OPINION AND ORDER Plaintiffs Jose Aponte II and Lisa Rosenberg bring this putative class action against defendants Northeast Radiology, P.C. (“Northeast Radiology”), and Alliance HealthCare Services, Inc., alleging defendants failed to protect plaintiffs’ electronic protected health information (“e-PHI”) from unauthorized disclosure. Now pending is defendants’ motion pursuant to Rules 12(b)(1) and 12(b)(6) to dismiss the amended complaint for lack of subject matter jurisdiction and for failure to state a claim. (Doc. # 29). For the following reasons, the Rule 12(b)(1) motion is GRANTED. BACKGROUND For the purpose of ruling on the motion, the Court accepts as true all well-pleaded allegations in the amended complaint and draws all reasonable inferences in plaintiffs’ favor, as summarized below. Plaintiffs allege that, as patients of Northeast Radiology, they provided Northeast Radiology with their names, addresses, dates of birth, gender, and medical history information. Plaintiffs state unauthorized individuals accessed defendants’ computer servers where this information was stored between April 14, 2019, and January 7, 2020. Plaintiffs allege a user, upon connecting to defendants’ Picture Archiving and Communications Systems (“PACS”), was “presented with a list of all [patient] studies and the number of related images stored on [defendants'] PACS,” comprising “approximately 62 million images associated with 300,000 patients.” (Doc. #28 (“Am. Compl.”) 58). According to plaintiffs, the file names in this list displayed e-PHI, including patient name, date of birth, patient ID (which plaintiffs allege often corresponds to social security number), date of examination, and study description, among other information, such that one accessing the PACS did not need to open an image file to see a patient’s information. According to plaintiffs, defendants’ PACS failed to include basic security features like encryption or passwords, and the list of file names containing e-PHI could be downloaded and saved. On January 10, 2020, plaintiffs allege TechCrunch, an online newspaper, published an article detailing these security weaknesses, uncovered through an analysis by independent cybersecurity researchers. On March 11, 2020, Northeast Radiology issued a press release announcing unauthorized individuals gained access to defendants’ PACS. According to plaintiffs, the release stated at least twenty-nine patients’ information was accessed during the breach, but defendants were unable to determine if other patients’ information on the system was also compromised. Plaintiffs allege they face an ongoing imminent risk of identity theft and fraud because, unlike a credit card, there is no way to cancel e-PHI. As a result, plaintiffs contend they will need to continuously monitor their accounts, purchase credit and identity theft monitoring services, and expend additional time and effort to prevent and mitigate potential future losses. Plaintiffs also allege they would not have used defendants’ services had they known defendants did not employ reasonable security measures. Lastly, plaintiffs claim they suffered an injury-in-fact through defendants’ “intrusion upon their seclusion” because defendants’ insufficient security practices made plaintiffs’ data available for unauthorized access. Plaintiffs bring claims for negligence, negligence per se, breach of contract, breach of implied contract, violation of New York General Business Law Section 349, and “intrusion upon seclusion.” DISCUSSION I. Standard of Review “[F]ederal courts are courts of limited jurisdiction and lack the power to disregard such limits as have been imposed by the Constitution or Congress.” Durant, Nichols, Houston, Hodgson & Cortese-Costa, P.C. v. Dupont, 565 F.3d 56, 62 (2d Cir. 2009).1 “A case is properly dismissed for lack of subject matter jurisdiction under Rule 12(b)(1) when the district court lacks the statutory or constitutional power to adjudicate it.” Nike, Inc. v. Already, LLC, 663 F.3d 89, 94 (2d Cir. 2011), aff’d, 568 U.S. 85 (2013). A court lacks the power to hear a party’s claims when the party does not have standing. Hillside Metro Assocs., LLC v. JPMorgan Chase Bank, Nat’l Ass’n, 747 F.3d 44, 48 (2d Cir. 2014). When deciding whether subject matter jurisdiction exists at the pleading stage, the Court “must accept as true all material facts alleged in the complaint.” Conyers v. Rossides, 558 F.3d 137, 143 (2d Cir. 2009). “However, argumentative inferences favorable to the party asserting jurisdiction should not be drawn,” Buday v. N.Y. Yankees P’ship, 486 F. App’x 894, 895 (2d Cir. 2012) (summary order), and the Court “need not credit a complaint’s conclusory statements without reference to its factual content,” Amidax Trading Grp. v. S.W.I.F.T. SCRL, 671 F.3d 140, 146-47 (2d Cir. 2011). When a defendant moves to dismiss for lack of subject matter jurisdiction and on other grounds, the Court should resolve the Rule 12(b)(1) challenge first. Rhulen Agency, Inc. v. Ala. Ins. Guar. Ass’n, 896 F.2d 674, 678 (2d Cir. 1990). II. Standing Defendants argue plaintiffs do not have standing to bring this action. The Court agrees. A. Legal Standard To satisfy the “irreducible constitutional minimum of