Health Data Privacy

State of play.

• Acquisition-triggered genetic data transfers are now a class-action target. The Tempus AI litigation — seven named plaintiffs across six states, filed in N.D. Ill. — tests whether a $600M acquisition of a genetic testing firm converts the acquired patient database into freely licensable AI training data, and whether de-identification defeats state genetic privacy claims .
• AI inference liability has shifted from data collectors to data deployers. State AG enforcement, COPPA amendments, and California's January 2027 opt-out deadline collectively reframe exposure: companies using third-party AI tools bear liability for what those tools infer, not just what they collect (→ What Your AI Knows About You).
• The ShinyHunters Canvas breach has escalated from silent data theft to public extortion, with defacement of login portals at approximately 330 institutions, a claimed 275-280 million records across potentially 9,000 institutions, and FERPA, GDPR, and state notification obligations all simultaneously in play .
• Federal standing doctrine for pixel-tracking claims now turns on data sensitivity. In Tash, a federal court held that disclosure of health-related data constitutes concrete injury without proof of financial loss; non-sensitive identifier linkage does not .
• Alabama is the 21st state with a comprehensive privacy statute, effective May 1, 2027, with explicit consent required for health data and biometrics and AG-only enforcement at up to $15,000 per violation .
• For counsel advising healthcare technology companies, wearable manufacturers, life sciences acquirers, educational institutions, or AI platform vendors, the practical baseline is that health and biometric data now carry multi-front exposure — state genetic privacy statutes, HIPAA, class-action standing doctrine, FDA data provenance requirements, a thickening state AG enforcement posture, and active criminal extortion campaigns targeting institutional data — and post-acquisition data integration decisions, wearable product architecture, and vendor security posture are the highest-risk inflection points.

Where things stand.

• Genetic data de-identification is a contested legal proposition, not a compliance safe harbor. The Tempus AI complaints allege that genetic information is inherently re-identifiable regardless of what identifying fields are stripped — a theory that, if accepted, would eliminate de-identification as a shield under state genetic privacy statutes including Illinois GIPA .
• Post-acquisition data integration triggers independent consent obligations. The Tempus litigation frames the central question as whether an acquirer inherits the data rights of the target or must independently satisfy consent requirements — a gap that predates AI but is now being litigated in the AI training context .
• AI inference capabilities have outpaced existing privacy frameworks. AI systems now derive sensitive health, behavioral, and financial inferences from inputs that patients and consumers do not recognize as health data — triggering state transparency laws, COPPA amendments, and a deployer-liability shift flagged by Baker McKenzie (→ What Your AI Knows About You).
• Wearable and beauty tech biometric data is regulated as sensitive personal information under multiple state regimes. Facial mapping, body scanning, and wearable health metrics are now classified as sensitive personal information under omnibus consumer privacy laws in California, Connecticut, Indiana, Kentucky, Rhode Island, Washington, and Nevada — outside HIPAA's covered-entity framework and subject to explicit consent requirements, data minimization obligations, and state AG enforcement (→ Fashion, Beauty, Wearable Brands Face Stricter 2026 Privacy Rules).
• California's 2026 AI transparency regime is the leading compliance deadline. AB 566, AB 853, and SB 53 activated January 1, 2026; opt-out mechanisms for automated decision-making are required by January 2027. Colorado's AI Act is phasing in through June 30, 2026. The EU AI Act reaches full implementation in August 2026 (→ What Your AI Knows About You).
• FDA now requires data provenance documentation for AI/ML regulatory submissions. The FDA's AI/ML framework explicitly demands traceable, auditable training data — converting what was previously best practice into a regulatory requirement with enforcement teeth for pharma-AI transactions .
• Data provenance is a deal-breaker in pharma-AI M&A and licensing. A&O Shearman's guidance identifies three exposure areas in AI-pharma transactions: EHR/real-world evidence lacking patient authorization, misaligned data ownership and audit responsibilities, and training data that cannot withstand FDA scrutiny .
• Standing doctrine for health data claims now bifurcates on sensitivity. The Tash ruling creates a pleading standard: allege that the disclosed data was sensitive, and the disclosure itself is injury-in-fact; allege only identifier linkage without sensitivity, and the claim fails at the threshold .
• The state privacy patchwork now covers roughly 46% of the U.S. population. Alabama's enactment as the 21st state — with explicit consent for health data, no private right of action, and AG-only enforcement — reflects the dominant legislative template: business-friendly enforcement structure, but real substantive obligations on sensitive data categories .
• Consumer-facing AI health tools are generating a distinct privacy exposure vector. The practice of uploading personal health records to general-purpose AI chatbots sits outside HIPAA's covered-entity framework, creating a gap that state privacy statutes and FTC authority are beginning to address .

