FILED OCTOBER 31, 2024 In the Office of the Clerk of Court WA State Court of Appeals, Division III
IN THE COURT OF APPEALS OF THE STATE OF WASHINGTON DIVISION THREE
SARAH NUNLEY AND MICHELLE ) SLATER, INDIVIDUALLY AND ON ) No. 39571-5-III BEHALF OF ALL OTHERS ) SIMILARLY SITUATED, ) ) Appellant, ) ) PUBLISHED OPINION v. ) ) CHELAN-DOUGLAS HEALTH ) DISTRICT A WASHINGTON ) MUNICIPAL CORPORATION, AND ) DOES 1-10, INCLUSIVE, ) ) Respondent. )
STAAB, A.C.J. — After hackers accessed personal records in a cyberattack on
Chelan-Douglas Health District’s (Health District) network, Sarah Nunley and Michelle
Slater1 filed suit claiming the Health District was negligent in gathering, storing, and
securing their personal information. The Health District moved to dismiss under CR
12(b)(6), raising two issues. First, the Health District argued that it did not owe the
Plaintiffs a duty of care since any injury was caused by the criminal acts of third parties.
Second, the Health District asserted that the Plaintiffs had failed to allege a cognizable
1 For purposes of clarity, we will use “Plaintiffs” to refer to Nunley and Slater collectively, and use their specific names when referring to them individually. No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
injury as a necessary element of their claim for negligence. The superior court granted
the Health District’s motion and the Plaintiffs appeal.
We reverse. We hold that companies that collect and store personal identifiable
information (PII) and personal health information (PHI) have a duty to use reasonable
care in collecting and storing the information. This duty includes taking reasonable steps
to prevent unauthorized access and disclosure of the information.
We also hold that the Plaintiffs have asserted cognizable injuries at this
preliminary stage. The Plaintiffs contend that the Health District breached its duty by
failing to use ordinary care in securing their personal identification and as a result, the
Plaintiffs’ personal information was stolen. According to the facts alleged by the
Plaintiffs, they are current victims of identity theft as opposed to future or potential
victims of identity theft. They allege existing loss in the form of mental distress and
inconvenience as well as the loss in value of their personal identity. Under the deferential
standard of pleadings, the allegations are sufficient to assert a current loss, and it is
possible that the plaintiffs will be able to prove these damages.
We reverse the superior court’s order dismissing the Plaintiffs’ claim of
negligence and remand for further proceedings.
2 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
BACKGROUND2
The Health District provides various health services in Chelan and Douglas
Counties. To perform its services, it collected, stored, managed, and transmitted
plaintiffs’ PII and PHI such as full names, Social Security numbers, dates of birth,
financial account information, medical treatment/diagnosis information, medical records
or patient numbers, and/or health insurance policy information.
Beginning in 2020, the Health District was made aware that the PII and PHI it
collected and stored were vulnerable to a data breach and that its security protocols were
inadequate. Despite this warning, the Health District did not improve its security
protocols and failed to hire internal or external information technology (IT) personnel to
address the vulnerabilities. In January of the following year, the Health District
identified “several issues” with its IT infrastructure and assigned its “Incident
Management Team” to work on improvements. “In early May 2021, FBI[3] agents
contacted [the Health District] to warn them of an impending cyber-attack.” Clerk’s
Papers (CP) at 11. Between May 10 and May 14, hackers attempted two separate attacks
on the Health District’s systems. During this same timeframe, the Health District was
2 In considering a motion to dismiss under CR 12(b)(6), the court presumes the allegations set forth in the complaint are true. The following facts are taken from the Plaintiffs’ complaint. 3 Federal Bureau of Investigation.
3 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
also the target of an email phishing attack. Following these attempted attacks, the Health
District did not improve its security measures.
Between July 2 and July 4, the Health District’s network was subject to a data
breach. During the investigation of this breach, it was revealed that Plaintiffs’ PII and
PHI had been removed from its network in connection with the breach. The attorney
general’s report stated the information removed included “full names, Social Security
numbers, dates of birth/death, financial account information, medical treatment/diagnosis
information, medical records or patient numbers, and/or health insurance policy
information.” CP at 11. Approximately 108,906 individuals in Washington State were
affected by this data breach.
Nunley, a patient at the Health District, was one of the individuals who received a
notice in March 2022 stating her PII and PHI were exposed in the data breach. Before
the data breach, she supplied her full name, date of birth, address, and telephone number
to the Health District. In addition, the Health District had access to her medical
information such as treatment/diagnosis information, medical record number or patient
number, and health insurance policy information. Nunley received a notice that stated
“certain identifiable personal and protected health information, including your full name
and one or more of the following may have been removed from our network in
connection with this incident: Medical Information (Treatment/Diagnosis Information,
Medical Record or Patient Number, and/or Health Insurance Policy Information), [and]
4 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
Date of Birth.” CP at 57. The notice Nunley received did not state her Social Security
number was compromised.
Nunley alleges that she experienced a substantial uptick in the number and
frequency of spam telephone calls related to medical services as well as spam emails.
