Eldred v. Oregon Anesthesiology Group

347 Or. App. 169

• Court: Court of Appeals of Oregon
• Decided: February 19, 2026
• Docket: A180925
• Status: Published

Opinion

No. 105 February 19, 2026 169

IN THE COURT OF APPEALS OF THE STATE OF OREGON

Parke ELDRED, on his own behalf and on behalf of others similarly situated, Plaintiff-Appellant, v. OREGON ANESTHESIOLOGY GROUP, P. C., Defendant-Respondent. Multnomah County Circuit Court 22CV12671; A180925

Thomas M. Ryan, Judge. Argued and submitted December 5, 2024. Michael J. Laird, Minnesota, argued the cause for appellant. On the briefs were Bonner C. Walsh and Walsh LLC, Idaho; Brian C. Gudmundson, Rachel K. Tack and Zimmerman Reed LLP, Minnesota; and Jonathan S. Mann and Pittman, Dutton, Hellums, Bradley & Mann, P.C., Alabama. Spencer Persson, California, argued the cause for respon- dent. On the brief were Chris Swift, Kevin H. Kono, and Davis Wright Tremaine LLP. Before Shorr, Presiding Judge, Powers, Judge, and Pagán, Judge. SHORR, P. J. Affirmed. 170 Eldred v. Oregon Anesthesiology Group

SHORR, P. J. Plaintiff Parke Eldred, the representative of a puta- tive class of similarly situated individuals, appeals from a judgment of dismissal that dismissed his negligence and negligence per se claims. Plaintiff alleged that he and oth- ers were patients who had received anesthesiology services from defendant Oregon Anesthesiology Group, P.C. (OAG). He contended that he and the putative class suffered eco- nomic damages when hackers breached defendant’s lax security measures to obtain and use the patients’ personal information. Plaintiff asserted claims against defendant for negligence and negligence per se. The trial court, applying the economic loss doctrine, dismissed plaintiff’s two negli- gence claims, concluding, among other things, that plaintiff could not recover because he had not demonstrated a special relationship or other basis to give rise to defendant’s duty to protect against plaintiff’s purely economic losses. Plaintiff assigns error to that ruling.1 Applying our decision in Paul v. Providence Health System-Oregon, 237 Or App 584, 240 P3d 1110 (2010), aff’d on other grounds, 351 Or 587, 273 P3d 106 (2012) (Paul I), which plaintiff does not challenge and, indeed, contends was correctly decided, we conclude that the trial court did not err and affirm. We review a trial court’s decision to dismiss a com- plaint for failure to state a claim for legal error. Huang v. Claussen, 147 Or App 330, 332, 936 P2d 394, rev den, 325 Or 438 (1997). We accept as true the well-pleaded allegations and the reasonable inferences that can be drawn from them. Id. We state only the basic allegations necessary to under- stand the legal issue before us. As noted, plaintiff is a representative of a putative class of defendant’s former patients who provided defendant with personal information in connection with receiving defendant’s anesthesiology services. Plaintiff alleged that hackers breached and locked defendant OAG out of its com- puter servers by exploiting a vulnerability in a third-party 1 We discuss only plaintiff’s second assignment of error. Plaintiff’s other assignments assign error to the trial court’s decision to strike certain allegations and to dismiss the negligence-related claims on other grounds. We need not reach those other assignments, however, because our decision to reject plaintiff’s sec- ond assignment of error results in the affirmance of the judgment of dismissal. Cite as 347 Or App 169 (2026) 171

