
    Argued and submitted September 21, 2011,
    decision of Court of Appeals and judgment of circuit court affirmed February 24, 2012
    Laurie PAUL, Plaintiff, and Russell GIBSON and William Weiller, DDS, individually and on behalf of all similarly-situated individuals, Petitioners on Review, v. PROVIDENCE HEALTH SYSTEM-OREGON, an Oregon corporation, Respondent on Review.
    
    (CC 060101059; CA A137930; SC S059131)
    273 P3d 106
    Maureen Leonard, Portland, argued the cause and filed the brief for petitioners on review.
    Gregory A. Chaimov, Davis Wright Tremaine LLP, Portland, argued the cause and filed the brief for respondent on review. With him on the brief was John F. McGrory.
    
      Before De Muniz, Chief Justice, and Durham, Balmer, Walters, Linder, and Landau, Justices.
    
    BALMER, J.
    
      
       Kistler, J., did not participate in the consideration or decision of this case.
    
   BALMER, J.

The issue in this case is whether a healthcare provider can be liable in damages when the provider’s negligence permitted the theft of its patients’ personal information, but the information was never used or viewed by the thief or any other person. Plaintiffs claimed economic and noneconomic damages for financial injury and emotional distress that they allegedly suffered when, through defendant’s alleged negligence, computer disks and tapes containing personal information from an estimated 365,000 patients (including plaintiffs) were stolen from the car of one of defendant’s employees. The trial court and Court of Appeals held that plaintiffs had failed to state claims for negligence or for violation of the Unlawful Trade Practices Act (UTPA), ORS 646.605 to 646.652. Paul v. Providence Health System-Oregon, 237 Or App 584, 240 P3d 1110 (2010). We conclude that, in the absence of allegations that the stolen information was used in any way or even was viewed by a third party, plaintiffs have not suffered an injury that would provide a basis for a negligence claim or an action under the UTPA. We therefore affirm, although our analysis differs in some respects from that of the Court of Appeals.

I. BACKGROUND AND PROCEEDINGS BELOW

We take the facts from plaintiffs’ third amended complaint. When reviewing a trial court order granting a motion to dismiss, we accept as true all well-pleaded facts in the complaint. Bailey v. Lewis Farm, Inc., 343 Or 276, 278, 171 P3d 336 (2007). The named plaintiffs were patients of defendant, a nonprofit corporation that provides healthcare. An employee of defendant left computer disks and tapes containing records of 365,000 patients in a car; the disks and tapes were subsequently stolen on or about December 30-31, 2005. The records included names, addresses, phone numbers, Social Security numbers, and patient care information. Defendant notified all individuals whose information was contained on the disks and tapes and advised them to take precautions to protect themselves against identify theft.

Plaintiffs filed this class action on behalf of themselves and other individuals whose records had been stolen. Plaintiffs asserted common law negligence and negligence per se claims, alleging that defendant’s conduct had caused them financial injury in the form of past and future costs of credit monitoring, maintaining fraud alerts, and notifying various government agencies regarding the theft, as well as possible future costs related to identity theft. Plaintiffs also alleged that they suffered noneconomic damages for the emotional distress caused by the theft of the records and attendant worry over possible identity theft. Plaintiffs did not allege any intentional conduct by defendant. Nor did plaintiffs allege that any unauthorized person ever had accessed any of the information contained on the disks and tapes, or that any plaintiff had suffered any actual financial loss, credit impairment, or identity theft. In addition to their negligence claims, plaintiffs alleged that defendant had violated the UTPA by representing that patient data would be kept confidential when defendant knew that such data was inadequately safeguarded.

Defendant filed a motion to dismiss plaintiffs’ complaint for failure to state ultimate facts sufficient to constitute a claim for relief. The trial court granted defendant’s motion, holding that the damages plaintiffs alleged were not compensable under Lowe v. Philip Morris USA, Inc., 207 Or App 532, 142 P3d 1079 (2006), aff'd, 344 Or 403, 183 P3d 181 (2008), because plaintiffs’ claimed damages — although reflecting, in part, expenses that plaintiffs actually had incurred- — were premised on the risk of future injury, rather than actual present harm.