Some of these calls included a person impersonating a representative at the Health
District attempting to gain access to additional information. In addition, she was notified,
in March 2022, by her credit monitoring service of two instances of her Social Security
number appearing on the dark web, as well as her expired personal identification issued
by Washington State. She was also notified of two “soft pulls” of her credit by Goldman
Sachs.
Following the data breach, Nunley alleges she spent time and effort mitigating the
data breach such as researching it, reviewing credit reports, creditor monitoring,
researching credit services offered by the Health District, dealing with unwanted spam
calls, and she claims an unauthorized business license was opened in her name. Nunley
claims she has spent at least five hours dealing with the data breach. In addition to her
time and effort, Nunley alleges she has suffered emotional distress due to the release of
this information.
Slater, another individual affected by the data breach, received the exact same
notice as Nunley, stating her PII and PHI were exposed in the data breach despite her
having no known relationship with the Health District. She alleges she made reasonable
5 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
efforts to mitigate the data breach such as researching it, reviewing credit reports, credit
monitoring, and reviewing financial account statements for any indication of attempted
identity theft.
Nunley and Slater both allege actual injury in the form of damage and diminution
in the value of their PII and PHI as well as the present, imminent, and impending injury
arising from the increased risk of fraud. As a result of this breach, they both anticipate
spending considerable time and money attempting to mitigate and address these harms.
Nunley brought this class action for negligence on behalf of herself, Slater, and
other Washington residents whose PII and PHI was disclosed by the Health District
during the data breach. The Health District filed a CR 12(b)(6) motion to dismiss,
arguing Plaintiffs failed to allege a duty was owed and that they did not plead cognizable
damages. After hearing the issue, the court eventually entered an order granting the
motion to dismiss with prejudice for failure to state a claim upon which relief could be
granted. Nunley and Slater appeal the trial court’s order.
ANALYSIS
We must decide two issues in this appeal. First, whether under the facts alleged in
the complaint, the Health District could have a duty to protect the Plaintiffs’ personal
information from being wrongly obtained by third parties. Second, whether the Plaintiffs
have alleged a cognizable injury sufficient to support its cause of action for negligence
when they do not claim any out-of-pocket expenses, but do claim loss of time attempting
6 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
to mitigate the effects of the data breach, mental distress over concerns that their identity
will be misused, and loss of value of their personal information.
1. STANDARD OF REVIEW
Appellate courts review an order granting a CR 12(b)(6) motion to dismiss de
novo. Jackson v. Quality Loan Serv. Corp., 186 Wn. App. 838, 843, 347 P.3d 487
(2015). Dismissal is appropriate where a plaintiff is unable to “prove any set of facts
consistent with the complaint that would entitle the plaintiff to relief.” Id. All facts
alleged in the “complaint are presumed true,” but an appellate court is not required to
accept the complaint’s legal conclusions. Id. “‘[A]ny hypothetical situation conceivably
raised by the complaint defeats a CR 12(b)(6) motion if it is legally sufficient to support
the plaintiff’s claim.’” Id. at 843 (quoting Bravo v. Dolsen Co., 125 Wn.2d 745, 750,
888 P.2d 147 (1995)). However, “‘[i]f a plaintiff’s claim [still] remains legally
insufficient . . . under . . . [the] hypothetical facts, dismissal pursuant to CR 12(b)(6) is
appropriate.’” Id. at 843-44 (quoting Gorman v. Gerlock, Inc., 155 Wn.2d 198, 215, 118
P.3d 311 (2005)).
“‘A cause of action for negligence’” accrues when a plaintiff demonstrates “‘(1)
the existence of a duty owed, (2) breach of that duty, (3) a resulting injury, and (4) a
proximate cause between the breach and the injury.’” Pitoitua v. Gaube, 28 Wn. App. 2d
141, 151, 534 P.3d 882 (2023) (quoting Tincani v. Inland Empire Zoological Soc’y, 124
Wn.2d 121, 127-28, 875 P.2d 621 (1994)). Although the court’s order does not specify
7 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
its reason for dismissing the claim, the proffered argument by the Health District in
support of dismissal related to the elements of duty and damages will be evaluated in
turn.
2. DUTY OF CARE
Plaintiffs contend that the Health District had a duty to exercise reasonable care to
protect their PII and PHI from the foreseeable acts of third parties. They maintain that
this duty arises from the Health District’s actions of collecting, storing, and maintaining
large amounts of valuable personal information on its network. The Health District
argues that it had no duty to protect the Plaintiffs’ PII and PHI from the criminal acts of
third persons and the failure to implement procedures to mitigate the risk of cyberattacks
did not create a duty because the Health District did not facilitate the attack or
affirmatively act.
A duty of care is “‘an obligation, to which the law will give recognition and
effect, to conform to a particular standard of conduct toward another.’” Centurion
Props. III, LLC v. Chi. Title Ins. Co., 186 Wn.2d 58, 64, 375 P.3d 651 (2016) (internal
quotation marks omitted) (quoting Certification from the United States Court of Appeals
v. LTK Consulting Servs., Inc., 170 Wn.2d 442, 449, 243 P.3d 521 (2010)). The
determination of whether a duty exists is a question of law that this court reviews de
novo. See Munich v. Skagit Emergency Commc’n Ctr., 175 Wn.2d 871, 877, 288 P.3d
328 (2012). In determining whether a duty exists, we consider principles reflected in
8 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
existing law as well as “‘logic, common sense, justice, policy, and precedent.’”