firewall. Plaintiff contended that the hackers obtained sen- sitive personal information regarding plaintiff and at least 750,000 other patients. Plaintiff contended that defendant waited approximately five months to disclose the breach. Plaintiff further contended that he suffered damages because, subsequent to the breach, intruders used his debit account information to make fraudulent purchases under his name. Plaintiff also contended that he and the class were at immediate and continuing risk of identity theft related harm for which they had to spend time and effort monitoring their accounts and credit information. Plaintiff alleged claims for negligence and negli- gence per se. He supplemented his common law negligence claims by asserting that defendant had a duty to the class to implement reasonable security measures due to both state and federal statutes, namely the Oregon Consumer Information Protection Act (CIPA), ORS 646A.622; the Health Insurance Portability and Accountability Act (“HIPAA”) of 1996 and its implementing regulations; and section 5 of the Federal Trade Commission Act (FTCA), 15 USC § 45. He also alleged that, because he was both a patient and a person who provided personal protected infor- mation to defendant that it had promised to protect,2 he and defendant were in a special relationship by which defendant owed him and the class a duty of care. Defendant moved to dismiss, arguing among other things, that plaintiff’s negligence claims were barred by the economic loss doctrine and plaintiff’s inability to allege a special relationship or other duty to overcome that doctrine. As noted, the trial court agreed and dismissed plaintiff’s claims. Plaintiff assigns error to that ruling. To understand our opinion, we start with our deci- sion in Paul I, which has substantial factual overlap with this case. In Paul I, the plaintiffs were patients whose unencrypted medical records were stolen from the car of an employee of the defendant medical provider, Providence Health System-Oregon (Providence). 237 Or App at 586. The unencrypted records had been stored on disks and tapes and 2 Despite alleging that promise, plaintiff did not allege a breach of contract claim and does not rely on that theory on appeal. 172 Eldred v. Oregon Anesthesiology Group

then left in the employee’s car overnight. Id. The records included private information such as Social Security num- bers, addresses, phone numbers, and confidential patient information. Id. Approximately three-and-one-half weeks after the theft, the defendant Providence sent letters to each affected patient notifying them of the theft and advising them to take precautions. Id. at 586-87. The plaintiffs then filed a putative class action against Providence on behalf of them- selves and approximately 365,000 other affected patients. Id. The plaintiffs alleged, among other things, that Providence had “negligently failed to safeguard those records.” Id. at 586. They did not allege that they had yet been the victims of economic fraud or identity theft or that their information had been compromised beyond the initial theft. But they sought economic damages for past and future credit monitoring ser- vices to track their credit and identity records to monitor for the risk of identity theft and sought noneconomic damages for the impairment of access to credit and their emotional distress related to the loss of their records. Id. at 588. The trial court dismissed the negligence claim, concluding that the plaintiffs had failed to state a claim for negligence because the damages prayed for were not com- pensable under Oregon law. Id. at 588. We affirmed, but for a different reason. We noted that the plaintiffs had alleged purely economic loss without alleging “any injury to person or property.”3 Id. at 591. Applying Supreme Court case law and the economic loss doctrine, we concluded that in such a circumstance, “plaintiffs must, at the least, identify a duty that defendant owed them—beyond the common-law duty to exercise reasonable care—to guard against that economic harm.” Id. We noted that the existence of such a duty can arise from the nature of the parties’ relationship, such as when there is a “heightened duty of care” that exists such that “the party who owes the duty has a special responsibility toward the other party * * * because the party who is owed the duty effectively has authorized the party who owes the

3 We did note in Paul I that the plaintiffs had alleged emotional distress damages but resolved that issue on other bases. 237 Or App at 591. In this appeal, plaintiff does not contend that he has asserted losses for emotional distress that are relevant to the issues before us. Cite as 347 Or App 169 (2026) 173

duty to exercise independent judgment in the former par- ty’s behalf and in the former party’s interests.” Id. at 592 (emphasis in original). We rejected the plaintiffs’ negligence claim for purely economic loss because the “plain- tiffs here have failed to identify any such heightened duty of care to protect against economic harm arising out of the relationship between themselves as patients and defendant as a health care provider.” Id. Further, and significant to our opinion here, we con- cluded in Paul I that the plaintiffs’ reliance on Oregon and federal statutes and regulations protecting the confidenti- ality of patient information did not establish Providence’s duty to patients to protect against purely economic loss from a breach of the patients’ confidential health data. Id. at 592-93. In that case, the plaintiffs had cited, among other things, to former ORS 192.518(1)(a) (2003), renumbered as ORS 192.553(1)(a) (2011), which stated that “[i]t is the policy of the State of Oregon that an individual has [t]he right to have protected health information of the individual safeguarded from unlawful use or disclosure,” and former ORS 192.520 (2003), renumbered as ORS 192.558 (2011), governing the use and disclosure of that information. Id. at 593 n 4. The plaintiffs also cited 45 CFR § 164.306, which is authorized under the federal HIPAA. Id. HIPAA regu- lations protect, among other things, the confidentiality of electronic protected health information. Id. Addressing the plaintiffs’ reliance on those statutes and regulations, we concluded that “[a]lthough we agree that those statutes and rules establish standards of conduct, any violation of those standards does not give rise to a negligence per se claim for economic damages in the absence of a special relationship that protects against that type of injury.” Id. at 593. We con- cluded that the plaintiffs “failed to allege a legally sufficient claim for negligence as a result of the economic damages that they have allegedly incurred (or will incur) in protect- ing against the increased risk of identity theft that they face as a result of the theft of their medical records.” Id. The plaintiffs then sought and obtained review by the Supreme Court. Paul v. Providence Health System- Oregon, 351 Or 587, 273 P3d 106 (2012) (Paul II). The Supreme 174 Eldred v. Oregon Anesthesiology Group