Plaintiffs appealed, and the Court of Appeals affirmed. That court began lay analyzing whether plaintiffs had stated a negligence claim for economic damages. To recover damages for purely economic harm, liability “ ‘must be predicated on some duty of the negligent actor to the injured party beyond the common law duty to exercise reasonable care to prevent foreseeable harm.’ ” Oregon Steel Mills, Inc. v. Coopers & Lybrand, LLP, 336 Or 329, 341, 83 P3d 322 (2004) (quoting Onita Pacific Corp. v. Trustees of Bronson, 315 Or 149, 159, 843 P2d 890 (1992)). The Court of Appeals held that plaintiffs had failed to identify a “heightened duty of care to protect against economic harm arising out of the relationship between themselves as patients and defendant as a health care provider.” Paul, 237 Or App at 592. The court rejected plaintiffs’ argument that state and federal statutes protecting the confidentiality of medical records established an independent standard of care that defendant had violated, reasoning that those statutes did not create a special relationship between the parties that would give rise to a heightened duty owed to plaintiffs. Id. at 593. Because plaintiffs failed to identify a special relationship between the parties, the court concluded that plaintiffs could not, under this court’s opinion in Lowe, recover for the expenses of monitoring a future potential harm. Id.

The Court of Appeals then turned to plaintiffs’ claim for damages for emotional distress. A plaintiff may recover damages for emotional distress, in the absence of physical injury, “where the defendant’s conduct infringed on some legally protected interest apart from causing the claimed distress, even when that conduct was only negligent.” Hammond v. Central Lane Communications Center, 312 Or 17, 23, 816 P2d 593 (1991). As with plaintiffs’ claim for economic damages, the Court of Appeals held that plaintiffs had failed to identify a special relationship between the parties that could give rise to a duty of care to avoid emotional harm to plaintiffs. Paul, 237 Or App at 597. The court distinguished those cases where a plaintiff recovered emotional distress damages in the absence of a special relationship, because those cases involved an “affirmative” breach of a duty of confidentiality. In the absence of an affirmative breach or a special relationship, the court held that plaintiffs had not stated a claim for emotional distress. Id. at 600.

Regarding plaintiffs’ claim under the UTPA, the Court of Appeals held that the only financial harm identified by plaintiffs in their complaint — the out-of-pocket expenses incurred to prevent identity theft — was not an “ascertainable loss” under the UTPA. Id. at 604. That was so because the money that plaintiffs had spent was “to prevent a potential loss” (e.g., financial injury caused by future identity theft) that “might result from the misrepresentations,” but was not itself an ascertainable loss caused by defendant. Id. (emphasis in original).

II. PLAINTIFFS’ NEGLIGENCE CLAIMS

We begin with plaintiffs’ claim for common law negligence. As we recently stated in Lowe, “Not all negligently inflicted harms give rise to a negligence claim.” 344 Or at 410. Rather, to recover in negligence, a plaintiff must suffer harm “to an interest of a kind that the law protects against negligent invasion.” Solberg v. Johnson, 306 Or 484, 490, 760 P3d 867 (1988). Plaintiffs, in their third amended complaint, describe their injury as follows:

“Plaintiffs and class members suffered economic damages in the form of past out-of-pocket expenses for credit monitoring services, credit injury, long distance and time loss from employment to address these issues. * * * In addition, plaintiffs and class members have suffered non-economic damages in the past and will do so in the future in the form of impairment of access to credit inherent in placing and maintaining fraud alerts, as well as worry and emotional distress associated with the initial disclosure and the risk of any future subsequent identity theft * * *.”

(Emphasis added.) Thus, plaintiffs allege that defendant’s negligence created the risk of future identify theft, and they seek economic damages for the past and future expense of credit monitoring services and related expenditures made to address the risk of identity theft. They also allege that the increased risk of future identify theft has caused them present and future emotional distress, and they seek damages for that noneconomic injury. Although plaintiffs allege that an unknown person stole digital records containing plaintiffs’ information from defendant’s employee’s car, they do not allege that the thief or any third person actually used plaintiffs’ information in any way that caused financial harm or emotional distress to them. They allege no actual “identity theft,” as that term is used in Oregon statutes, nor do they allege that defendant’s actions caused them actual financial injury, apart from the expenses that they incurred in the form of credit monitoring that they initiated.

