by Raffaella Aghemo

The new arena where economic and power interests converge in the field of artificial intelligence is the healthcare sector – a critical and structurally sensitive area in which fundamental human rights are intertwined.

Tempus AI is a publicly listed company that recorded a turnover of $1.27 billion in the 2025 financial year, as well as a technology firm dedicated to ‘building innovative technology solutions geared towards products for clinical care and research’, such as ‘Hub’, ‘One’, ‘Now’, ‘Pixel’ and ‘Lens’.

In 2025, Tempus acquired Ambry Genetics for $600 million and, it appears, trained its artificial intelligence model using the genetic data collected by Ambry and all the data from its own genetic library of clinical and molecular data, containing over 45 million anonymized patient records, including 8.5 million research data points, 1 million matched clinical-genomic data sets and 2 million diagnostic images. This asset was then, it appears, sold to over seventy pharmaceutical companies, including AstraZeneca, Bristol Myers Squibb and Pfizer, through agreements worth an estimated $1.1 billion.

«Founded in 1999, Ambry Genetics Corporation (“Ambry”) is a healthcare provider operating throughout the United States. Through its online services, Ambry offers a comprehensive range of genetic tests, with over 300 tests for the screening and diagnosis of hereditary and non-hereditary conditions, such as cancer, heart disease, neurodevelopmental disorders, and other medical conditions». Ambry has amassed its vast amount of genetic data by offering at-home genetic testing kits and laboratories. Ambry’s customers receive at-home genetic testing kits that allow them to send in blood or saliva samples.

Tempus is now facing several class-action lawsuits in the Federal Court in Chicago. The company itself admits: ‘…in its Investor Presentation of 24 February 2025, “Tempus offers germline sequencing (xG) for hereditary risk, using Ambry as a supplier”, “Ambry generates vast amounts of data on approximately 400,000 patients it sequences each year[, and] Tempus can leverage this data to augment its current data offering[,]” and “Ambry’s product line enables Tempus to expand immediately into new categories.”

The complaint, filed on 15 April 2026 against Tempus AI, is set against a backdrop already rife with ambiguity: that of the secondary use of health data and genetic biomarkers as raw material for artificial intelligence systems. This is not an isolated dispute, but a development that highlights a deeper, almost structural problem.

At the heart of the complaint lies an alleged breach of the Illinois Genetic Information Privacy Act (“GIPA”), a law which expressly provides, in Section 15: “that ‘genetic tests and information derived from genetic tests shall be confidential and protected and may be disclosed only to the individual tested and to persons specifically authorized in writing by that individual to receive the information’”, and which attributes a different status to genetic data compared to other health data. It is not merely sensitive; it is considered intrinsically identifying and therefore deserving of enhanced protection. Within this framework, the complaint alleges that the company built up and exploited a wealth of information derived from genetic testing, integrating it into its models and sharing it with industrial partners, without there being explicit and specific consent for such uses.

Page 2 of the complaint states: ‘As a necessary part of the acquisition, Tempus AI compelled Ambry to disclose its vast database of genetic information, including that of the plaintiffs and class members, without the knowledge or written consent of the plaintiffs and class members, in violation of state laws and common law’, a database subsequently resold to over 70 pharmaceutical companies.

Tempus AI has derived enormous profits from its unlawful conduct. Indeed, Tempus AI’s reported turnover rose from $145.8 million in the first quarter of 2024 to $255.7 million in the first quarter of 2025, an increase of 57%. For these reasons, the claimants bring this action, on their own behalf and on behalf of those in similar circumstances, to seek damages, injunctive relief and any other remedy the Court may deem appropriate.”

The class consists of residents of a state other than that of the defendant, there are more than 100 class members, and the total amount in dispute exceeds $5 million, excluding interest and costs.

«Genetic data is among the most sensitive categories of personal data. It is inherently unique to each individual, immutable and predictive of present and future health conditions. Unlike other identifiers, genetic data cannot be altered and, if disclosed, may reveal information not only about an individual but also about their biological relatives. Because genetic data can be used to infer disease risk, ancestry, family history and other deeply personal attributes, its disclosure creates acute and ongoing risks to privacy, discrimination and even personal safety».

The legal crux of the matter is clear: consent obtained in a clinical setting, even when formally valid, cannot automatically be extended to other contexts. Diagnosis, treatment, internal research and commercial development are not the same thing, and treating them as if they were risks rendering consent meaningless. The complaint emphasizes this distinction, making it the central focus of the case.

There is then a more radical argument, concerning the very notion of anonymization. The typical defense in such cases relies on the ‘de-identification’ of data, but the indictment seeks to dismantle this premise by arguing that genetic data, by its very nature, cannot truly be made anonymous. It is not merely a biological sequence: it is a persistent identifier, which retains the ability to be traced back to an individual even when separated from personal details. If this approach were to be accepted, the consequences would be significant, as it would undermine one of the main arguments currently justifying the large-scale secondary use of health data.

Moreover, page 12 of the document states: ‘In 2020, unauthorized individuals breached Ambry’s systems, gaining access to the protected health information of 232,772 patients. Ambry was aware of the identity of the patients concerned because it informed its clients that the breach involved ‘emails and attachments containing sensitive patient data such as names, diagnoses and other medical information, with a subset of patients also having their National Insurance numbers exposed.’

In this context, consent ceases to be a formality and becomes a framework. It is not enough for it to exist; it must be structured in a manner consistent with the actual purposes of the processing. When data enters complex economic circuits, is integrated into predictive models and contributes to the generation of value for third parties, it becomes difficult to argue that generic or implied consent is sufficient. The complaint focuses precisely on this disparity between what the patient authorizes and what subsequently occurs. And the lack of consent aligns well with Count VI of the indictment, namely the alleged violation of the Illinois Consumer Fraud and Deceptive Trade Practices Act.

As if that were not enough, it is further stated that Tempus AI’s conduct created a foreseeable risk of harm to the claimants. Its misconduct included, but was not limited to, its failure to obtain the plaintiffs’ explicit written consent, but even prior to that, at the time when

  1. it compelled Ambry to disclose,
  2. it disclosed as part of the acquisition of Ambry and
  3. it disclosed to third-party partners as part of a series of data-sharing agreements.

At its core, a broader transformation is taking shape. Genetic data are no longer merely clinical tools, but strategic assets. They feed into models, guide pharmaceutical research and build competitive advantages. This shift also alters the legal significance of consent: from a safeguard of individual freedom to a mechanism legitimizing a data economy.

At this point, we must assess the situation and ask ourselves: how does the legitimate defence of privacy, the confidentiality of one’s genetic data, respect for the trust of the client/consumer, and the sacrosanct need to prevent the unjust enrichment of multinationals with dubious business ethics, fit into this new reality, where a system such as the healthcare system is, in fact, the issue of the collective interest, or the benefit that may derive from the aggregated use of this data, for the purposes of personalized medicine and therapeutic innovation?

The significance of this case lies precisely in its ability to highlight a new and inevitable divide: consent, as conceived within the traditional healthcare context, no longer seems sufficient to govern ecosystems in which data circulates, transforms and generates value in ways that patients can scarcely anticipate.

Perhaps today we legal professionals are called upon to think not only in terms of infringement, but also and above all in terms of the adequacy of the legal categories through which we continue to interpret these phenomena.

For those wishing to read the 68-page complaint, here is the link: https://ismg-cdn.nyc3.cdn.digitaloceanspaces.com/asset_files/external/tempus-ai-complaint-4-15-26.pdf.

All Rights Reserved

Raffaella Aghemo, Lawyer