Stalter v. State, 151 Wn.2d 148, 155, 86 P.3d 1159 (2004) (internal quotation marks
omitted) (quoting Keates v. City of Vancouver, 73 Wn. App. 257, 265, 869 P.2d 88
(1994)); see Barlow v. State, No. 101045-1, slip op. at 5 (Wash. Jan. 4, 2024),
https://www.courts.wa.gov/opinions/pdf/1010451.pdf.
We first consider the principles in existing law. Under the Restatement of Torts,
actors have a duty to exercise reasonable care to avoid the foreseeable consequences of
their own actions. RESTATEMENT (SECOND) OF TORTS § 281 reporter’s note cmts. c, d
(AM. L. INST. 1965). This “‘encompasses the duty to refrain from directly causing harm
to another through affirmative acts of misfeasance.’” Pitoitua, 28 Wn. App. 2d at 153.
On the other hand, nonfeasance is characterized by “‘passive inaction or failure to take
steps to protect others from harm.’” Robb v. City of Seattle, 176 Wn.2d 427, 437, 295
P.3d 212 (2013) (quoting Lewis v. Krussel, 101 Wn. App. 178, 184, 2 P.3d 486 (2000)).
The “distinction between ‘acts’ and ‘omissions’” is important because liability will
typically not be imposed for the latter. Brown v. MacPherson’s, Inc., 86 Wn.2d 293, 300,
545 P.2d 13 (1975).
An actor’s “duty to exercise reasonable care to avoid the foreseeable consequences
of their acts” includes the duty “to avoid exposing another to harm from the foreseeable
conduct of a third party.” Washburn v. City of Fed. Way, 178 Wn.2d 732, 757, 310 P.3d
1275 (2013). Because the criminal conduct of third parties is usually not foreseeable,
9 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
“there is generally no duty to prevent third parties from causing criminal harm to others.”
Id. This general rule is subject to exceptions. Criminal conduct is not per se
unforeseeable. Id.
The Plaintiffs argue that one of these exceptions applies in this case. In limited
circumstances “[a]n act or an omission may be negligent if the actor realizes or should
realize that it involves an unreasonable risk of harm to another through the conduct of the
other or a third person which is intended to cause harm, even though such conduct is
criminal.” RESTATEMENT (SECOND) § 302B. Comment e further explains:
There are, however, situations in which the actor, as a reasonable man, is required to anticipate and guard against the intentional, or even criminal, misconduct of others. In general, these situations arise where the actor is under a special responsibility toward the one who suffers the harm, which includes the duty to protect him against such intentional misconduct; or where the actor’s own affirmative act has created or exposed the other to a recognizable high degree of risk of harm through such misconduct, which a reasonable man would take into account.
(Emphasis added.)
Washington has adopted this Restatement and three cases demonstrate its
application. The first case to find a duty to protect a third party absent a special
relationship was Parrilla v. King County, 138 Wn. App. 427, 157 P.3d 879 (2007).
There, the court found that King County owed a duty of care after a bus driver exited his
bus with the engine running leaving a visibly erratic passenger on board who then drove
the bus away injuring the plaintiff. Parrilla, 138 Wn. App. at 430, 433.
10 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
The Parrilla court recognized the rule that criminal conduct is generally not
foreseeable, but noted that “if a third party’s criminal conduct is reasonably foreseeable,
an actor may have a duty to avoid actions that expose another to that misconduct.”
Parrilla, 138 Wn. App. at 437. Thus, the court held that under Restatement (Second)
302B a duty to “guard against a third party’s foreseeable criminal conduct exists where
an actor’s own affirmative act has created or exposed another to a recognizable high
degree of risk of harm through such misconduct, which a reasonable person would have
taken into account.” Parrilla, 138 Wn. App. at 439.
Applying this rule to the circumstances of the Parrilla case, the court found that
the plaintiff alleged that the driver acted affirmatively when he left a bus with the engine
running and an unstable and volatile passenger on board. Id. at 438. The driver acted
with knowledge of these peculiar conditions, and an “affirmative act created a high
degree [of] risk” of intentional “misconduct, which a reasonable person would have taken
into account.” Id. at 441. Based on these facts, “King County owed a duty of care to the
Parrillas” who were injured when the unstable passenger commandeered the bus. Id.
The Restatement was next applied by our Supreme Court in Robb v. City of
Seattle, 176 Wn.2d 427. There, the defendant shot Robb “using a stolen shotgun loaded
with two shells.” Id. at 430. “Less than two hours before the shooting, officers . . .
stopped [the defendant] and his companion . . . on suspicion of burglary. . . . During the
stop, the officers observed three to five shotgun shells on the ground,” but failed to
11 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
question either individual “about the shells nor picked them up.” Id. When the officers
could not establish probable cause to arrest, they released the defendant. Id. After this
incident, a witness noticed the defendant returned to the scene, picked something up off
the ground, and then shot Robb. Id. The issue was whether the acts of the officers were
considered affirmative acts or more appropriately considered an omission or a failure to
act. Id. at 432.
