Lawsuits over DNA data use

Tempus AI is facing class-action lawsuits that say it took DNA test results from Ambry Genetics patients and used or shared them without clear permission. (bankinfosecurity.com) The cases were filed in the U.S. District Court for the Northern District of Illinois, including one complaint filed April 15, 2026. Plaintiffs say Tempus violated the Illinois Genetic Information Privacy Act, plus other state privacy laws, after acquiring Ambry Genetics. (bankinfosecurity.com) Tempus completed its Ambry acquisition on February 3, 2025, after agreeing in November 2024 to pay $375 million in cash and $225 million in stock. Tempus said the deal would expand inherited-cancer testing and strengthen its data business. (tempus.com) (sec.gov) The complaints center on a simple question: when a lab collects DNA to answer one medical question, can a new owner use that same data for new purposes. Plaintiffs say Ambry’s database held results from more than 2.5 million genetic tests, and that Tempus pushed Ambry to hand over those records after the acquisition. (assets.alm.com) DNA data is unusually sensitive because it is both a medical record and a personal identifier. The National Human Genome Research Institute says genomic privacy requires special protections, and federal research guidance warns that sequence data can sometimes be linked back to people. (genome.gov) (ori.hhs.gov) That makes the fight over “de-identified” data central to these suits. Ambry’s March 19, 2025 notice says data de-identified under Health Insurance Portability and Accountability Act standards is not protected health information under that notice, while plaintiffs argue genetic data remains inherently identifiable. (ambrygen.com) (bankinfosecurity.com) The April 15 complaint says Tempus sold hundreds of thousands of people’s genetic records to more than 70 pharmaceutical and life-science customers in deals allegedly worth $1.1 billion. Tempus said in January that its full-year 2025 revenue was about $1.27 billion, including about $316 million from data and applications. (bankinfosecurity.com) (tempus.com) Tempus has denied wrongdoing. A company spokesperson told GenomeWeb that patient privacy and data security are central to its business and that its operations, including Ambry, are built on “rigorous HIPAA compliance” and high data-protection standards. (genomeweb.com) The legal risk goes beyond one company because molecular testing labs now sit on large archives of blood, tissue, and DNA results collected during routine care. When those archives are bought, merged, or licensed, old consent forms and new data products can collide in court. (nih.gov) (jdsupra.com) For now, the lawsuits are asking for damages and orders blocking further sharing without proper notice and consent. The cases will test whether a genetic-testing database can change hands more easily than the permissions attached to the people inside it. (bankinfosecurity.com)