Genetic Data AI Training Sparks Class Actions Post-Acquisition

Several recent class actions filed against Tempus AI, Inc. are exposing a fast-growing legal vulnerability in the health technology sector: the repurposing of genetic and clinical data for artificial intelligence model training following corporate acquisitions. The litigation emerged after Tempus AI acquired Ambry Genetics Corporation, a genetic testing firm, in 2025. Plaintiffs allege the company used class members' genetic testing information in ways requiring notice and written authorization, then disclosed that data through commercial life sciences relationships without adequate consent.

This isn't an isolated incident. It's a predictable consequence of a market where data-rich healthcare and diagnostics companies are acquired precisely because of their dataset value—and where acquirers often intend post-close uses that exceed the original collection purposes. The 23andMe bankruptcy serves as a recent high-profile example of the issues that arise when a company holding a large genetic database faces acquisition and questions emerge about whether consent obtained for consumer genetic testing covers the acquirer's intended downstream uses.

According to analysis from Crowell & Moring LLP, the litigation trend reflects an accelerating focus by plaintiffs' lawyers on whether legacy consent language and de-identification practices are legally adequate when sensitive health and genetic data is repurposed for AI training, analytics, and licensing following a corporate transaction. The firm's May 2026 client alert details how organizations holding genetic datasets need to treat data governance as a core enterprise risk issue, not a downstream compliance matter.

Why does this matter practically? Imagine a patient who completes genetic testing for diagnostic purposes. They receive their results, perhaps a PDF report on their computer screen. They never click through a separate consent form for AI training. Years later, their anonymized genetic markers become part of a dataset used to train a machine learning model that gets licensed to pharmaceutical companies. The patient never saw that click-through. They never signed that authorization. But their data is now embedded in algorithms they cannot access, audit, or control.

A recurring theme in these cases is the challenge to de-identification as a practical and legal safeguard for genetic information. Plaintiffs argue that genetic information is uniquely identifying by nature, and that removing conventional direct identifiers may not eliminate re-identification risk. Genetic data can be compared against public reference resources or linked through familial relationships, and in certain circumstances re-identified using inference techniques (a problem that has plagued users for years, frankly).

State laws do not take a uniform approach. Some statutes incorporate HIPAA de-identification concepts—Illinois's Genetic Information Privacy Act, for example, includes a pathway for de-identified information created in accordance with HIPAA requirements. Other state laws, particularly direct-to-consumer frameworks, use different definitions and consent structures entirely. In this environment, organizations should assume that de-identification will be scrutinized both technically and legally. It should be supported by documented methodology, contractual restrictions including anti-re-identification provisions, and jurisdiction-specific analysis.

The regulatory backdrop is expanding rapidly. State legislatures are actively expanding genetic privacy regulation in a consistent direction: more granular consent requirements, stronger restrictions on secondary use and downstream transfer, and meaningful enforcement mechanisms including private rights of action and per-violation damages. Illinois's GIPA remains the most litigation-active statute in this space. South Dakota and Utah both enacted new genetic privacy laws in early 2026, and California is advancing legislation that would add criminal penalties to its existing civil framework.

Connecticut, Rhode Island, and West Virginia have bills in progress covering direct-to-consumer style consent requirements and foreign-adversary access restrictions. Compliance with HIPAA alone is increasingly insufficient, and the scope of HIPAA-based exemptions under state genetic privacy statutes varies materially across jurisdictions. Inside Privacy reports that more than 10 states have enacted genetic privacy legislation to regulate direct-to-consumer genetic testing companies, though the scope of entities regulated by these laws and the related obligations varies from state to state.

For organizations, the action items are clear. Treat AI training as a distinct data use. Consent obtained for clinical or diagnostic purposes should not be assumed to extend to AI model development, commercialization, or licensing. Authorizations should be assessed for whether they affirmatively cover use for AI models and algorithms post-acquisition transfers and third-party commercialization. M&A diligence and integration planning should treat consent scope and state-law compliance as core deal considerations whenever a target holds genetic or genomic data assets that may be used by potential acquirors.

The physical reality of this compliance burden is substantial. Legal teams must audit consent forms that may be decades old. They must map data flows across multiple jurisdictions with conflicting requirements. They must document de-identification methodologies that can withstand both technical and legal scrutiny. They must negotiate contractual restrictions with service providers that include anti-re-identification provisions. This isn't a checkbox exercise. It's a fundamental restructuring of how organizations approach data governance.

Whether users actually pay for this level of protection remains the real question. The market has already demonstrated that genetic data holds significant commercial value. Acquirers are willing to pay premiums for datasets. But the legal infrastructure to govern that value is still catching up. Until state laws converge and courts establish clearer precedents, organizations will operate in a patchwork of conflicting requirements. The litigation risk is real. The compliance costs are mounting. And the data keeps flowing.

Artūras Malašauskas is an AI Systems Integrator with 20+ years of production-grade web engineering experience. He has designed, shipped, and scaled enterprise Python/PHP systems for logistics, SaaS, and public-sector clients. For the past year, he has focused exclusively on AI integrations: deploying open-source LLMs, building generative media pipelines (image, audio, video), and engineering multi-agent workflows for real production environments. His standard: reproducibility, security, cost-efficient inference—no vaporware. He documents and evaluates emerging AI tooling, separating verified capabilities from marketing noise. Technical editor at: muza-ai.eu, ai-verslas.lt, ai-naujinos.lt Connect on LinkedIn