Healthcare AI Firm Sued Over Alleged Unlawful Disclosures of Genetic Data

Posted by Steve Alder

Tempus AI, a publicly traded healthcare artificial intelligence company, is facing multiple class action lawsuits over the alleged unauthorized collection and disclosure of genetic testing results, which were derived from genetic testing by Ambry Genetics Corporation (Ambry Genetics).

Ambry Genetics offers comprehensive genetic testing services, including screening and diagnosis of inherited and non-inherited diseases. Tempus AI was founded in 2015 and builds tech solutions around clinical care and research products. In February 2025, Tempus AI acquired Ambry Genetics for $600 million, and as a condition of the acquisition, Ambry Genetics was required to disclose its vast database of genetic data to Tempus AI. The database contained the genetic information of hundreds of thousands of individuals.

Tempus AI used Ambry Genetics’ genetic database to train its AI models. Tempus AI had signed agreements with more than 70 companies, including large and mid-sized pharmaceutical firms such as AstraZeneca, Bristol Myers Squibb, Pfizer, and GlaxoSmithKline, and biotechnology firms such as Incyte, Servier, Aspera Biomedicines, and Whitehawk Therapeutics. Genetic data derived from Ambry Genetics testing services was provided to those clients under those agreements.

Several class action lawsuits were filed against Tempus AI over the use of genetic data to train the AI models and the subsequent disclosures of genetic data. The lawsuits were consolidated into a single complaint – Farrier et al v. Tempus AI, Inc. – on April 15, 2026, in the U.S. District Court for the Northern District of Illinois. The lawsuit alleges that Tempus AI violated the Illinois Genetic Information Privacy Act (GIPA) and other state statutes by compelling Ambry Genetics to disclose the genetic data collected through its testing services and violating the same laws by disclosing the genetic data through its agreements with third-party partners. The lawsuit claims that Tempus AI has profited enormously from selling genetic data without the knowledge or written consent of the data subjects. The lawsuit alleges that the class members’ genetic data was disclosed to those clients in deals totaling $1.1 billion.

Tempus AI claims to have a clinical and molecular data library consisting of 45 million de-identified patient records, including 8.5 million clinical records, 2 million medical images, and 1 million matched clinical-genomic records. The lawsuit alleges that Tempus AI and Ambry Genetics misled the public by claiming that they only disclose de-identified genetic information, when that is not the case. Further, the lawsuit claims that genetic information “cannot be deidentified because such data serves as an inherently unique biomarker,” and like DNA, the information is inherently identifiable.

The 21-count lawsuit asserts claims for negligence, unjust enrichment, fraudulent concealment, Conversion, invasion of privacy-intrusion upon seclusion, breach of contract, breach of implied contract, breach of fiduciary duty, and violations of consumer and data protection laws, deceptive trade practices laws in California, Florida, Georgia, Illinois, Michigan, New York, and West Virginia.

The plaintiffs seek a jury trial and damages, injunctive relief, and any other remedies that the Court deems appropriate to redress Tempus AI’s alleged unlawful and unauthorized data collection and disclosures, including an order from the court compelling Tempus AI to cease sharing individuals’ genetic data without first providing the data subjects with proper notice and obtaining their written consent.

The post Healthcare AI Firm Sued Over Alleged Unlawful Disclosures of Genetic Data appeared first on The HIPAA Journal.

Absolute Dental Settles Class Action Data Breach Lawsuit for $3.3M

Posted by Steve Alder

A class action lawsuit filed against Absolute Dental Group, LLC, and Judge Consulting, Inc., over a 2025 data breach has been settled for $3,300,000. Absolute Dental is a Nevada-based dental care provider, and Judge Consulting is a provider of technology consulting, staffing solutions, and corporate training services. Absolute Dental contracted with Judge Consulting as its managed services provider and was responsible for the daily management and operations of Absolute Dental’s IT systems.

Absolute Dental identified suspicious activity within its network on February 26, 2025, and the forensic investigation confirmed that an unauthorized third party accessed its network between February 19, 2025, and March 5, 2025. Access was gained through an account associated with Judge Consulting. The hackers had access to names, contact information, Social Security numbers, driver’s license numbers, health information, health insurance information, financial information, and other sensitive data. The data breach was one of the largest of the year, affecting 1,223,635 individuals.