In finding that this was a case of an omission or nonfeasance, the court held that
the officers “did not affirmatively create a new risk when they stopped [the defendant]
and failed to pick up the nearby shells.” Id. at 437. “The officers did not provide the
[shotgun] shells, nor did they give [the defendant] the shotgun he used to kill Robb,” and
therefore, the officers only “failed to remove a risk when they did not remove the shells.”
Id. at 437-38. Whether the officers stopped the defendant or not, he would have
presented the same risk. Id. at 438. Put simply, “the situation of peril . . . existed before
law enforcement stopped [the defendant], and the danger was unchanged by the officers’
actions.” Id. “Because [the officers] did not make the risk any worse, their failure to
pick up the shells was [more appropriately characterized as] an omission, not an
affirmative act.” Id.
Finally, in Washburn, the court considered whether the city owed a duty to the
decedent who died at the hands of her boyfriend after he was served by police with a
protection order. 178 Wn.2d 732. The court noted that police were aware of information
12 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
making it reasonably foreseeable that the boyfriend would react violently to being served
with the protection order. Id. at 759. In addition, the officer knew that he was serving
the boyfriend at the decedent’s home with the decedent present, but instead of insuring
her safety the officer walked away after serving the order, leaving the boyfriend at the
house with the decedent. Id. at 761. The court found that under these circumstances, the
officer’s act of serving the protection order on the boyfriend was an affirmative act that
created a new and foreseeable risk that the boyfriend would respond violently, and the
officer had a duty to eliminate or reduce this risk. Id. at 760.
The Washburn court rejected the city’s characterization of its participation as
nonfeasance—the failure to act—even though the plaintiff produced evidence that the
officer failed to take steps to ensure the decedent’s safety. Instead, the court recognized
that these were simply examples of ways in which the officer improperly served the
order. Id. at 760-61.
In the case before us, the Plaintiffs allege that the Health District’s act of
collecting, retaining, and storing the Plaintiffs’ PII and PHI constitutes an affirmative act
that created a high degree of risk that third parties would attempt to obtain the personal
information. Assuming the Plaintiffs can prove these allegations, we agree that they are
sufficient to create a duty upon the Health District to use ordinary care in the collection
and storage of the Plaintiffs’ personal information.
13 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
By collecting numerous records of sensitive data and storing them on network
systems that the Health District maintained, the Health District created a new and greater
risk that criminals would come after the personal information. Personal information has
value. And while its value in singular form may not be enough to create a target for
hackers, when the single record is collected and stored with hundreds or thousands of
other personal records on a single network, the benefit of hacking a system to obtain
these records rises exponentially. By gathering individual records and storing them
collectively on a network, the Health District took affirmative steps that created a high
degree of risk.
Two of the illustrations provided in Restatement (Second) 302B comt. e(H)
support our conclusion. The illustrations provide that a duty may arise “[w]here the actor
acts with knowledge of peculiar conditions which create a high degree of risk of
intentional misconduct,” or “[w]here property of which the actor has possession or
control affords a peculiar temptation or opportunity for intentional interference likely to
cause harm.” RESTATEMENTS (SECOND) 302B cmt. e(H), (G). Here, it is alleged that the
Health District possessed and controlled the personal information records of the
Plaintiffs, and had specific knowledge that its system was being targeted by cyber
criminals who would be attempting to gain access to these confidential records. See Tae
Kim v. Budget Rent A Car Sys., Inc., 143 Wn.2d 190, 198, 15 P.3d 1283 (2001) (noting
that “‘[i]t would be unjust to require one to anticipate that a crime will be committed
14 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
unless there has been a warning’” (emphasis added) (internal quotation marks omitted)
(quoting W. PAGE KEETON ET AL., PROSSER AND KEETON ON THE LAW OF TORTS § 33
n.78, at 201 (5th ed. 1984)).
The Health District maintains that the Plaintiffs are alleging nonfeasance instead
of misfeasance. In support of this position, the Health District points to the Plaintiffs’
allegations that the Health District failed to take steps to protect the records. But similar
to the Supreme Court’s analysis in Washburn, the Plaintiffs’ allegations highlight ways in
which the Health District improperly stored and secured the personal information.
Imposing a duty on companies that collect and store PII and PHI to use reasonable
care is supported not only by the Restatements and our existing case law, but it is also
supported by policies already established in Washington.
Washington has a strong public policy of protecting people from identity theft.
The legislative findings supporting the penal statute declare that a person’s “means of
identification and financial information are personal and sensitive information such that if
unlawfully obtained, possessed, used, or transferred by others may result in significant
harm to a person’s privacy, financial security, and other interests.” RCW 9.35.001(1).
In the civil arena, businesses are required to notify any resident whose unencrypted
personal information “was, or is reasonably believed to have been, acquired by an
unauthorized person.” RCW 19.255.010(1), (2); RCW 42.56.590(1), (2). The chapter
15 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
provides that consumers who are injured by a business’s failure to comply with the notice
requirement have a cause of action to recover damages. RCW 19.255.040(3)(a).
