Key Takeaways
- Putative class actions are increasingly targeting the repurposing and commercialization of genetic data after acquisitions, especially when AI model training and downstream licensing are alleged.
- State genetic‑privacy regimes are expanding rapidly beyond HIPAA, with Illinois, South Dakota, Utah, California and others enacting statutes that impose granular consent requirements, private rights of action, and per‑violation damages.
- De‑identification is under mounting legal and scientific scrutiny; relying on it as a sole safeguard for genetic data is risky and should be supplemented with documented methodology, contractual anti‑re‑identification clauses, and jurisdiction‑specific analysis.
- M & A diligence must treat consent scope and state‑law compliance as core asset constraints that directly affect deal value and post‑close risk when a target holds genetic or genomic data.
Overview of the Emerging Litigation Trend
The recent wave of class‑action lawsuits against Tempus AI, Inc. illustrates a growing legal exposure for health‑care firms that acquire genetic‑testing companies and then seek to monetize the data through AI‑driven analytics. As the article notes, “The complaint alleges that, as a result of the acquisition, Tempus AI used the class members’ genetic testing information in ways that required notice and written authorization, and that their data was later disclosed through commercial life‑sciences relationships without adequate consent.” Plaintiffs’ counsel are focusing on whether legacy consent language and standard de‑identification practices remain valid when data originally collected for diagnosis or treatment is later repurposed for model training, analytics, and licensing after a corporate transaction.
Why the Tempus AI Cases Matter
Tempus AI’s 2025 acquisition of Ambry Genetics Corporation set the stage for the litigation. The plaintiffs argue that the acquirer’s intended post‑close uses—training AI models, generating analytical insights, and entering commercial partnerships—went far beyond the purposes for which patients originally consented to have their genetic data collected. This pattern is not isolated; the 23andMe bankruptcy highlighted similar tensions when a large consumer‑genetic database faced acquisition and questions arose about whether the original consent covered the acquirer’s downstream plans. The lawsuits thus serve as a bellwether for any deal where the value of a target lies primarily in its data assets.
The Limits of De‑Identification in Genetic Contexts
A recurring theme in the complaints is the challenge to de‑identification as a sufficient safeguard. Plaintiffs contend that “genetic information is uniquely identifying by nature, and that removing conventional direct identifiers may not eliminate re‑identification risk, particularly when genetic data can be compared against public reference resources or linked through familial relationships, and in certain circumstances re‑identified using inference techniques.” Moreover, they pair this scientific argument with statutory theories that, depending on the jurisdiction, may impose consent, use, and disclosure restrictions even on data labeled as de‑identified. Because state laws diverge—some incorporate HIPAA de‑identification pathways (e.g., Illinois’s Genetic Information Privacy Act), while others adopt entirely different definitions for direct‑to‑consumer data—organizations cannot assume that HIPAA‑level de‑identification will satisfy all applicable statutes.
State Genetic‑Privacy Regulation: A Rapidly Expanding Landscape
State legislatures are actively broadening genetic‑privacy protections in a uniform direction: more granular consent requirements, stricter limits on secondary use and downstream transfer, and meaningful enforcement mechanisms such as private rights of action and per‑violation damages. Illinois’s GIPA remains the most litigation‑active statute in this arena. South Dakota and Utah both enacted new genetic‑privacy laws in early 2026, and California is advancing legislation that would add criminal penalties to its existing civil framework. Meanwhile, Connecticut, Rhode Island, and West Virginia have bills pending that address direct‑to‑consumer style consent and foreign‑adversary access restrictions. As the article warns, “Compliance with HIPAA alone is increasingly insufficient, and the scope of HIPAA‑based exemptions under state genetic privacy statutes varies materially across jurisdictions.”
Practical Action Items for Organizations Holding Genetic Data
To mitigate risk, firms should treat AI training as a distinct data use and not assume that consent granted for clinical or diagnostic purposes automatically extends to model development, commercialization, or licensing. Authorizations must be examined for explicit coverage of post‑acquisition AI uses and third‑party commercialization.
Next, organizations need to reassess their de‑identification positions. This entails evaluating methodologies, validation practices, access controls, and downstream contractual restrictions for consistency across public statements, privacy notices, and technical implementation—and measuring them against the specific state statutes that govern the data, not merely the HIPAA benchmark.
Reviewing commercial agreements with life‑sciences partners is also essential. Key provisions should include purpose limitations, restrictions on onward transfer, audit rights, breach‑notification obligations, compliance with applicable federal and state legal requirements (including state genetic‑privacy statutes), and clear allocation of responsibility for patient‑authorization representations.
Finally, building state‑law compliance into data‑governance programs requires mapping genetic‑data flows against applicable statutes on a jurisdiction‑by‑jurisdiction basis and recognizing that HIPAA compliance alone does not satisfy the evolving legal environment.
Addressing Genetic Data in M & A Diligence
When an acquirer’s intended post‑close uses diverge from the target’s historic uses, the consent mismatch becomes a predictable litigation flashpoint. Diligent teams should treat consent scope and state‑law compliance as asset constraints that directly influence deal valuation and post‑close risk. This means conducting privilege‑protected assessments of genetic and clinical data flows used in AI development, performing multi‑state genetic‑privacy compliance reviews, and incorporating transaction diligence playbooks that flag any gaps between legacy consents and planned downstream activities.
Conclusion and How Professional Advisors Can Help
Navigating this complex terrain demands a proactive, integrated approach to data governance. Specialized privacy, cybersecurity, and life‑sciences teams can assist organizations by conducting privilege‑protected assessments of data flows used in AI development, performing multi‑state genetic‑privacy compliance reviews, drafting transaction diligence playbooks for health‑data assets, and negotiating data‑sharing and AI partnership agreements that incorporate robust purpose‑limitation and anti‑re‑identification clauses. They also help clients build defensible governance programs—complete with documentation, vendor oversight, and incident readiness—that are designed to withstand both litigation and regulatory scrutiny. By treating genetic data as a core enterprise‑risk issue rather than an after‑thought compliance matter, companies can better protect patient trust, preserve deal value, and stay ahead of the rapidly evolving legal landscape.
https://www.crowell.com/en/insights/client-alerts/genetic-data-and-artificial-intelligence-training-following-acquisitions-emerging-litigation-risk-and-a-rapidly-expanding-state-regulatory-landscape