A. Damages for Economic Loss

Under the economic loss doctrine, “[0]ne ordinarily is not liable for negligently causing a stranger’s purely economic loss without injuring his person or property.” Hale v. Groce, 304 Or 281, 284, 744 P2d 1289 (1987). Damages for purely economic losses, however, are available when a defendant has a duty to guard against the economic loss that occurred. Onita, 315 Or at 159. A duty to protect against economic loss can arise “from a defendant’s particular status or relationships, or from legislation, beyond the generalized standards that the common law of negligence imposes on persons at large.” Fazzolari v. Portland School Dist. No. 1J, 303 Or 1, 10, 734 P2d 1326 (1987).

Plaintiffs argue that they are patients of defendant, a healthcare provider, and that that relationship imposes on defendant a duty to protect them against economic loss. They also point to state and federal statutes that require healthcare providers to protect patient information and assert that those statutes impose a duty or standard of care on defendant that provides a basis for plaintiffs to seek economic damages in a negligence action. Defendants respond that neither the nature of the relationship between plaintiffs and defendant nor the statutes that plaintiffs cite establish the heightened duty of care that would provide a basis for a negligence action to recover economic damages for defendant’s failure to protect plaintiffs’ personal information. As noted, the Court of Appeals agreed with defendant. See Paul, 237 Or App at 592-93.

We need not resolve the dispute between the parties as to whether common law tort principles or statutes concerning the protection of patient information provide a basis for plaintiffs’ claims for economic damages. Assuming, without deciding, that defendant owed a duty to protect plaintiffs against economic losses, we nevertheless conclude, for the reasons that follow, that plaintiffs’ allegations here are insufficient because plaintiffs do not allege actual, present injury caused by defendant’s conduct.

To the extent that plaintiffs seek damages for future harm to their credit or financial well-being, Lowe forecloses such a claim because “ ‘the threat of future harm, by itself, is insufficient as an allegation of damage in the context of a negligence claim,’ ” 344 Or at 410 (quoting Zehr v. Haugen, 318 Or 647, 656, 871 P2d 1006 (1994)). Plaintiffs argue, however, that they should be able to recover as economic damages the past and present expenses (such as the cost of credit monitoring) that they have incurred to protect themselves from the risk of future economic harm. Defendant and amici respond that, in Lowe, this court stated that it was unwilling to “overul[e] Oregon’s well-established negligence requirements” to require a defendant whose conduct increased the plaintiffs’ risk of cancer to pay for medical monitoring, 344 Or at 414-15, and argue that to require defendant here to pay for credit monitoring because of the increased risk of a purely economic future harm would require an even greater departure from existing case law. We agree.

As this court stated in Lowe, “the fact that a defendant’s negligence poses a threat of future physical harm is not sufficient, standing alone, to constitute an actionable injury.” Id. at 410. We then quoted Prosser and Keeton’s comment that, as the law of negligence developed, “ ‘it retained the rule that proof of damage was an essential part of the plaintiffs case’ ” and that “ ‘[n]ominal damages, to vindicate a technical right, cannot be recovered in a negligence action, where no actual loss has occurred.’ ” Id. (quoting W. Page Keeton, Prosser and Keeton on the Law of Torts § 30,165 (5th ed 1984)). In Lowe, we applied that rule in rejecting a claim for medical monitoring expenses when the plaintiff had suffered no present physical harm.

Although plaintiffs are correct that this case is factually distinguishable from Lowe because of the relationship between plaintiffs and defendant here, they are incorrect in arguing that Lowe stands for the proposition that, had there been such a relationship in that case, this court would have permitted recovery for monitoring expenses, notwithstanding the absence of some present harm to plaintiffs. As we said in Lowe, “Under Oregon Steel Mills and a long line of this court’s cases, the present economic harm that defendants’ actions allegedly have caused — the cost of medical monitoring —is not sufficient to give rise to a negligence claim.” 344 Or at 414. That rule applies whether or not there is a “relationship” between the plaintiff and the defendant. If there is no relationship between the parties — or other source of a duty on the part of the defendant to protect the plaintiff against economic loss— a plaintiff cannot recover economic losses caused by the defendant’s negligence. Onita, 315 Or at 159. But even if such a duty has been alleged, Lowe indicates that the cost of monitoring to protect against an increased risk of harm — in the absence of present injury — is not recoverable in a negligence action. Lowe's citation of Oregon Steel Mills in the sentence quoted above supports defendant’s position that monitoring expenses to mitigate possible future harm are not recoverable, even when there is a relationship between the parties that might provide a basis for recovering actual economic damages caused by a present injury. It follows, in our view, that the cost of credit monitoring that results, not from any “present economic harm” (to borrow the phrase from Lowe) to plaintiffs, but rather from the risk of possible future harm, also is insufficient to state a negligence claim.