There are numerous other examples of Washington’s policy on preventing identity
theft and the corresponding requirements on entities that collect this information. See
Wash. Pub. Emps. Ass’n v. Wash. State Ctr. for Childhood Deafness & Hr’g Loss, 194
Wn.2d 484, 501, 497, 450 P.3d 601 (2019) (recognizing that “preventing identity theft
and the misuse of personal information is an important policy objective”; “No
Washington case has ever held that employee birth dates associated with names are
private.”); RCW 46.22.010(2) (imposing an affirmative duty on data recipients from the
department of licensing “to take all reasonable actions necessary to prevent the
unauthorized disclosure and misuse of personal or identity information”).
We hold that the Health District owed the Plaintiffs a duty to use reasonable care
in the collection and storing of their PII and PHI, and this duty includes taking reasonable
steps to prevent unauthorized access and disclosure of the information.
3. COGNIZABLE INJURY
Alternatively, the Health District contends that dismissal for failure to state a
claim was proper because the Plaintiffs have failed to allege injuries that are recoverable
under a claim of negligence. The Plaintiffs allege that their identity has been stolen and
as a result they have suffered harm in the form of (1) increased risk of monetary loss due
to misuse of their identity, (2) fear that their PII and PHI will be misused to commit
16 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
fraud, (3) time and effort spent monitoring their identity and mitigating the risk of
misuse, and (4) a decrease in the value of their identity. The Health District responds that
the Plaintiffs are largely claiming “an injury they have not suffered and may never suffer:
identity theft.” Br. of Resp’t at 16.
As we noted above, a resulting injury is one of the elements of negligence.
Pitoitua, 28 Wn. App. 2d at 151. A cause of action for negligence does not accrue until
the plaintiff has suffered actual loss or damages. Gazija v. Nicholas Jerns Co., 86 Wn.2d
215, 219, 543 P.2d 338 (1975).
For purposes of clarity, we use the definition of the terms “injury,” “harm,” and
“damages,” as provided in the Restatements. Our reference to “injury” denotes “the
invasion of any legally protected interest.” RESTATEMENT (SECOND) § 7(1). “Harm,” on
the other hand, is broader and “denote[s] the existence of loss or detriment in fact of any
kind to a person resulting from any cause.” RESTATEMENT (SECOND) § 7(2). Finally,
“damages” refers to an award from a court to compensate for a legal wrong.
RESTATEMENT (SECOND) § 902. “Damages flow from an injury.” RESTATEMENT
(SECOND) § 902 cmt. a; see also Lavington v. Hillier, 22 Wn. App. 2d 134, 149, 510 P.3d
373 (2022); Huff v. Roach, 125 Wn. App. 724, 729, 106 P.3d 268 (2005); Lavigne v.
Chase, Haskell, Hayes & Kalamon, PS, 112 Wn. App. 677, 684, 50 P.3d 306 (2002).
As a preliminary matter, we note that the Health District relies in large part on
federal cases to support its position that the types of damages alleged by the Plaintiffs are
17 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
not recoverable in a claim of negligence. While these federal cases are informative, they
are not directly on point. Most of them address whether plaintiffs have alleged an injury-
in-fact for purposes of establishing standing under article III of the Unites States
Constitution. For the most part, these cases are not addressing the elements of negligence
under Washington law. To the extent that the analysis for determining standing is similar
to the analysis for determining whether a cognizable injury has been alleged, we note that
Washington has not adopted the heightened “plausibility” pleading standard required to
prove standing in federal court. McCurry v. Chevy Chase Bank, FSB, 169 Wn.2d 96,
102-03, 233 P.3d 861 (2010). Instead, we must consider the issue under the state civil
rule, which provides that a complaint should not be dismissed so long as it is possible the
plaintiffs could establish facts to support their claim. Id. at 101; CR 12(b)(6).
Here, it is possible that the Plaintiffs will be able to prove that they are victims of
identity theft and that they have been injured. Our legislature has defined the crime of
identity theft to occur when a person’s means of identification is taken or possessed by
someone with the intent to commit any crime. RCW 9.35.020(1). The crime of second
degree identity theft does not require proof that a defendant misused the identity of
another. State v. Sells, 166 Wn. App. 918, 926, 271 P.3d 952 (2012). Possession with
intent is enough.
A “victim” of identity theft includes “a person whose means of identification . . .
has been used or transferred with the intent to commit . . . any unlawful activity.” RCW
18 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
9.35.005(6). There are several alternative ways to define a person’s “means of
identification,” including possession of the person’s name, telephone number, email
address or an identifier of the individual or their family member. RCW 9.35.005(3).
While a person’s “means of identification” may include their Social Security number, a
person’s identity can be stolen even when their Social Security number is not included in
the information taken.4 Sells, 166 Wn. App. at 924. Finally, a person who steals
another’s identity is liable for damages in the amount of $1,000 or actual damages,
whichever is greater. RCW 9.35.020(7).
The Plaintiffs allege that their PII and PHI was taken by hackers from the Health
District’s system. The information taken can qualify as the Plaintiffs’ means of
identification. We can assume that the hackers took the information with the intent to use
it for illegal purposes. As defined by Washington’s criminal statute, the Plaintiffs have
alleged that their identity has already been stolen. Thus, the Plaintiffs have alleged a
current injury because they have alleged the invasion of a legally protected interest. For
this reason, we disagree with the Health District that the Plaintiffs are alleging only the
potential for future identity theft.
