Let me know whether this sounds familiar. The doctor finishes work for the day. In his office, he uses some form of backup system whereby a disc or tape is created at the end of every day, and the doctor or office manager takes the backup medium home to safeguard the information in case of a fire, flood, earthquake, or other disaster. Generally speaking, it is placed in the doctor’s briefcase with his other papers of the day. When the doctor gets home, he takes his briefcase with him to review whatever he needs to that evening in preparation for the next day’s events. So far, this describes a fairly routine scenario for many of us. Now, suppose the doctor has an engagement after work; upon arriving at his destination, he places his briefcase in the trunk of his car because he does not want to check it at the restaurant he is going to. When he arrives home later that evening, he decides that it’s late, he won’t do any more work that day, he’s going to bed, and he leaves the briefcase securely locked in the trunk to be retrieved tomorrow when he gets to the office. Surprise, his car is broken into overnight, and the briefcase with its contents is stolen. His personal effects are missing, and so are his unencrypted backup discs or tapes containing hundreds (even thousands) of patient files with personal and medical information consisting of not only the patient’s clinical information but also personal information such as names, addresses, phone numbers, social security numbers, birthdates, parent’s information, and the list goes on. By this time, everyone reading this should have that sinking feeling in the pit of your stomach.

The doctor immediately contacts all patients involved, advising them of the loss of the data, profusely apologizing, although it was not his fault, and imploring them to take all necessary precautions to protect themselves from identity theft. Obviously, he will have many ticked-off patients. These are essentially the facts of Paul v Providence Health System-Oregon, 240 P.3d 1110 (Ore. Ct. App., 2010). Subsequently, a number of patients filed a class-action lawsuit against the doctor, claiming as damages that they suffered or will suffer: “financial injury in the form of past and future costs to monitor credit reports, recurring future costs to notify and re-notify credit bureaus of fraud alerts, costs of notification to the Social Security Administration, the Immigration and Naturalization Agency, the Internal Revenue Service, State and Local law enforcement agencies and possible future costs of repair of identity theft.” The plaintiffs cited ORS 192.518 and 45 C.F.R. Parts 160 and 164 as the bases for the doctor’s duty to safeguard the data (protecting it against theft and disclosure, and not having it encrypted). In addition to the acts of negligence stated above, the plaintiffs also asserted that the doctor violated the Unlawful Trade Practices Act in that he misrepresented that “all information gathered to sell its services or goods would be safeguarded and kept confidential when [he] knew that [he] lacked adequate means to safeguard such information” and also that the doctor misrepresented that “the business of sale of services and goods would include privacy and confidentiality when [he] knew that the transactions were not confidential due to [his] inadequate data protection program.” The trial court dismissed all actions because the plaintiffs had failed to state a cause of action since the claim was barred under legal precedent. This appeal ensued.

In Oregon as in all other jurisdictions, to recover in a cause of action based on negligence, the plaintiff must prove that there was a duty to conform to a standard of care, that this standard was breached by the defendant, that the plaintiff suffered “ harm to an interest of a kind that the law protects against ” (cit. omit.) (emphasis added), and that the breach of the duty must have been the direct or proximate cause of the damages or injuries sustained. The basis for this appeal was to answer the question of whether a significantly increased risk of future injury or the projected economic costs of periodic screenings of one’s credit, including the costs of repairing it if necessary, are the types of harm sufficient enough to impute liability on a defendant for negligence. In answering these questions, the court of appeals quoted case law (precedent) and stated:

Plaintiff has not alleged that her exposure to defendant’s products has resulted in any present physical effect, much less any present physical harm. Nor has she alleged that any future physical harm to her is certain to follow as a result of that exposure. Rather, she has alleged only that her exposure to defendant’s product has significantly increased the risk that she will contract lung cancer sometime in the future. . . . [T]he threat of future . . . harm that the plaintiff has alleged is not sufficient to give rise to a negligence claim. (cit. omit.)

In answering the second part of the previous question, the court, citing another case (again, legal precedent), noted that:

One ordinarily is not liable for negligently causing a stranger’s purely economic loss, but rather, liability for purely economic harm must be predicated on some duty of the negligent actor to the injured party beyond the common law duty to exercise reasonable care to prevent foreseeable harm. (cit. omit.)

The bottom line here was that the plaintiffs alleged all sorts of potential future economic losses rather than actual physical injuries to person or property. It is irrelevant that the harm is a foreseeable consequence of negligent conduct that could make someone liable to another party. For that to be the case, one must have, at its base, a distinct duty owed to that person that is outside the duty relating to claims based on common-law negligence. Such a duty arises from the relationship of the parties to one another and must comprise a heightened responsibility that encompasses protecting the economic interests of the other party. This might exist in such relationships as a principal-agent relationship, or because of the type of situation contemplated by the parties, such as when the defendant has control over the subject matter inherent in the relationship. An example might be when 1 party has placed potential financial liability in the hands of the other, or when 1 party “has a duty to administer, oversee, or otherwise take care of the affairs belonging to the other party.” The court also noted that, although the statutes cited by the plaintiff do establish rules and standards of conduct, any violations of those standards do not automatically give rise to liability based on a claim solely citing economic damages, either real or future.

The court then looked at whether the plaintiffs had stated a viable claim for negligent infliction of emotional distress. The plaintiffs argued that inherent in the doctor-patient relationship is a duty to maintain patient confidentiality. Once again, citing previously adopted case law, the court noted that:

The gravamen of the tort of breach of confidentiality, in Oregon and nationally, is the affirmative disclosure of information by a person to whom the confidential information has been entrusted. Plaintiffs identify no authority—and we have found none—that expands the tort to impose liability where the defendant has not affirmatively disclosed the ‘entrusted’ or ‘confidential’ information. (cit. omit.) (emphasis in original)

Regarding the Unlawful Trade Practices Act, the statute states that “any person who suffers any ascertainable loss of money . . . as a result of [an] . . . act or practice declared unlawful by ORS646.608 . . . may recover actual damages or $200, whichever is greater.” Subsection (1) states that “[a] person engages in unlawful practice when . . . (e) [he] represents that . . . services have . . . characteristics . . . or qualities they do not have” and (g) “represents that . . . services are of a particular standard, quality . . . or a particular style or model, if they are of another.” The plaintiffs claimed that the defendant violated these provisions because he represented that “all information gathered . . . would be safeguarded and kept confidential when [he] knew [he] lacked adequate means to safeguard such information” and, in addition, that the sale of the doctor’s services would “include privacy and confidentiality when [he] knew the transactions were not confidential due to its inadequate data protection program.”

The trial court rejected the claim because the damages claimed were not “an ascertainable loss.” The appellate court affirmed, stating that ascertainable means “capable of being discovered, observed, or established.” Although the plaintiff’s losses would eventually be ascertainable once the costs related to the credit issues were actually undertaken, the real question was whether the plaintiffs alleged any loss of money or property as stated in the statute. Normally, a loss takes the form of the difference in value between the product represented and that which was actually tendered, the difference between the advertised price and the sale price, the difference in characteristics of the property tendered vs the one advertised, and so on. In this case, however, the plaintiffs claimed a threatened loss if a credit issue or an identity-theft issue actually materialized, as well as money spent to forestall those potential losses. Finding that the potential loss of an ascertainable dollar amount was not contemplated by the statute, the court again ruled in favor of the defendant doctor.