Genetic Data and Artificial Intelligence Training Following Acquisitions: Emerging Litigation Risk and a Rapidly Expanding State Regulatory Landscape

Genetic Data and Artificial Intelligence Training Following Acquisitions: Emerging Litigation Risk and a Rapidly Expanding State Regulatory Landscape

https://www.crowell.com/en/insights/client-alerts/genetic-data-and-artificial-intelligence-training-following-acquisitions-emerging-litigation-risk-and-a-rapidly-expanding-state-regulatory-landscape

Publish Date: 2026-05-07 04:03:00

Source Domain: www.crowell.com

• Emerging Litigation on Genetic Data Repurposing: Several class actions have been filed against Tempus AI, highlighting the legal risks of repurposing genetic and clinical data for AI without adequate consent post-acquisition.

• Broader Litigation Trend: These lawsuits reflect a growing trend of plaintiffs’ lawyers scrutinizing the legality of repurposing sensitive health and genetic data for AI training and commercialization following company acquisitions.

• Challenges with De-Identification: Recent legal cases argue that de-identification alone is insufficient to protect genetic data, which is inherently identifying and can be re-identified through public databases or familial links.

• Expanding Genetic Privacy Regulation: Numerous state legislatures are enacting stricter genetic privacy laws with more granular authorization and stronger restrictions on secondary uses, beyond the HIPAA standard.

• Data Governance as a Core Risk: Organizations are advised to incorporate data governance into their core risk management strategy, especially concerning genetic data use for AI purposes.

• Distinct AI Data Use Considerations: Organizations should treat AI model training separately from the initial data consent obtained for diagnostic or treatment purposes.

• Reassessing De-Identification Practices: Organizations must reevaluate de-identification methods, access controls, and legally compliant practices tailored to the state governing their data.

• Comprehensive M&A Diligence: M&A due diligence should include an assessment of consent scope and state-law compliance, particularly when acquiring targets with genetic data assets.

• Organizations Need Tailored Compliance Programs: Organizations holding genetic datasets need tailored compliance programs incorporating jurisdictional legal requirements and more than just HIPAA standards.