4 In deciding a CR 12(b)(6) motion, a court is to consider all conceivable facts in support of the plaintiffs’ allegations, including hypothetical facts. Gorman v. Garlock, Inc. 121 Wn. App. 530, 538, 89 P.3d 302 (2004). This is true even if the facts are presented for the first time on appeal. Id. Therefore, although Nunley did not specifically allege she provided Health District with her Social Security number in the complaint, we may assume this fact because she has presented it on appeal.
19 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
Nonetheless, injury and damages do not always occur simultaneously and a
plaintiff’s claim for negligence does not accrue until there has been an actual loss.
Gazija, 86 Wn.2d at 219-20. “The mere danger of future harm, unaccompanied by
present damage, will not support a negligence action.” Id. at 219. Given this rule, the
more succinct question in this case is whether the Plaintiffs have alleged a current harm
from having their identity stolen when there are no allegations that they have suffered any
out-of-pocket losses as a result of the injury. We consider the types of harm alleged by
the Plaintiffs below.
Fear and Inconvenience
We first consider whether the Plaintiffs could recover for increased anxiety due to
the possibility that someone will use their stolen identity to commit fraud as well as the
time they spent monitoring their credit and mitigating the potential risk.
Damages for mental anguish, pain, and suffering, are available in a claim of
negligence when a plaintiff has suffered physical injury. Schmidt v. Coogan, 181 Wn.2d
661, 673, 335 P.3d 424 (2014). In cases where physical injury is also alleged, courts
have allowed plaintiffs to recover for anxiety over the fear that the future injury will
manifest. “Our courts long have recognized that a plaintiff may recover for anxiety,
arising from a current reasonable fear of future injury or illness, and resulting from an
injury caused by the defendant.” Sorenson v. Raymark Indus., Inc., 51 Wn. App. 954,
958, 756 P.2d 740 (1988). Thus, a plaintiff who was exposed to asbestos could recover
20 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
for the anxiety he suffered before developing asbestosis because he was aware of the
possibility of contracting cancer from the exposure. Id. A plaintiff who drank from a
bottle containing shards of glass, and was told that future surgery may be needed, could
recover for the fear this engendered. Brown v. Coca-Cola Bottling, Inc., 54 Wn.2d 665,
668-69, 344 P.2d 207 (1959). After establishing that a hospital had improperly placed a
catheter in his arm, a plaintiff could recover for mental anxiety based on the fear that the
catheter could slip into his cardiovascular system. Dickerson v. St. Peter’s Hosp., 72
Wn.2d 196, 432 P.2d 293 (1967). In this case, however, the Plaintiffs are not alleging
physical injury.
Damages for inconvenience, discomfort and mental anguish are available for
intentional torts. See Thorley v. Nowlin, 29 Wn. App. 2d 610, 624, 542 P.3d 137 (2024)
(noneconomic damages available for intentional interference with a plaintiff’s property
interests); Brower v. Ackerley, 88 Wn. App. 87, 98, 943 P.2d 1141 (1997) (emotional
distress damages are available for the intentional tort of outrage); see Lavington, 22 Wn.
App. 2d at 152 (“general rule is that a plaintiff can recover damages for emotional
distress resulting from an intentional tort like trespass”). But again, the Plaintiffs here are
not alleging an intentional tort.
“When emotional distress is the sole damage resulting from negligent acts, our
court is cautious in awarding damages.” Schmidt, 181 Wn.2d at 671. Whether such
21 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
damages are available depends in part on whether the plaintiff and defendant had a
preexisting relationship. Price v. State, 114 Wn. App. 65, 71, 57 P.3d 639 (2002).
If the parties lacked a preexisting relationship, and the defendant's breach was negligent rather than intentional, emotional distress damages are available only if the plaintiff proves “objective symptomatology.” If the parties had a preexisting relationship, the availability of emotional distress damages turns generally on the characteristics of the particular relationship. If the relationship was primarily economic, emotional distress damages may not be available. If the relationship was not primarily economic, emotional distress damages may be available.
Id. (citations omitted).
Noneconomic damages may also be awarded when a plaintiff was a bystander
within the zone of danger. Repin v. State, 198 Wn. App. 243, 259-60, 392 P.3d 1174
(2017). Alternatively, plaintiffs can plead and prove theories of liability that allow for
emotional distress damages without physical injury. See Bylsma v. Burger King Corp.,
176 Wn.2d 555, 293 P.3d 1168 (2013); Schmidt, 181 Wn.2d 671-72 (citing examples
where emotional distress damages are recoverable in the absence of physical damages,
including wrongful discharge in violation of public policy, violation of the Washington
Law Against Discrimination, ch. 49.60 RCW; medical malpractice, ch. 7.70 RCW, for
the unauthorized disclosure of confidential information, breach of professional duty by a
day care provider, wrongful adoption, and attorney malpractice).