Several class action lawsuits were filed in response to the data breach, which were consolidated into a single complaint – Jordan et al. v. Absolute Dental Group, LLC, et al., – in the U.S. District Court for the District of Nevada. The lawsuit alleged that the defendants failed to adequately secure patient data, failed to properly monitor their systems for intrusions, and failed to provide timely notice to the victims of the breach. The lawsuit asserted claims for negligence, negligence per se, breach of contract, breach of implied contract, unjust enrichment, breach of fiduciary, breach of confidence, invasion of privacy, violations of the Nevada Privacy of Information Collected on the Internet From Consumers Act, and declaratory and injunctive relief.

Following mediation, the plaintiffs and the defendants agreed to a settlement that was acceptable to all parties, with no admission of wrongdoing, fault, or liability by the defendants. A $3,300,000 settlement fund will be established to cover attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the five class representatives. The remainder of the settlement fund will be used to pay for benefits for the class members.

Class members may choose to submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or they may claim an alternative pro rata cash payment, the value of which will depend on the number of valid claims received. Residents of California at the time of the data breach also qualify for an additional cash payment. The deadline for objection to and exclusion from the settlement is June 9, 2026. Claims must be submitted by June 18, 2026, and the final approval hearing has been scheduled for July 30, 2026.

The post Absolute Dental Settles Class Action Data Breach Lawsuit for $3.3M appeared first on The HIPAA Journal.

OPM’s Plan to Collect Federal Employees’ Health Insurance Data Attracts Strong Criticism

Posted by Steve Alder

A proposal to allow the Office of Personnel Management (OPM) to collect the personally identifiable health information of federal employees and their family members has attracted strong criticism due to privacy and security risks, and the potential for HIPAA violations and data misuse.

Per the December 12, 2025, notice about the information collection request (ICR) – Federal Employees Health Benefits (FEHB) and Postal Service Health Benefits (PSHB) Programs Service Use and Cost Data – OPM requires insurance carriers to submit FEHB and PSHB program claims data to OPM. Under the proposal, insurance carriers are required to make monthly submissions of claims-level data, including the protected health information of current and former federal workers and their family members, including personal identifiers. According to OPM, the data will “enable OPM to oversee health benefits programs and ensure they provide competitive, quality, and affordable plans.”  While there are clear benefits to be gained from collecting and analyzing the data, such as lowering costs and improving care quality, the proposal has raised significant privacy and security concerns.

The Trump administration is seeking unprecedented access to workers’ medical information– information protected under the Health Insurance Portability and Accountability Act (HIPAA). The data being sought is not government data; it is protected health information maintained by HIPAA-regulated entities. Information submitted to OPM under the proposal would populate a government database, but OPM has failed to fully explain exactly how that information will be used, maintained, and protected. As such, there are legitimate concerns that the requested data may be used for reasons other than the stated purpose, especially given the Trump administration’s attempts over the past 12 months to obtain personal information from the Social Security Administration and the Internal Revenue Service.

“OPM is collecting service use and cost data from FEHB and PSHB Carriers, including medical claims, pharmacy claims, encounter data, and provider data. This data will enable OPM to oversee health benefits programs and ensure they provide competitive, quality, and affordable plans,” explained OPM in the notice. “OPM requires Carriers to report necessary information and permit audits and examinations to manage the FEHB Program effectively.”

In the notice, OPM explains that under HIPAA, covered entities such as health plans are permitted to disclose protected health information – including service use and cost data – to health oversight agencies, including OPM, for oversight activities authorized under 45 CFR 165.512(d)(1). The notice calls for 65 carriers to make ongoing, monthly submissions of claims-level data and quarterly manufacturer rebate data for federal employees and retirees. The carriers hold data for more than 8 million Americans, including federal workers, mail carriers, retired members of Congress, and their immediate family members.

The use of such broad terms for data categories has set alarm bells ringing. OPM will potentially be provided with a huge volume of sensitive, personally identifiable information, including information about treatments sought and received. Encounter data, for instance, could potentially encompass full medical records and doctors’ notes, information over and above what is necessary for the stated health oversight activities.

De-identified data could potentially be used to achieve the stated purpose, but OPM makes no mention of stripping out personal identifiers. As such, there are legitimate concerns from privacy groups that OPM could create a huge database of highly sensitive information that could easily be misused. For instance, for targeting specific employees based on the healthcare services they sought and received, or assisting the administration with its DEI, gender-affirming care, and reproductive health care initiatives, or any other healthcare services being targeted.