Court affirmed, but, as it noted, its “analysis differ[ed] in some respects from that of the Court of Appeals.” Id. at 589. The court expressly stated that it would not decide whether the relationship between a medical provider and patients created a duty for the provider to protect the patients from purely economic loss resulting from the provider’s negligent treatment of personal patient data. Id. 593-94. Nor did the court address our conclusion that state and federal statutes and regulations did not, on their own, establish a duty of care or create that special relationship. Id. Rather, the court returned to the trial court’s original basis for dismissal and affirmed on that basis. The court concluded that the plain- tiffs had not alleged that the defendant’s negligence caused the plaintiffs’ actual harm from identity theft but had only created a risk of that harm and the need to incur expenses to monitor for potential identity theft. Id. Applying its deci- sion in Lowe v. Philip Morris USA, Inc., 344 Or 403, 183 P3d 181 (2008), the court concluded that such an allegation was insufficient to “allege actual, present injury caused by [the] defendant’s conduct.” Paul II, 351 Or at 594. The court reasoned, “[t]o the extent that plaintiffs seek damages for future harm to their credit or financial well-being, Lowe forecloses such a claim because the threat of future harm, by itself, is insufficient as an allegation of damage in the context of a negligence claim.” Id. (emphasis in original; internal quotation marks omit- ted). As noted, the court, by not deciding the issue, left undisturbed our conclusion that the plaintiffs’ claim also failed because it had not alleged a special relationship or other source of duty that the defendant Providence owed to the plaintiffs to protect them against those types of purely economic losses. With that background, we return to the arguments in this case. As observed earlier, plaintiff here does not claim that our decision in Paul I was wrongly decided. Rather, plaintiff contends that both Paul decisions are “entirely correct.” Plaintiff attempts to distinguish Paul I and con- tends that this case arises on a “significantly altered legal landscape.” Cite as 347 Or App 169 (2026) 175

First, plaintiff notes that the altered landscape includes our decision in JH Kelly, LLC v. Quality Plus Services, Inc., 305 Or App 565, 472 P3d 280 (2020). In that case, we reviewed the history of the economic loss doctrine and its application to common law negligence claims. We described the doctrine as requiring a “limiter” on claims that seek purely economic loss in negligence because of the risk of “unbounded litigation” if the only such “nominal logical limit” is foreseeability, which is “conceptually quite broad.” Id. at 572-74. We identified the traditional limiters to the economic loss doctrine to include instances where the plaintiff has suffered injury to person or property or there is a source of a duty beyond the common law, including the existence of a special relationship, a contract, a statute or ordinance in certain instances, or a court order. Id. at 574- 75. We further noted that “[n]o Oregon case, however, has sought to foreclose other potential limiters that might ren- der the economic loss rule inapplicable.” Id. at 575. In JH Kelly, LLC, a subcontractor, Quality Plus, had been hired to weld pipes at a large construction proj- ect at an Intel site. Id. at 567. The pipes were not properly welded and Quality Plus was sued. Id. at 570. Quality Plus, in turn, sued the manufacturer of the welding machine, Georg Fischer, LLC, and that company’s service provider, alleging they were negligent in the calibration of the welding machine that Quality Plus had used on the pipes at Intel. Id. A jury found in favor of Quality Plus on its negligence claim against Georg Fischer and the service provider. Id. Georg Fischer appealed, assigning error to the trial court’s denial of its motion for directed verdict on Quality Plus’s negligence claim. Id. at 571. Georg Fischer contended that the economic loss doctrine applied because Quality Plus sued in negli- gence, suffered purely economic loss, and had not suffered injury to its property, because the damaged pipes belonged to a third party. Id. at 576. We rejected that argument and concluded that there was damage to property and such dam- age fell within one of the established limiters on unbounded litigation, namely injury to person or property, which took the claim outside the economic loss doctrine. Id. at 577. We relied on existing case law, both in and outside Oregon, and concluded that “the concerns underlying the economic 176 Eldred v. Oregon Anesthesiology Group