That conclusion is similar to those reached by other courts that have considered claims for credit monitoring damages in the absence of present identity theft or other harm. In Pisciotta v. Old Nat. Bancorp, 499 F3d 629 (7th Cir 2007), the court rejected negligence claims for credit monitoring by a bank’s customers whose personal information had been accessed by a computer “hacker.” The court noted that Indiana cases had rejected medical monitoring damages based on “exposure to a future potential harm” and had required instead “an actual exposure-related illness or disease.” 499 F3d at 639. It concluded that a similar distinction between “exposure” to future harm and actual harm should apply in the credit monitoring context. The court also observed that even states that had allowed damages in medical monitoring negligence cases “have expressed doubt that credit monitoring also should be compensable.” Id. at 638 n 10. Every court that has addressed damage claims for credit monitoring following the theft of computer records containing personal information — but no wrongful use of that information — has reached a similar conclusion. See Reilly v. Ceridian Corp., 664 F3d 38, 46 (3d Cir 2011) (increased risk of identity theft did not establish injury-in-fact for purposes of seeking credit monitoring expenses or other relief); Forbes v. Wells Fargo Bank, N.A., 420 F Supp 2d 1018, 1021 (D Minn 2006) (credit monitoring expenses are “not the result of any present injury, but rather anticipation of future injury that has not yet materialized”); Ruiz v. Gap, Inc., 622 F Supp 2d 908, 918 (ND Cal 2009), aff'd, 380 Fed Appx 689 (9th Cir 2010) (no claim for credit monitoring expenses because plaintiff “has no actual damages to mitigate since he has never been a victim of identity theft”); Randolph v. ING Life Ins. and Annuity Co., 486 F Supp 2d 1, 8 (DDC 2007) (same).

In contrast to those cases are several decisions that have allowed at least some damage claims when stolen personal information actually has been used to perpetrate identify theft, causing individuals present financial injury. Anderson v. Hannaford Bros. Co., 659 F3d 151 (1st Cir 2011), is illustrative. There, the First Circuit, applying Maine law, permitted certain claims by credit card holders against the defendant, a processor of credit card payments whose system had been hacked by third parties. The court distinguished the cases cited above (and many similar decisions) because those cases — like plaintiffs’ case here — alleged no actual use of any of the plaintiffs’ personal information:

“Unlike the cases cited by [the defendant], this case does not involve inadvertently misplaced or lost data which has not been accessed or misused by third parties. Here, there was actual misuse, and it was apparently global in reach. The thieves appeared to have expertise in accomplishing their theft and to be sophisticated in how to take advantage of the stolen numbers. The data was used to run up thousands of improper charges across the globe to the customers’ accounts. The card owners were not merely exposed to a hypothetical risk, but to a real risk of misuse.”

659 F3d at 164.

Here, plaintiffs have alleged no actual identity theft or financial harm, other than credit monitoring and similar mitigation costs. Plaintiffs have not offered a cogent basis “for overruling Oregon’s well-established negligence requirements,” Lowe, 344 Or at 415, which require the allegation of such present injury. We therefore reach the same conclusion with respect to credit monitoring, when there has been no present injury to credit or financial interest, as we did in Lowe regarding medical monitoring when there was no present injury: “[Negligent conduct that results only in a significantly increased risk of future injury that requires * * * monitoring does not give rise to a claim for negligence.” Id. at 415.

B. Damages for Emotional Distress

Plaintiffs also seek damages for what they describe as “worry and emotional distress associated with the initial disclosure and the risk of any future subsequent identity theft.” This court consistently has rejected claims for emotional distress damages caused by a defendant’s negligence, in the absence of any physical injury. Hammond, 312 Or at 23-24. We have, however, allowed claims for emotional distress damages in three situations, as summarized in Hammond: (1) “where the defendant intended to inflict severe emotional distress,” id. at 22; (2) “where the defendant intended to do the painful act with knowledge that it will cause grave distress, when the defendant’s position in relation to the plaintiff involves some responsibility aside from the tort itself,” id.; and (3) “where the defendant’s conduct infringed on some legally protected interest apart from causing the claimed distress, even when that conduct was only negligent,” id. at 23. Here, it is undisputed that defendant did not intend to inflict distress on plaintiffs or to have its property stolen. Plaintiffs therefore argue that defendant’s negligence infringed a “legally protected interest” of plaintiffs. We turn to that issue.

