Two separate putative class actions filed in February 2026 allege that Tempus AI unlawfully shared genetic information from 75 pharmaceutical and biotechnology companies after acquiring Ambry Genetics in early 2025, despite assuring patients their data would remain de-identified. The lawsuits, consolidated in the U.S. District Court for the Northern District of Illinois, challenge Tempus’s claim that genetic data can be meaningfully de-identified when the company simultaneously markets technology that enables third parties to identify patients and track their position in the healthcare journey.
The core dispute centers on a fundamental contradiction: Tempus told patients their genetic information would be de-identified for research sharing, yet genetic databases inherently retain enough information to re-identify individuals when linked with other datasets or external information sources. The allegations come as genetic testing companies face increasing scrutiny over how they handle sensitive health information.
Table of Contents
- What Happened When Tempus AI Acquired Ambry Genetics?
- The Illinois Genetic Information Privacy Act and Consent Requirements
- Why “De-Identified” Genetic Data Can Be Re-Identified
- The Network of 75 Third-Party Recipients
- The Ambry Data Breach and Pre-Existing Vulnerability
- The Legal Claims and Damages Sought
- What This Means for Genetic Privacy and the Future of Data Sharing
What Happened When Tempus AI Acquired Ambry Genetics?
In early 2025, Tempus AI completed a $600 million acquisition of Ambry Genetics, a genetic testing company that maintained an extensive database of genetic information from patients who had undergone genetic testing. The acquisition transferred Ambry’s entire genetic database to Tempus AI—a transfer that, according to the lawsuits, occurred without obtaining renewed written authorization from the data subjects whose genetic information was being transferred. Under the Illinois Genetic Information Privacy Act (GIPA), genetic information cannot simply be transferred from one company to another without explicit consent from individuals. The acquisition raised a critical compliance question: when a company possessing sensitive health data is acquired, does the acquiring company inherit the right to use that data the way the original company did, or must it obtain fresh authorization from affected individuals? According to the plaintiff allegations, Tempus AI treated the Ambry database as if it could be used without renewed consent.
Instead of reaching out to Ambry’s past patients to explain the acquisition and obtain fresh authorization, Tempus AI began sharing genetic information with 75 third parties in the pharmaceutical and biotechnology sectors. This approach differs fundamentally from how medical records are typically transferred. For example, when a patient’s medical records move from one healthcare provider to another, the new provider generally must still comply with the original consent forms. The lawsuits argue that Tempus AI’s approach bypassed this foundational principle, treating a $600 million acquisition as a license to repurpose data for new commercial relationships.
The Illinois Genetic Information Privacy Act and Consent Requirements
Illinois’s Genetic Information Privacy Act (GIPA) is one of the strictest state laws protecting genetic privacy. The law requires written authorization before genetic information can be disclosed to third parties—and this authorization must be specific about how the data will be used. GIPA distinguishes between using genetic information for the original healthcare or research purpose and using it for something entirely new. The key vulnerability in Tempus AI’s legal position is that even if Ambry Genetics had obtained valid consent from patients to share de-identified genetic data for research, that consent may not have extended to Tempus AI sharing the same data with 75 commercial pharmaceutical and biotechnology companies for their own proprietary purposes.
Plaintiffs argue that Tempus AI’s use of the data exceeded the scope of the original Ambry consent forms. This matters because GIPA requires affirmative written consent for each distinct use or recipient of genetic information. If patients consented to “research sharing with academic institutions,” that consent does not automatically extend to “commercial sharing with drug manufacturers.” A critical limitation of GIPA, however, is that it applies only to genetic information collected in Illinois and only applies to entities with a presence in Illinois. This means that out-of-state genetic testing companies may face less stringent requirements, which is why many genetic testing companies have faced privacy challenges—the landscape of genetic privacy law is fragmented across states, with no uniform federal protection comparable to HIPAA for medical records.
Why “De-Identified” Genetic Data Can Be Re-Identified
At the heart of the dispute lies a technical and legal distinction that most people find counterintuitive: a dataset can be “de-identified” (stripped of obvious identifiers like name and Social Security number) while remaining “re-identifiable” (susceptible to being linked back to specific individuals through other information). Genetic data presents a particularly acute re-identification risk because genetic information is inherently biometric—it is unique to each individual and will match that person’s DNA found in other databases, law enforcement records, consumer genealogy databases, or even trace genetic information in family members’ records. The plaintiffs’ legal position argues that genetic information cannot be meaningfully de-identified because of this fundamental characteristic. Even if Tempus AI removed names and medical record numbers from the genetic data before sharing it with pharmaceutical companies, that genetic information itself remains a permanent identifier.