standing…[t]he plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016). When, as here, “the Rule 12(b)(1) motion is facial, i.e., based solely on the allegations of the complaint…the plaintiff has no evidentiary burden.” John v. Whole Foods Mkt. Grp., Inc., 858 F.3d 732, 736 (2d Cir. 2017). “The task of the district court is to determine whether the [complaint] alleges facts that affirmatively and plausibly suggest that the plaintiff has standing to sue.” Id. An injury-in-fact is “an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical.” Spokeo, Inc. v. Robins, 578 U.S. at 339. This is “a low threshold which helps to ensure that the plaintiff has a personal stake in the outcome of the controversy.” John v. Whole Foods Mkt. Grp., Inc., 858 F.3d at 736. To be concrete, an injury “must actually exist.” Spokeo, Inc. v. Robins, 578 U.S. at 340. An intangible harm may be concrete, provided it “has a close relationship to a harm traditionally recognized as providing a basis for a lawsuit in American courts.” TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2200 (2021). “That inquiry asks whether plaintiffs have identified a close historical or common-law analogue for their asserted injury,” although it need not be an exact duplicate. Id. at 2204. Regarding statutory harms, it is not enough to allege that a defendant violated the law; “[o]nly those plaintiffs who have been concretely harmed by a defendant’s statutory violation” will have standing. Id. at 2205. “For an injury to be particularized, it must affect the plaintiff in a personal and individual way.” Spokeo, Inc. v. Robins, 578 U.S. at 339. And for an injury to be considered “actual or imminent,” it must be “certainly impending,” or there must be “substantial risk that the harm will occur.” Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014). Plaintiffs seeking injunctive relief to prevent future harm may establish injury-in-fact if they demonstrate “the risk of [future] harm is sufficiently imminent and substantial.” TransUnion LLC v. Ramirez, 141 S. Ct. at 2210. However, “in a suit for damages, the mere risk of future harm, standing along, cannot qualify as a concrete harm — at least unless the exposure to the risk of future harm itself causes a separate concrete harm.” Id. at 2210-11. In McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295 (2d Cir. 2021), the Second Circuit articulated a three-factor test for evaluating whether a plaintiff has alleged an injury-in-fact from an increased risk of identity theft or fraud following a data breach: (1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud. Id. at 303. It is unclear whether this analysis is still good law following the Supreme Court’s recent decision in TransUnion. See Bohnak v. Marsh & McLennan Cos., 2022 WL 158537, at *5 (S.D.N.Y. Jan. 17, 2022) (“The TransUnion Court’s rejection of the mere risk of future harm calls into question the continuing validity of McMorris.”); Cooper v. Bonobos, Inc., 2022 WL 170622, at *3 n.1 (S.D.N.Y. Jan. 19, 2022) (applying McMorris because “it is the task of the Second Circuit, not this Court, to determine if McMorris should be overturned”). B. Application Plaintiffs do not allege an injury-in-fact sufficient to confer standing. Plaintiffs argue they suffered an injury-in-fact in four ways: (i) plaintiffs face a substantial and imminent risk of fraud and identity theft; (ii) plaintiffs will be required to spend substantial amounts of time monitoring their accounts for identity theft and fraud; (iii) plaintiffs would not have sought defendants’ services had they known the nature of defendants’ data security practices; and (iv) defendants’ conduct caused unauthorized access by third parties that intruded upon plaintiffs’ seclusion. 1. Future Risk of Fraud and Identity Theft Here, plaintiffs have not alleged third parties misused or attempted to misuse their data. Moreover, because plaintiffs do not allege they are members of the group of twenty-nine patients whose information was determinedly accessed, “allegations that [their] personal information was even accessed is conjecture.” Allison v. Aetna, Inc., 2010 WL 3719243, at *5 (E.D. Pa. Mar. 9, 2010). Plaintiffs need not “wait until they suffer identity theft to bring their claims.” See In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., 2021 WL 5937742, at *9-10 (D.N.J. Dec. 16, 2021) (facts alleged did not support that plaintiffs’ information stored on a compromised system was accessed, stolen, or misused). Nevertheless, plaintiffs’ allegations that an unauthorized user to defendants’ PACS would have viewed plaintiffs’ e-PHI in the list of file names and “it is extremely likely” that such user would have downloaded a copy are too remote to establish that plaintiffs’ risk of future harm from identity theft is substantial or imminent. (Am. Compl. 61). Claims of conceivable harm without factual support are not sufficient. See Amidax Trading Grp. V. S.W.I.F.T. SCRL, 671 F.3d at 146. Moreover, the McMorris factors support a determination of no injury-in-fact: although plaintiffs allege their data stored on defendants’ PACS was highly sensitive, except for the conclusory allegation that the unauthorized users were “hackers” (Am. Compl.