Plaintiffs identify several sources of their claimed “legally protected interest.” They note that the physician-patient relationship gives rise to a duty by the physician to keep the patient’s medical records confidential. See Humphers v. First Interstate Bank, 298 Or 706, 720, 696 P2d 527 (1985) (identifying such a right). They assert that defendant violated that and similar duties. Plaintiffs also argue that federal and state statutes require defendant to keep their medical records confidential. By allowing the tapes and disks containing patient care information to be stolen, plaintiffs contend, defendant infringed plaintiffs’ legally protected interest in their confidential medical records, providing a basis for plaintiffs to recover for negligent infliction of emotional distress.

Defendant responds that, even in the context of a physician-patient relationship, a physician does not have a general duty to guard against emotional harm. See Curtis v. MRI Imaging Services II, 327 Or 9, 15-16, 956 P2d 960 (1998) (so holding). Only if the physician is subject to a specific standard of care “to guard against recognized medical risks that happen to be psychological in nature,” may that physician be liable for emotional distress in a negligence action. Id. at 15 (emphasis omitted); see also Rathgeber v. James Hemenway, Inc., 335 Or 404, 418, 69 P3d 710 (2003) (“It is always foreseeable that some emotional harm might result from the negligent performance of * * * professional services * * *. That possibility, however, cannot give rise to emotional distress damages unless a standard of care that includes the duty to protect a client from emotional harm governs the professional’s conduct.”). Defendant argues that the Court of Appeals in this case correctly held that Oregon cases do not support plaintiffs’ assertion that their relationship with defendant gave rise to a duty on the part of defendant to protect them against the risk of emotional distress that might arise if their personal information was stolen as a result of defendant’s negligence. See Paul, 237 Or App at 600 (in absence of “affirmative” breach of duty of confidentiality or special relationship imposing on defendant a duty to protect plaintiffs from emotional distress, plaintiffs failed to state a negligence claim for emotional distress damages).

For reasons similar to those discussed above with respect to plaintiffs’ claim for economic damages, we need not, in this case, decide whether a healthcare provider can be liable in negligence for the emotional distress damages of its patients that may result from the misuse of their personal information. Assuming, without deciding, that defendant does owe a duty to plaintiffs to protect them from such harm — under Oregon tort cases or derived from the healthcare information statutes that the parties cite — we conclude that plaintiffs’ allegations of injury here are insufficient to state a claim for emotional distress damages. As we have already observed, plaintiffs’ alleged emotional distress is premised entirely on the risk of future identity theft, and not on any actual identity theft or present financial harm. No case from Oregon — or, as far as we can tell, any other jurisdiction — supports the claim that plaintiffs make here.

As noted, plaintiffs allege that, because of defendant’s negligence, computer disks and tapes containing their confidential information were stolen. Plaintiffs further allege that they suffered “worry and emotional distress associated with the initial disclosure and the risk of any future subsequent identity theft.” Although plaintiffs argue that they suffered present, and not merely future distress, the complaint makes clear that the present distress is based not on any present harm to their credit or financial well-being, but solely on their apprehension of an increased risk of some future harm. In that respect, the claimed harm is similar to the out-of-pocket expenses that plaintiffs claimed as economic damages and that we rejected above.

The differences between the damages alleged here and the damages alleged in other negligence cases where we have recognized emotional distress claims make the point. In Nearing v. Weaver, 295 Or 702, 707, 670 P2d 137 (1983), for example, the plaintiff suffered emotional distress after she was confronted by her husband multiple times, in violation of a restraining order. The plaintiff had notified the police after the first violation, and the police were required by law to arrest the husband at that time, but they had failed to do so. We held that the law requiring arrest established a legal right independent of the ordinary tort elements of a negligence action and that the plaintiff could recover in negligence for emotional distress caused by defendant’s violation of that right. Id. at 708-09. In contrast to this case, however, the plaintiff in Nearing had, in fact, been confronted by her husband, in violation of the restraining order. Her emotional distress was not based solely on her concern over a future contingency, but on present injury. Similarly, in McEvoy v. Helikson, 277 Or 781, 789, 562 P2d 540 (1977), we held that the plaintiff had stated a claim for negligent infliction of emotional distress when the defendant, an attorney, violated the terms of a divorce decree by not retaining certain passports that he was required to hold. Again, the plaintiffs emotional distress damages were not based on a possible future harm, but on the fact that the plaintiffs ex-wife in fact obtained the passports and fled the country with the plaintiffs child.