At the complaint stage of the proceedings, plaintiffs are not required to allege the
factors that might determine if emotional distress damages are available. Here, the
22 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
Plaintiffs have not alleged a physical injury or an intentional tort, but they have alleged
an injury: that their PII and PHI were misappropriated. Conceivably, they could produce
evidence to support an award of damages for inconvenience and emotional distress under
one of the scenarios outlined in Price. Thus, at this early stage in the case, the request for
emotional distress damages is sufficient to allege a cognizable injury to support a
negligence claim.
Decrease in Value of Identity
The Plaintiffs allege that the value of their personal identity has decreased and has
been diluted due to the theft of their identity. Defendants contend that Washington has
never recognized the loss of value of PII and PHI as a type of harm that is recoverable in
negligence.
While Washington has not yet weighed in on this murky issue, it is well
established in our state that a plaintiff can recover for the loss or damage to personal
property in an action for negligence. See Grothe v. Kushnivich, 24 Wn. App. 2d 755,
766, 521 P.3d 228 (2022). “The purpose of awarding damages for injury to personal
property is to place the injured party as nearly as possible in the condition in which he
would have been had the wrong not occurred.” 16 DAVID K. DEWOLF & KELLER W.
ALLEN, WASHINGTON PRACTICE: TORT LAW AND PRACTICE § 6:4 at 318 (5th ed. 2020).
Whether our personal means of identification, PII, or PHI, are considered to be personal
property that can be damaged or destroyed is an issue of first impression in Washington.
23 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
In deciding this question, we take guidance from decisions from other jurisdictions and
Washington law on related issues.
Several other courts have addressed whether a plaintiff can claim loss in the value
of their personal identity as a cognizable injury under a claim of negligence. These
decisions have reached varying results. In In re Marriott International, Inc., Customer
Data Security Breach Litigation, 440 F. Supp. 3d 447, 460-61 (D. Md. 2020), the federal
district court addressed whether a claim of loss in value of PII was sufficient to allege an
injury-in-fact for purposes of standing in federal court. The court noted the “growing
trend across courts that have considered this issue is to recognize the lost property value
of this information.” Id. at 461. In concluding that injury-in-fact was alleged, the court
took notice of statements made by the United States Attorney General that data stolen
from companies has “economic value” to foreign nationals. Id. at 462. The court also
noted that companies and consumers recognize the value of PII, and consumers offer
their PII to companies in exchange for goods and services. Id. Finally, in concluding
that a loss in value of personal information was sufficient to show injury-in-fact, the court
found that
the value of personal identifying information is key to unlocking many parts of the financial sector for consumers. Whether someone can obtain a mortgage, credit card, business loan, tax return, or even apply for a job depends on the integrity of their personal identifying information.
Id.
24 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
Several other courts have reached a similar result. See Collins v. Athens
Orthopedic Clinic, PA, 307 Ga. 555, 562, 837 S.E.2d 310 (2019) (recognizing that an
important part of the value of data to anyone attempting to buy it on the black market is
its utility in committing identity theft); Calhoun v. Google LLC, 526 F. Supp. 3d 605, 635
(N.D. Cal. 2021) (recognizing property interest in personal information); In re Accellion,
Inc. Data Breach Litig., 713 F. Supp. 3d 623, 637 (N.D. Cal. 2024) (recognizing loss of
value of PII and consequential out-of-pocket expenses as cognizable categories of
damages for negligence claims under California law).
On the other hand, several courts have found that a claim for loss of value of
identity or personal information is not recoverable in an action for negligence. See In re
21st Century Oncology Customer Data Sec. Breach Litig., 380 F. Supp. 3d 1243, 1257
(M.D. Fla. 2019) (“The Court rejects this theory of injury in fact because Plaintiffs have
not alleged that their personal information has an independent monetary value that is now
less than it was before the Data Breach.”); B.K. v. Eisenhower Med. Ctr., __F. Supp. 3d
__, 2024 WL 878100, at *6 (C.D. Cal. Feb. 29, 2024), modified on reconsideration, __F.
Supp. 3d __, 2024 WL 2037404 (C.D. Cal. Apr. 11, 2024) (quoting John Doe v. Meta
Platforms, Inc., 690 F. Supp. 3d 1064, 1089 (N.D. Cal. 2023)) (“Courts in this [circuit]
have dismissed cases where, like here, [plaintiff’s] injury is based on ‘the loss of the
inherent value of their personal data,’ as well as where it was undisputed that plaintiffs
paid no money to the defendant.”) (citation omitted); see also Saeedy v. Microsoft Corp.,
25 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
No. 23-CV-1104, 2023 WL 8828852, at *6 (W.D. Wash. Dec. 21, 2023) (court order)
(“To establish standing for their claims of loss of value in their data as property, Plaintiffs
must show that they personally lost money or property as a result of Microsoft’s
conduct.”).
In Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), a company laptop
containing the unencrypted data of company employees was stolen. Several employees
sued, alleging the theft caused them to spend time protecting their identity, but did not
allege any out-of-pocket expenses or losses. In the published portion of the opinion, the
Ninth Circuit held that the allegations were sufficient to confer standing. Id. at 1143.
But in the unpublished opinion, the court held that the plaintiffs failed to allege a
cognizable injury because they were alleging only the danger of future harm. Krottner v.
Starbucks Corp., 406 F. App’x. 129, 131 (9th Cir. 2010). The Krottner court did not
consider whether increased anxiety or loss in value of personal information would
constitute a cognizable injury.