Aside from the potential for data misuse, the proposal will create significant compliance and legal risks for the carriers. OPM states in the notice that the HIPAA Privacy Rule permits disclosures of protected health information for health oversight activities, but requests a broad swathe of protected health information, the provision of which will likely violate the minimum necessary standard.  The minimum necessary standard – 45 CFR 164.502(b), 164.514(d) – applies to data disclosed for health oversight activities. “When using or disclosing protected health information or when requesting protected health information… a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

In its current form, the proposal lacks detailed information about the purpose for the disclosure, and the broad categories of data requested will require carriers to walk a HIPAA compliance tightrope. While the Trump administration may have no intention of enforcing HIPAA compliance regarding the OPM data disclosures, future administrations may take an entirely different view, and the data disclosures will expose carriers to significant legal risk. It is currently unclear how carriers intend to comply with the proposal.

While HIPAA permits disclosures of protected health information for health oversight activities, they are not required disclosures under HIPAA. Carriers may choose to only disclose information that they deem appropriate and necessary, although, without further detail about the exact purposes for the disclosures, it will be difficult to determine what information is appropriate and necessary, and the compliance and administrative burden would be significant.

In addition to concerns about protected health information being provided to the government and how that information will be used, concerns have been raised about OPM’s ability to protect a database of highly sensitive protected health information, given the extent to which government entities are targeted by threat actors, and OPM’s and the Trump administration’s history of safeguarding sensitive data. OPM experienced two massive data breaches in 2015, one involving the personal information of 4.2 million current and former federal employees and another involving the theft of the personal records of more than 22 million Americans. The Chinese government is alleged to have been behind the attacks.

The proposal has attracted significant criticism. The Association of Federal Health Organizations (AFHO) points out that this is not the first time that OPM has sought to establish a healthcare claims data warehouse, having made a similar proposal in 2010. The same HIPAA compliance concerns that were voiced 16 years ago still apply to the latest proposal. AFHO had argued that only de-identified data should be shared; however, today, the sharing of de-identified data with OPM carries significant compliance risks. AFHO is concerned that, given the detailed information OPM already has on enrolees and their family members, there is a risk that de-identified data could be re-identified, and the HIPAA Privacy Rule does not permit the sharing of de-identified data when there is a risk of reidentification. AFHO suggests an agreement between OPM and the CMS to use the CMS edge server system to query data, thereby eliminating the risk of re-identification, or to enter into a contract with the Health Care Cost Institute, which could translate raw data into actionable insights.

Robert H. Shriver, III, Managing Director of Civil Service Strong, a project of Democracy Forward Foundation, voiced strong opposition to ICR. Specifically, due to the failure of OPM to justify the proposed data collection and clearly state exactly how the data will be used, the failure to explain how data will be safeguarded, and the risk of data abuse. “OPM’s ICR is especially concerning given the Trump-Vance Administration’s explicit contempt for federal workers and its pattern of recklessness with highly sensitive data,” wrote Shriver in comments in response to the ICR notice. He said the Trump administration has demonstrated that it cannot be trusted with sensitive data, citing the recent admission by the Trump administration that sensitive Social Security Administration data was sent to unauthorized individuals, shared on nongovernmental servers, and, through DOGE activities in particular, it is “playing fast and loose with government data.”

Jonathan Foley, a former OPM employee who advised on the FEHB program under the Obama and Biden administrations, believes there are valuable benefits to be gained from collecting and analysing personally identifiable data, but warned of the considerable potential for data misuse and the privacy risks. In his comments in response to the notice, Foley said the Trump administration has a poor record of properly handling sensitive information and has attempted to link identifiable data across federal programs and use it for reasons unrelated to the original purpose for which the data was collected. Foley suggests that de-identified data could be collected and maintained by a trusted entity other than OPM, with guardrails preventing federal authorities from demanding direct access to the data from that trusted entity. CVS Health suggests that OPM should convene a stakeholder working group to determine the specific data elements required to support the requested goals and to establish a consistent reporting framework.