Here, as discussed in detail above, plaintiffs do not allege — and nothing in the record suggests — that any third party ever viewed any of the personal information stolen from defendant or that any of the information was ever used for identity theft purposes or in any other manner. This case also differs from Humphers, on which plaintiffs rely. In Humphers, plaintiffs physician disclosed the plaintiffs identity to her daughter, who had been given up for adoption, in violation of Oregon statutes requiring physicians to keep such information confidential. In contrast to this case, the confidential information there was released intentionally and it was actually made known — disclosed—to a third party. 298 Or at 720-21. Another case on which plaintiffs rely, Biddle v. Warren Gen. Hosp., 86 Ohio St 3d 395, 715 NE 2d 518 (1999), is similarly distinguishable. There, the court held a hospital liable for emotional distress damages when it sent medical records for all of its patients to a law firm to screen for supplemental security income benefits without the patients’ consent. Id. at 405. As in Humphers, the release of the information by the hospital in Biddle was intentional, and the confidential medical records were actually made known to unauthorized third parties. Id. In those cases, the claim for damages for emotional distress was not based simply on the risk that some third person might view or misuse the plaintiffs’ confidential information in the future, but on actual present viewing and use of the information.

We are aware of no other jurisdiction that has allowed recovery for negligent infliction of emotional distress in circumstances where the alleged distress is based solely on concern over the increased risk that a plaintiffs personal information will, at some point in the future, be viewed or used in a manner that could cause the plaintiff harm. Courts that have considered such claims have uniformly rejected them. See, e.g., Reilly, 664 F3d at 45 (claim for emotional distress from increased risk of identity theft was not injury-in-fact); Amburgy v. Express Scripts, Inc., 671 F Supp 2d 1046, 1055 (ED Mo 2009) (no recovery for damages for emotional distress caused by increased risk of future identity theft when defendant’s negligence resulted in theft of patient records); Pinero v. Jackson Hewitt Tax Service, Inc., 594 F Supp 2d 710, 716 (ED La 2009) (damages for fear of loss from future identify theft not recoverable); Randolph v. ING Life Ins. and Annuity Co., 973 A2d 702, 708 (DC 2009) (no damages recoverable for fear of identity theft).

Plaintiffs’ arguments here are grounded in plausible concerns over the potential for identity theft that exists whenever personal information is stolen. State and federal statutes impose requirements that seek to address those risks, and enforcement actions under those statutes — like the enforcement action taken against defendant by the Attorney General — can help ensure compliance by those subject to such laws. However, as with plaintiffs’ claim for economic damages, Oregon law does not provide a private right of action for emotional distress damages when those damages are based only on the risk of some future harm. For those reasons, we conclude that plaintiffs have failed to state a claim for damages for emotional distress.

III. UNLAWFUL TRADE PRACTICES ACT

Plaintiffs also allege that defendant violated the UTPA, ORS 646.605 to 646.652. That statute allows a person to seek damages and equitable relief if the person has suffered “any ascertainable loss of money or property * * * as a result of willful use or employment by another person of a method, act or practice declared unlawful by ORS 646.608.” ORS 646.638(1) (2005). Plaintiffs assert that defendant violated ORS 646.608(l)(e) and (g) by representing that “all information gathered to sell its services or goods would be safeguarded and kept confidential when it knew that it lacked adequate means to safeguard such information” and that “the business of sale of services and goods would include privacy and confidentiality when it knew that the transactions were not confidential due to its inadequate data protection program.”

The Court of Appeals denied plaintiffs’ claim because plaintiffs did not allege an “ascertainable loss of money or property,” as required to recover under the UTPA:

“[T]he thrust of plaintiffs’ allegations is that, as a result of defendant’s violation of the UTPA, they have been threatened with a loss of money or property due to the theft of their financial data, and they seek to recover damages for money that they have spent to forestall those threatened losses.
* * * *
“Plaintiffs have directed us to no authority — and we are aware of none- — for the proposition that such a ‘once removed’ loss is a loss covered under the UTPA.”