A geneticist or researcher who receives this “de-identified” genetic data could, in theory, cross-reference it against public genealogy databases, law enforcement DNA databases, or other genetic repositories to determine whose DNA it is. This is not hypothetical—researchers have published studies demonstrating that genetic profiles can be re-identified through cross-referencing with publicly available genealogy databases. The lawsuits specifically allege that Tempus AI’s own marketing materials undermine its de-identification claims. Tempus marketed services to pharmaceutical companies that explicitly promised to help them “identify patients and contextualize where they are in the care journey.” This language suggests that Tempus was providing tools that enable patient identification—directly contradicting the assertion that the genetic data was de-identified. If the data cannot be identified, how could Tempus offer identification services to its pharmaceutical clients?.
The Network of 75 Third-Party Recipients
The lawsuits name 75 pharmaceutical and biotechnology companies as recipients of the shared genetic data. These recipients are not listed in the public filings, but the class action makes clear that the genetic information was distributed broadly across the commercial drug development ecosystem. Each of these 75 companies received genetic information from thousands of patients without those patients’ explicit consent to share with that specific entity. The concern extends beyond simple data privacy to questions about competitive advantage and research exploitation.
When a pharmaceutical company receives genetic data from thousands of patients without their knowledge, it can use that data to develop new drugs, design clinical trials, or segment patient populations for targeted marketing of treatments. Patients whose genetic information was shared received no compensation or notification that their data was being used in this way. Meanwhile, the companies receiving the data gained significant research and commercial value—information that could lead to billions of dollars in drug sales—without paying those patients for the use of their genetic information. A comparison illustrates the asymmetry: if a pharmaceutical company wanted to hire 1,000 patients as research subjects to provide DNA samples for drug development, it would need to pay them, obtain their informed consent, and likely enroll them in a formal clinical trial. Yet by receiving the data through Tempus AI, that same company obtained genetic information from thousands of patients with no direct negotiations, no payment, and no individual consent process.
The Ambry Data Breach and Pre-Existing Vulnerability
Adding urgency to the re-identification concerns is the fact that Ambry Genetics had previously suffered a data breach. The prior Ambry breach demonstrated that the company maintained links between genetic data and personal identifiers—meaning the genetic information was not actually de-identified in Ambry’s systems. If someone with access to Ambry’s databases could see which genetic profiles were linked to which patients, then any shared genetic data derived from those profiles could be considered inherently re-identifiable. This history is significant because it suggests that when Tempus AI acquired Ambry’s database, it inherited not just genetic information but potentially also the infrastructure and practices that made that genetic information vulnerable to re-identification.
The lawsuits argue that Tempus AI should have known, based on Ambry’s prior breach, that genetic data in these systems could not be reliably de-identified. Yet Tempus proceeded to share it anyway. Also, if Ambry’s breach records are still accessible to bad actors or have been publicly disclosed on dark web marketplaces, then some of the genetic information Tempus AI shared may already be linked to identifiable individuals through that previous breach. This creates a cascading privacy risk: not only does Tempus’s sharing violate GIPA, but it compounds an existing vulnerability in the genetic data that was already exposed through Ambry’s breach.
The Legal Claims and Damages Sought
The two class actions were filed on February 13, 2026, in the U.S. District Court for the Northern District of Illinois, consolidated under Case 1:2026cv01688. The plaintiffs seek statutory damages of $15,000 per violation for intentional or reckless violations of GIPA, and $2,500 per violation for negligent violations. Given that thousands of patients likely had their genetic information shared with 75 different third parties, the potential damages exposure is substantial.
If a single patient’s genetic data was shared with 75 companies without consent, that could constitute 75 separate violations, each carrying a potential $15,000 damage award. Beyond monetary damages, the plaintiffs seek injunctive relief—court orders requiring Tempus AI to stop the unlawful sharing and implement safeguards to prevent future disclosures. They also seek recovery of attorneys’ fees and the costs of notifying affected class members. The plaintiffs are pushing for class certification, which would allow thousands of affected individuals to pursue claims collectively rather than requiring each patient to file an individual lawsuit.
What This Means for Genetic Privacy and the Future of Data Sharing
The Tempus AI case highlights a growing tension in the medical research ecosystem: genetic databases are valuable research resources, yet patients often don’t understand how broadly their genetic information will be shared once they provide a DNA sample. Companies view genetic data as a valuable commodity for drug development and precision medicine research. Patients often see genetic testing as a personal health tool, not realizing their DNA may end up in commercial research databases.
The lawsuits suggest that courts may take an increasingly skeptical view of “de-identification” claims when applied to genetic data. If this case proceeds to judgment and plaintiffs prevail, it could establish that genetic information is categorically difficult or impossible to truly de-identify, which would impose stricter consent requirements on genetic testing companies. This could slow the pace of genetic research and drug development—a tradeoff between patient privacy and the speed of biomedical innovation. For now, the case represents a test of whether GIPA provides meaningful protection for genetic privacy, or whether the law’s consent requirements can be sidestepped through the acquisition and re-sharing of existing databases.