On February 13, 2026, a putative class filed a Complaint in the U.S. District Court for the Northern District of Illinois alleging that Tempus AI, Inc. (“Tempus AI”) violated the Illinois Genetic Information Privacy Act (410 ILCS 513/1 et seq., “GIPA ”). The plaintiffs claim Tempus AI unlawfully obtained and disclosed genetic information belonging to customers of Ambry Genetics Corporation (“Ambry Genetics”) in connection with Tempus AI’s February 2025 acquisition of 100% of Ambry’s equity.
The lawsuit highlights two core issues: (1) whether an acquiring company may lawfully access a target’s sensitive genetic data without renewed written authorization from the applicable individuals, and (2) whether genetic data can ever be meaningfully de-identified.
GIPA
GIPA is Illinois’s primary statute governing the collection, use, and disclosure of genetic information. It is designed to prevent unauthorized use or disclosure of genetic data and to prohibit discrimination based on genetic information, particularly in employment and insurance.
GIPA applies broadly to any person or entity that collects, uses, stores, or discloses genetic test results, unless a statutory exception applies. Genetic information may only be released to the tested individual unless that person provides specific written authorization. Further, any recipient of genetic information is prohibited from redisclosing it unless the Act expressly permits it or the individual authorizes it.
GIPA provides a private right of action to anyone aggrieved by a violation. Plaintiffs must show actual harm, but damages range from $2,500 to $15,000 per violation depending on whether the conduct was negligent, reckless, or intentional.
The Complaint
According to the Complaint, Tempus AI required Ambry Genetics to transfer its entire database of genetic information, including the plaintiffs’ data, as part of the acquisition, but did not obtain the written authorizations GIPA requires prior to doing so. Plaintiffs further allege that Tempus AI disclosed this genetic information to 75 third parties, including pharmaceutical and biotechnology companies, again without required consent. The plaintiffs seek statutory damages, injunctive relief to prevent further disclosures, attorneys’ fees, and certification of both a nationwide class and an Illinois subclass.
The DNA De-Identification Problem
Tempus AI and Ambry publicly state, through the Tempus AI “Consumer Health Privacy Notice” and Ambry Genetics’ “Notice of Privacy Practices” that they disclose only “de-identified” genetic data and may use such de-identified data for any lawful purpose.
The Complaint challenges this position. Plaintiffs argue Ambry’s prior data breach shows Ambry maintained links between genetic data and personal identifiers, demonstrating that the data was not truly de-identified. Plaintiffs also rely on a Federal Trade Commission Biometric Information Policy Statement stating the “[b]iometric information also includes data derived from such depictions, images, descriptions, or recordings [of genetics], to the extent that it would be reasonably possible to identify the person from whose information the data had been derived.” The FTC doubled down on this assertion in a (now removed) post titled “The DNA of Privacy and the Privacy of DNA” stating, “While some other data types can be stripped of identifying characteristics, that’s not necessarily the case when it comes to genetic information.” Because DNA reveals information about an individual and their relatives, plaintiffs contend that genetic data cannot ever be “de-identified” in the conventional sense.
Key Takeaways
Businesses handling genetic information–or acquiring companies that inherit it–should consider the following:
- Strict compliance is essential. State genetic privacy statutes, not just Illinois’s, impose stringent requirements on the handling and disclosure of genetic data.
- M&A diligence must include genetic privacy risk. Acquirers must evaluate whether genetic information can legally be transferred and whether individual authorizations are required.
- De-identification may not be a safe harbor. Genetic data may be treated as inherently identifiable, making reliance on de-identification risky.
- Public privacy statements matter. Inaccurate or overly broad claims about de-identification or data practices can create liability.
- The financial exposure is significant. Statutory damages, especially aggregated across a class, can be substantial, and some state laws that are similar to GIPA impose criminal penalties.
- Security obligations persist post-acquisition. Prior breaches and the re-linkability of genetic data underscore the need for robust privacy and security programs.
For more information about how genetic data can be shared by businesses see: To Delete or Not to Delete: Can 23andMe Really Sell Genetic Data Via Bankruptcy?
For more information on privacy and cybersecurity obligations affecting healthcare organizations, please contact Alston & Bird’s Privacy, Cyber, and Data Strategy Team or Health Care Team, and sign up for alerts at AlstonPrivacy.com.