Latest developments.

• ShinyHunters defaced Canvas login portals at approximately 330 educational institutions, claiming 275-280 million records across 3.65 terabytes; Instructure has not confirmed scope; the University of Pennsylvania reported 306,000 affected users; the FBI and CISA are investigating; affected institutions face simultaneous FERPA, GDPR, and state notification obligations .
• Wearable and beauty tech health data — stress, sleep, menstrual tracking, facial mapping — is now regulated as sensitive personal information under omnibus state privacy laws in seven states, with state AGs actively investigating cookie and pixel-tracking practices and class-action litigants challenging tracking under state wiretap statutes including California's CIPA; global GDPR fines exceeded €5 billion in 2025 (→ Fashion, Beauty, Wearable Brands Face Stricter 2026 Privacy Rules).

Active questions and open splits.

• Can genetic data be meaningfully de-identified under state privacy statutes? Tempus's core defense is that transferred data was de-identified; plaintiffs argue genetic information is inherently re-identifiable. Courts have not resolved this under GIPA or comparable state statutes — the answer reshapes the entire post-acquisition data integration playbook for life sciences .
• Do acquisition-related data transfers require independent consent? Whether an acquirer steps into the target's consent framework or must re-obtain authorization — particularly where original collection predated the AI training use — is unresolved and central to the Tempus litigation .
• What is the scope of deployer liability for AI inference? State transparency laws frame liability as resting with companies deploying AI, not just collecting data — but the precise doctrinal mechanism (negligence, statutory violation, warranty) is unsettled across jurisdictions (→ What Your AI Knows About You).
• How do wearable health data classification obligations interact across state regimes? Connecticut and Washington regulate wearable health metrics outside HIPAA, but the classification standards, consent triggers, and enforcement postures differ — leaving manufacturers of multi-state products without a unified compliance template (→ Fashion, Beauty, Wearable Brands Face Stricter 2026 Privacy Rules).
• Sensitive vs. non-sensitive data as the standing threshold. Tash creates a pleading bifurcation, but the boundary between "sensitive" and "non-sensitive" in the context of AI-inferred health data — where the system derives sensitive conclusions from ostensibly innocuous inputs — is not yet defined (→ What Your AI Knows About You).
• FDA data provenance requirements vs. HIPAA authorization gaps in pharma-AI deals. The FDA's AI/ML framework demands auditable training data, but many datasets used in drug discovery include EHR and real-world evidence that lacks explicit patient authorization for AI training — creating a compliance gap that neither HIPAA nor FDA rules cleanly resolve .
• Institutional vendor liability for LMS and cloud-platform breaches. The Canvas incident raises whether educational institutions bear independent notification and liability exposure when a third-party SaaS vendor is compromised — and whether existing vendor contracts allocate that risk adequately .

What to watch.

• Resolution of the ShinyHunters May 12 deadline and whether Instructure confirms breach scope — the confirmed record count will determine the scale of state notification obligations and likely trigger class-action filings against both Instructure and affected institutions .
• Motions to dismiss in the Tempus AI litigation — specifically how the N.D. Ill. court addresses the de-identification defense under GIPA and whether it certifies a multi-state class .
• Whether state AGs bring enforcement actions against wearable manufacturers and beauty tech companies for biometric data handling and pixel-tracking practices under the newly activated omnibus state privacy regimes (→ Fashion, Beauty, Wearable Brands Face Stricter 2026 Privacy Rules).
• California's January 2027 automated decision-making opt-out deadline — the first major compliance checkpoint under the 2026 transparency regime, and likely to generate enforcement guidance before year-end (→ What Your AI Knows About You).
• EU AI Act full implementation in August 2026 and whether it triggers compliance restructuring for US-based health AI and wearable platforms with EU exposure (→ What Your AI Knows About You, Fashion, Beauty, Wearable Brands Face Stricter 2026 Privacy Rules).
• FDA guidance on data provenance standards for AI/ML submissions — any formal guidance will harden the due diligence checklist for pharma-AI transactions .