In considering these competing interests, we note that the laws in Washington
demonstrate a public policy that recognizes there is value in the security of our personal
information. Beyond the criminal statute, there are numerous laws regulating the actions
of companies and agencies who handle personal and health care information. The
Uniform Health Care Information Act, ch. 70.02 RCW, “recognizes that ‘[h]ealth care
information is personal and sensitive information that if improperly used or released may
26 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
do significant harm to a patient’s interests in privacy, health care, or other interests.’”
Seattle Childs. Hosp. v. King County, 16 Wn. App. 2d 365, 379, 483 P.3d 785 (2020)
(quoting RCW 70.02.005(1)). The Washington My Health My Data Act, ch. 19.373
RCW, requires “additional disclosures and consumer consent regarding the collection,
sharing, and use of [health data].” RCW 19.373.005(3). The Washington Public Records
Act, ch. 42.56 RCW, includes specific exemptions for personal information and requires
agencies to disclose data breaches. See RCW 42.56.230 (exempting various personal
information from a public records request); RCW 42.56.640 (exempts sensitive personal
information of vulnerable individuals and home caregivers from disclosure in public
records requests); RCW 42.56.590 (requires agency whose systems contain personal
information to disclose any data breach); RCW 70.02.020 (prohibits health care providers
from disclosing health care information without written authorization from the patient).
Washington has even created an “Office of Privacy and Data Protection” to serve
as a resource for local governments and the public in developing best practices for
handling personal information. RCW 43.105.369. If personal information had no value,
the extensive efforts of criminals to steal it—and the substantial work by legislators and
companies to protect it—would be pointless.
Considering Washington’s existing law and the realities of the digital economy we
live in now, we find the reasoning in the recent Marriott case to be persuasive. We
follow the line of cases that hold that a person’s means of identification, PII and PHI, can
27 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
have value and conceivably that value can be diminished or destroyed when their
identities are misappropriated for illegal purposes.
Here, Plaintiffs allege that their PII and PHI was stolen in a data breach of the
Health District’s computer systems. They allege that the theft caused their PII and PHI to
lose value. They assert that after the data breach, the Plaintiffs received additional spam
calls. One plaintiff was notified that her Social Security number was found on the dark
web and an unauthorized business license was opened in her name. The loss in value of
their PII and PHI is a current harm and a cognizable injury sufficient to support a cause
of action for negligence. Whether and how the Plaintiffs can prove such damages is not a
question before us.
Risk of Future Economic Harm from Identity Theft
Plaintiffs also allege that there is an imminent risk that their stolen identity will be
misused in the future, which will likely cause them out-of-pocket losses. We distinguish
this type of damage from Plaintiffs’ allegation that they are suffering anxiety over the
possibility that their stolen identity will be misused. Damages for future economic loss
are different from damages for emotional distress.
The Health District contends that the Plaintiffs are precluded from recovering for
this type of damage, arguing that these are future damages. If future economic damages
were the only theory of recovery asserted by the Plaintiffs, we might agree. But because
28 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
it is conceivable that the Plaintiffs will be able to demonstrate current harm, their claim
for future harm survives a CR 12(b)(6) motion.
In Gazija, the court addressed when a cause of action accrued for purposes of the
statute of limitations. 86 Wn.2d 215. The court noted that a claim of negligence does not
accrue until there has been actual loss or damages, noting that “[t]he mere danger of
future harm, unaccompanied by present damage, will not support a negligence action.”
Id. at 219. However, once a plaintiff experiences actual harm, the statute of limitations
begins to run even if all of the damages resulting from the injury have not been sustained.
Steele v. Organon, Inc., 43 Wn. App. 230, 234, 716 P.2d 920 (1986).
Although Gazija was concerned with the accrual of a cause of action for purposes
of the statute of limitations, the holding has been applied in determining if a plaintiff has
alleged sufficient injury to state a claim for negligence. See Brewer v. Lake Easton
Homeowners Ass’n, 2 Wn. App. 2d 770, 780-81, 413 P.3d 16 (2018).
Standing alone, the Plaintiffs’ request for damages for the risk of future economic
damages would not support a claim of negligence. But here, the relief requested is in
addition to a request for damages from current harm.
We emphasize that our decision is based on the liberal standard applied to a
motion to dismiss under CR 12(b)(6) for failure to state a claim. While we determine that
under the facts as alleged in the complaint the defendant had a duty to use reasonable care
in collecting and storing the Plaintiffs’ PII and PHI, and that the Plaintiffs may be able to
29 No. 39571-5-III Nunley, et al v. Chelan-Douglas Health Dist.
prove a cognizable injury, we make no determination on the likelihood of success. Nor
do we evaluate the sufficiency of evidence. We merely hold that the facts alleged in the
complaint are sufficient to state a claim of negligence.
We hold that the Plaintiffs have alleged a claim for negligence sufficient to meet
the minimum requirements of CR 12(b)(6). We reverse the superior court’s order of
dismissal and remand for further proceedings.
_________________________________ Staab, A.C.J.
WE CONCUR:
_________________________________ Fearing, J.
_________________________________ Cooney, J.