loss doctrine are not implicated, because the focus of the claimed negligence is physical property that was damaged while in Quality Plus’s possession and control.” Id. Later we stated that “the pipes themselves—regardless of who owned them—provide the conceptual limiter that renders the prag- matic concerns over unbounded litigation that underlie the economic loss rule inapplicable to this case.” Id. at 578. Plaintiff contends that JH Kelly, LLC implicates this case for at least two reasons.4 The difficulty with that contention is that the reasons that plaintiff provides were insufficient for our court in Paul I to sustain those plaintiffs’ nearly identical negligence claim against a challenge under the economic loss doctrine. Plaintiff first contends that there is no concern of unbounded litigation because plaintiff’s claims and injuries are strictly limited as plaintiff and the class are a finite group of patients of defendant OAG. But the same was true in Paul I. In that case, the putative class was a group of 365,000 patients of Providence whose personal, medical, and financial information was stolen from the car of a Providence employee. That group was certainly large but also finite and limited in the same way present in this case. Here, while a class was not yet certified in this case, plaintiff alleged that “at least 750,000 other patients” had their sensi- tive data accessed in the cyberattack on OAG.5 Plaintiff next contends that the type of harm suf- fered here is exactly the type of harm expected from a data breach. To the extent that plaintiff is contending that their harm was foreseeable, foreseeability, alone, has not been a sufficient limiter to avoid the application of the economic loss doctrine in circumstances when a plaintiff seeks recov- ery for purely economic losses resulting from negligence. See Onita Pacific Corp. v. Trustees of Bronson, 315 Or 149, 165, 843 P2d 890 (1992) (explaining that “[f]oreseeability alone is not a sufficient basis to permit the recovery of economic 4 Plaintiff does not contend that JH Kelly, LLC overruled Paul I either expressly or by implication. We do not discern that it did either. 5 Ultimately, the size of the putative class or the amount of damages has no effect either way on the application of the economic loss doctrine. Whether a case involves an individual or a class, “liability for purely economic harm must be predicated on some duty of the negligent actor to the injured party beyond the common law duty to exercise reasonable care to prevent foreseeable harm.” Paul I, 237 Or App at 590. Cite as 347 Or App 169 (2026) 177

losses on a theory of negligence”); Roberts v. Feary, 162 Or App 546, 550, 986 P2d 690 (1999) (noting that a plaintiff cannot recover purely economic losses without relying on some duty outside the common law of negligence and stating that a plaintiff must first show the “existence” of that duty before foreseeability comes into play); see also JH Kelly, LLC, 305 Or App at 573-74 (noting that the economic loss doctrine emerged following concerns that while foreseeability princi- ples offer some “nominal logical limit,” its broad conceptual application led to the requirement that a plaintiff establish some limiter on the risk of unbounded litigation). Plaintiff’s argument is again inconsistent with Paul I. While Paul I has slightly different facts, those facts do not shed further light on any additional limiter that may apply here as an exception to the economic loss doctrine. In Paul I, patients entrusted their medical, financial, and personal data to a large medical provider, Providence, and alleged that the provider’s employee was negligent in storing unen- crypted computer disks and tapes of patient records in the employee’s car. Here, patients entrusted identical informa- tion to OAG and plaintiff alleged that OAG failed to imple- ment reasonable data security, which allowed hackers to access encrypted patient data. Although the allegations of carelessness appear far worse in Paul I and arise from improper storage of data in a car rather than on a server, the essential allegations are the same, that patients entrusted personal information to medical providers and the providers were negligent in not protecting it from theft. There is noth- ing different about the claims in Paul I that implicates the application of the economic loss doctrine. Plaintiff further contends that the economic loss doctrine does not apply because defendant OAG owes plain- tiff a heightened duty of care. Plaintiff contends that a source of that duty includes Oregon’s recently passed CIPA and section 5 of the FTCA. Broadly speaking, CIPA provides protections to consumers by imposing duties on certain enti- ties’ handling of a consumer’s personal information; sets out steps that the covered entities must take to safeguard that information; and directs action, such as consumer-notifica- tion requirements, when those entities are subject to security 178 Eldred v. Oregon Anesthesiology Group

