Tempus AI Faces Class Action Over Ambry Genetics Data Use Amid Rising State Genetic Privacy Laws

Context In early 2025 Tempus AI, a health‑technology firm that combines artificial intelligence with molecular and clinical data, completed its acquisition of Ambry Genetics, a clinical‑testing laboratory that generates large volumes of patient‑derived genetic information. The deal gave Tempus access to Ambry’s repository of hereditary‑cancer and pharmacogenomic test results, which the plaintiff alleges were repurposed to train proprietary AI models and to share with life‑science partners. At the same time, state legislatures are moving beyond the federal HIPAA baseline to create stricter genetic‑privacy frameworks. Utah and South Dakota passed new statutes in 2024 that require explicit consent for secondary use of genetic data and provide private rights of action. Illinois, California, and several other states have bills under consideration that would impose similar consent, use‑restriction, and enforcement provisions. Plaintiffs in the Tempus case argue that genetic data is inherently identifiable, so removing conventional identifiers does not eliminate re‑identification risk. They contend that Tempus relied on de‑identification alone, which, according to the complaint, fails to satisfy the newer state laws that treat genetic information as personally identifiable regardless of technical masking.

Key Facts - The lawsuit alleges that Tempus used Ambry’s genetic data for AI training and commercial life‑sciences sharing without obtaining the notice and written authorization required under the relevant state statutes. - Utah and South Dakota have enacted genetic‑privacy laws with enforcement mechanisms; Illinois, California, and additional states are advancing comparable legislation. - The plaintiffs’ claim hinges on the assertion that genetic data cannot be truly de‑identified, a position supported by recent scientific analyses showing that genomic sequences can be linked to individuals through public databases or familial inference.

What It Means For companies holding genetic datasets, the case underscores that consent scope must be revisited after any acquisition; legacy language that covered only diagnostic use may not authorize AI‑model development or commercial sharing. De‑identification alone is unlikely to satisfy emerging state rules, so firms should document their de‑identification methodology, embed contractual anti‑re‑identification clauses, and conduct jurisdiction‑specific legal reviews before repurposing data. Investors and partners should scrutinize data‑governance practices during due diligence, treating genetic privacy as a core enterprise risk rather than a downstream compliance checkbox. To watch: forthcoming rulings on the Tempus class action, the outcome of pending state bills in Illinois and California, and any settlements that could set precedents for how post‑acquisition AI training is regulated.