Most recently, on April 17, 2026, a group of 16 Democratic members of the House Oversight Committee wrote to OPM Director Scott Kupor and Office of Management and Budget Director Russell Vought, calling for the withdrawal of the proposed plan due to the potential for data misuse, HIPAA violations, and concern that OPM lacks the necessary safeguards to responsibly protect sensitive data. “More than 8 million Americans receive health insurance under the FEHB and PSHB programs, including federal workers, mail carriers, and their immediate family members. They should be able to make medical decisions in consultation with their doctors—not the federal government,” wrote the senators. “We therefore demand that OPM halt all plans to collect private health insurance data and provide a briefing on the decision to enact this policy.” The senators have asked the Directors to explain the decision to obtain such an expansive dataset without any guardrails or protections for employee privacy.

The post OPM’s Plan to Collect Federal Employees’ Health Insurance Data Attracts Strong Criticism appeared first on The HIPAA Journal.

Minidoka Memorial Hospital Recovering from Easter Cyberattack

Posted by Steve Alder

Minidoka Memorial Hospital was the victim of a cyberattack on Easter morning, and two further healthcare providers have confirmed they have been affected by the data breach at business associate Doctor Alliance: A Path of Care Home Health and Hospice and Team Select Holdings.

Minidoka Memorial Hospital, Idaho

Minidoka Memorial Hospital in Rupert, Idaho, has confirmed media reports of a cybersecurity incident. On April 17, 2026, Minidoka Memorial Hospital issued a statement on its Facebook page confirming that it experienced a cyber incident on Easter morning that temporarily impacted some of its computer systems.

While the incident did not prevent the hospital from providing care to patients, certain emergency patients were transferred to Intermountain Health Cassia Regional Hospital due to the inability to access certain medical imaging systems. Full access to those systems was restored on April 19, 2026. Minidoka Memorial Hospital said it was not necessary to postpone scheduled appointments, and patients with new health concerns continued to be treated, with the hospital operating under established downtime procedures until such time as systems are restored.

The investigation into the incident is ongoing, and the extent of unauthorized access to patient data has yet to be determined. According to Databreaches.net, a new threat group called Blackwater has claimed responsibility for the attack and has threatened to release the stolen data on April 24, 2026, if the ransom is not paid. Minidoka Memorial Hospital is one of three victims currently listed on the darkweb data leak site.

A Path of Care Home Health and Hospice, Oklahoma

A Path of Care Home Health and Hospice in Oklahoma has notified 3,849 individuals about a data breach at its business associate, Doctor Alliance. Doctor Alliance notified A Path of Care Home Health and Hospice on January 12, 2026, that it had been affected by the incident. A Path of Care Home Health and Hospice confirmed that the breach was limited to Doctor Alliance systems and that its own IT systems were unaffected.

The incident involved unauthorized access to documents containing patient information via a Doctor Alliance web portal between October 31, 2025, and November 17, 2025. The data compromised in the incident was limited to names, addresses, dates of birth, medical record numbers, dates of care, and diagnosis and treatment information. Doctor Alliance confirmed to A Path of Care Home Health and Hospice that several steps have been taken to improve security, including enhancing access controls, expanding monitoring capabilities, and strengthening detection, logging, and alerting measures. A Path of Care Home Health and Hospice has also taken steps to reduce the risk of similar incidents in the future, including conducting additional checks to ensure that medical record requests are coming from a verified source.

A Path of Care Home Health and Hospice is aware of claims that some of the information accessed by the unauthorized third party was further disclosed to other unauthorized individuals, although Doctor Alliance denied any knowledge of any further disclosures.

Team Select, Arizona

Team Select Holdings in Arizona and its affiliated entities were also affected by the data security incident at Doctor Alliance, although the breach was more limited, affecting 949 individuals. Team Select used the Doctor Alliance document management platform to facilitate physicians’ signatures on physician orders and notes. On January 11, 2026, Team Select was informed that it had been affected and that there had been unauthorized access to the platform between November 4, 2025, and November 6, 2025, and between November 14, 2025, and November 17, 2025.

Data compromised in the incident included names, Social Security numbers, dates of birth, addresses, phone numbers, gender information, medical record numbers, dates of care, Medicare or Medicaid IDs, diagnoses, medications, treatment information, physician information, and/or home health provider information. Team Select said it is reviewing its existing policies and procedures with its third-party vendors and working to evaluate additional measures that can be implemented to reduce the risk of similar incidents in the future.

The post Minidoka Memorial Hospital Recovering from Easter Cyberattack appeared first on The HIPAA Journal.