On February 24, the Oregon Supreme Court held that absent any allegations that stolen personal information was used or viewed by a third party, plaintiffs had not suffered an injury that would support a negligence claim or an action under Oregon’s Unlawful Trade Practices Act in Paul v. Providence Health System-Oregon.
The breach at issue occurred in 2005, when an employee left disks and tapes containing medical records for 365,000 patients in the employee’s car and those disks and tapes were stolen. Some of the records went back 20 years, and contained Social Security numbers and medical information. In 2006, the defendant settled with the Oregon Attorney General and agreed to pay credit monitoring costs to affected patients for two years and over $95,000 to the Attorney General. In 2007, the trial court granted the defendant’s motion to dismiss, taking into account that several plaintiffs had been at least partially compensated via the attorney general settlement, and holding that the plaintiffs’ claimed damages were premised on the risk of future injury rather than actual present harm.
Plaintiffs argued that they had suffered financial loss in the form of past and future costs of credit monitoring, maintaining fraud alerts, and notifying various government agencies regarding the theft, as well as possible future costs related to identity theft. They also argued that they had suffered damages by the emotional distress caused by the theft of the records. The Supreme Court however found not only that there was no evidence that the plaintiffs had suffered any financial loss as a result of the breach, but also that there was no evidence that the records had ever been accessed or viewed. The Court also noted that its decision to dismiss the claims were in line with many other decision by courts in other jurisdictions, such as Pisciotta v. Old Nat. Bancorp out of the Seventh Circuit and Ruiz v. Gap from the Ninth Circuit.