Paul, 237 Or App at 603-04 (emphasis in original).

As our earlier discussion of plaintiffs’ negligence claim indicates, the Court of Appeals correctly characterized plaintiffs’ “loss” as money that they expended to prevent or mitigate the possible future use or disclosure of their confidential information by a third party. That expenditure of money is not the kind of loss compensable under the UTPA, because the expenditure is not based on any present harm to plaintiffs’ economic interests. There is no indication that the UTPA was intended to protect against such speculative losses as the risk of identity theft, and plaintiffs have presented no argument that would support such an interpretation. Accordingly, plaintiffs have not stated a claim under the UTPA for the “loss” they incurred to prevent a future harm.

The decision of the Court of Appeals and the judgment of the circuit court are affirmed. 
      
       In 2006, defendant entered into an agreement with the Attorney General under the UTPA pursuant to which defendant agreed to contract with a credit monitoring company to provide two years of credit monitoring and restoration services to any patient who requested it, to reimburse any patient for any financial loss resulting from the misuse of credit or identity theft, and to establish a website and toll-free call center to assist patients with questions related to the theft. Under the agreement, defendant also paid the Attorney General more than $95,000. Defendant estimated the cost of the credit monitoring and other services that it agreed to provide at approximately $7 million.
     
      
       Plaintiffs did not allege that the theft of the records was a “property loss” to them.
     
      
       The trial court based its order granting defendant’s motion and dismissing plaintiffs’ complaint on the Court of Appeals decision in Lowe. We subsequently affirmed Lowe.
      
     
      
       Indeed, plaintiffs do not allege that the person who stole the records or any third person even viewed their personal information. The information was stored in digital form on disks and computer tapes, and specialized equipment is required to view or use the information.
     
      
       A person commits the crime of “identity theft” if the person, “with the intent to deceive or to defraud, obtains, possesses, transfers, creates, utters or converts to the persons own use the personal identification of another person.” ORS 165.800(1). Plaintiffs do not allege that the person who stole the information did so with the required “intent.”
     
      
       As noted, plaintiffs did not allege that the theft of defendant’s disks and tapes containing plaintiffs’ information was a loss ofplaintiffs’ property. Accordingly, we have no occasion to consider whether, under Oregon law, such an allegation would state a claim for relief. See Ruiz v. GAP, Inc., 540 F Supp 2d 1121, 1127 (ND Cal 2008), aff'd, 380 Fed Appx 689 (9th Cir 2010) (rejecting claim that theft of defendant’s laptop, containing plaintiffs personal information, constituted loss of plaintiffs “property”).
     
      
       As noted in our discussion of economic damages, plaintiffs do not allege a physician-patient relationship with defendant. Rather, they argue that defendant’s status as a healthcare provider imposed on defendant a similar duty to keep medical records confidential.
     
      
       We recognize that the Court of Appeals has considered — and rejected- — a claim for emotional distress damages hy a depositor whose bank negligently permitted his personal information to be disclosed and which subsequently was used to the depositor’s detriment by third parties. See Stevens v. First Interstate Bank, 167 Or App 280, 999 P2d 551, rev den, 331 Or 429 (2000). The basis for the emotional distress claim there thus differs from plaintiffs’ allegations here; we have no occasion to consider the issue decided hy the Court of Appeals in Stevens.
      
     
      
       ORS 646.638(1) (2005) was amended by Oregon Laws 2009, chapter 327, section 1, and Oregon Laws 2009, chapter 552, sections 6 and 7. Those amendments are inapplicable to this case.
     
      
       ORS 646.608(l)(e) and (g) provide:
      “A person engages in an unlawful practice when in the course of the person’s business, vocation or occupation the person does any of the following:
      * * :¡: #
      “(e) Represents that real estate, goods or services have sponsorship, approval, characteristics, ingredients, uses, benefits, quantities or qualities that they do not have * * *.
      «:f; *
      “(g) Represents that real estate, goods or services are of a particular standard, quality, or grade, or that real estate or goods are of a particular style or model, if they are of another.”
     
      
       Because we conclude that plaintiffs have not alleged an ascertainable loss that is the result of defendant’s conduct, we do not address defendant’s alternative argument that defendant’s conduct did not constitute a representation that defendant’s services had “characteristics” that they lacked or were of a “particular standard, quality, or grade” when they were of another. See ORS 646.608(1) (defining unlawful trade practices).
     