breaches that expose consumers’ personal information. ORS 646A.602; ORS 646A.604; ORS 646A.620; ORS 646A.622. Section 5 of the FTCA declares unlawful, among other things, “[u]nfair * * * practices in or affecting commerce.” 15 USC § 45(a)(1). Some federal courts have held that a com- pany’s failure to maintain reasonable and appropriate data security measures can constitute an unfair practice under section 5. See, e.g., F.T.C. v. Wyndham Worldwide Corp., 799 F3d 236, 247 (3d Cir 2015). We again conclude that Paul I controls. As discussed, in that case, the plaintiffs maintained that HIPAA and other Oregon statutes protected the confidentiality of health information and, thus, provided a heightened duty of care to protect against economic harm arising out of the relation- ship between the plaintiffs-patients and defendant-medical provider. In Paul I, we concluded that although HIPAA and other state laws “establish standards of conduct, any viola- tion of those standards does not give rise to a negligence per se claim for economic damages in the absence of a special relationship that protects against that type of injury.” 237 Or App at 593.6 Plaintiff has not demonstrated that CIPA or section 5 of the FTCA operate on this case in a differ- ent manner or change the analysis in Paul I. Indeed, one way that a health care provider can demonstrate compliance with the requirements in Oregon’s CIPA is to demonstrate that the provider was already complying with the federally

6 Earlier in that opinion, we stated that the distinction between the negli- gence and negligence per se claims “ha[d] limited bearing on our analysis” and noted that negligence per se is not a distinct cause of action but simply a negli- gence claim based on violation of a standard of care set out by statute or rule. Paul I, 237 Or App at 589. Although Paul I did not expressly address the issue, because it concluded that similar statutes did not create a duty supporting any negligence claim, we note that CIPA and section 5 of the FTCA do not create private rights of action but only allow governmental entities to sue for violations. See ORS 646A.604(11) (a) (providing that a “person’s violation of a provision of [CIPA] is an unlawful practice under ORS 646.607” of the Unlawful Trade Practices Act (UTPA)); ORS 646.638 (providing for a private cause of action for a violation of ORS 646.608 of the UTPA but not including ORS 646.607); ORS 646.632 (providing that a prosecuting attorney may sue for violations of the UTPA in the name of the State of Oregon); 15 USC § 45(a), (b) (providing, among other things, that the Federal Trade Commission (FTC) is empowered to prevent certain persons and entities from using unfair or deceptive acts in or affecting commerce and granting the FTC remedies, including to seek restitution for victims). Cite as 347 Or App 169 (2026) 179

imposed requirements in HIPAA to the extent that it pro- tects the same information. See ORS 646A.622(2)(c) (stating that a covered entity provides reasonable safeguards to pro- tect personal information protected by CIPA if it complies with the regulations that implement HIPAA to the extent that it protects the same information). Paul I concluded that a special relationship, beyond the general duty to protect consumer information imposed by state and federal consumer statutes, was necessary to state a common law negligence claim. 237 Or App at 593. It also concluded that the relationship between a health care provider and a patient did not give rise to a special relationship for the provider to protect against the type of economic loss at issue there, the loss of protected personal health care or financial information, which is the same loss at issue here. Id. at 592. Plaintiff tries to distinguish Paul I and contends that its reasoning does not apply here, but ultimately states that it was correctly decided. Given that framing, we reject plaintiff’s argument because Paul I is not meaningfully distinguishable and controls the outcome of this case. Finally, plaintiff contends that the fact that third parties targeted, obtained, and misused his data, resulting in harm, further supports finding that defendant owed a duty. But that argument goes to the issue addressed in Paul II, whether the plaintiffs had alleged that the defendant had caused actual harm as opposed to the risk of loss. 351 Or at 593. It does not support plaintiff’s contention that defendant owed a duty to protect plaintiff against purely economic loss. In sum, we reject plaintiff’s second assignment of error and conclude that the trial court did not err in apply- ing the economic loss doctrine as applied in Paul I and then granting defendant’s motion to dismiss plaintiff’s negligence and negligence per se claims. As a result of that conclusion, we need not reach plaintiff’s other assignments of error that challenge other aspects of the trial court’s dismissal of those same claims or its striking of certain underlying allegations. Affirmed.