 (1987) (in common-law negligence actions, “the issue of liability for harm actually resulting from defendant’s conduct properly depends on whether that conduct unreasonably created a foreseeable risk to a protected interest of the kind of harm that befell the plaintiff”); Abraham v. T. Henry Construction, Inc., 230 Or.App. 564, 573, 217 P3d 212 (2009), rev allowed, 348 Or 523 (2010) (“Negligence per se * * * is not a distinct cause of action; it is a negligence claim based on violation of a standard of care set out by statute or rule.”). ¶ To recover in negligence, a plaintiff must suffer harm “to an interest of a kind that the law protects against negligent invasion.” Solberg v. Johnson, 306 Or 484, 490, 760 P.2d 867 (1988). . . ¶ On appeal, the Supreme Court considered two questions: (1) whether a significantly increased risk of future physical injury is, by itself, a sufficient harm to state a claim in negligence; and (2) whether the economic cost of undergoing periodic medical screening constitutes a sufficient harm for that purpose. Id. at 419. ¶ The court readily resolved the first question in the negative, based on its earlier precedents, particularly Zehr, 318 Or at 656, in which the court had held that “the threat of future harm, by itself, is insufficient as an allegation of damage in the context of a negli-gence claim,” and Bollam v. Fireman’s Fund Ins. Co., 302 Or 343, 347, 730 P.2d 542 (1986), in which the court had quoted W. Page Keeton, Prosser & Keeton on Torts 165 (5th ed 1984) for the proposition that “ ‘[t]he threat of future harm, not yet realized, is not enough.’ “ Lowe II, 344 Or at 410. Under the reasoning of those cases, the court explained, the plaintiff had failed to allege a cognizable injury for purposes of stating a negligence claim . . . ¶ The court then turned to the second issue-which most significantly bears on our analysis here-that is, whether, as the plaintiff argued, the economic cost of ongoing medical monitoring was a sufficient injury to provide a basis for a negligence claim. The court held that it was not, invoking the principle of Oregon negligence law that “[o]ne ordinarily is not liable for negligently causing a stranger’s purely economic loss,” but, rather, “liability for purely economic harm must be predicated on some duty of the negligent actor to the injured party beyond the common law duty to exercise reasonable care to prevent foreseeable harm.” 344 Or at 41 (internal quotation marks omitted; bracketed material in original). Because the plaintiff had not identified any such duty, the court held that the alleged economic harm-that is, the cost of medical screening-was not a sufficient injury for purposes of stating a claim for negligence. Id. at 413-14. ¶ Here, plaintiffs have not alleged any physical injury, or even, as in Lowe, the threat of future physical injury. Rather, aside from their claim for emotional distress damages, which we address separately below, plaintiffs’ claims allege purely economic loss without any injury to persons or property. As described above, the complaint alleges that plaintiffs “suffered financial injury” related to the costs of credit-monitoring services, notification, and fraud alerts, and possible future costs of repair of identity theft-similar to the damages for medical monitoring alleged by the plaintiff in Lowe. Thus, as the Supreme Court re-emphasized in Lowe II, to state a legally sufficient claim for negligence, plaintiffs must, at the least, identify a duty that defendant owed them-beyond the common-law duty to exercise reasonable care-to guard against that economic harm. 344 Or at 413-14; see also Hale v. Groce, 304 Or 281, 284, 744 P.2d 1289 (1987) (“It does not suffice that the harm is a foreseeable consequence of negligent conduct that may make one liable to someone else, for instance to a client. Some source of a duty outside the common law of negligence is required.” (Citations omitted.)). ¶ The existence of such a duty arises from the nature of the parties’ relationship. . . ¶ As in Lowe, plaintiffs here have failed to identify any such heightened duty of care to protect against economic harm arising out of the relationship between themselves as patients and defendant as a health care provider, and, indeed, they never squarely address the question at all. To the extent they argue that federal and state laws protecting the confidentiality of health information establish that duty, we disagree. ¶ Although we agree that those statutes and rules establish standards of conduct, any violation of those standards does not give rise to a negligence per se claim for economic damages in the absence of a special relationship that protects against that type of injury. Thus, as in Lowe II, plaintiffs have failed to allege a legally sufficient claim for negligence as a result of the economic damages that they have allegedly incurred (or will incur) in protecting against the increased risk of identity theft that they face as a result of the theft of their medical records.