Balancing Possibilities with Realities—Cyber and Privacy Legal Trends in Life Sciences

The life sciences sector sits at the intersection of rapid technological innovation and new opportunities to advance medicine, discover new treatments, and improve patient health outcomes. However, the life sciences sector is also under intensifying federal and state regulation and enforcement risk in cybersecurity, data privacy, and AI governance. 

Recent guidance from the U.S. Food and Drug Administration ("FDA") under Section 524B of the Federal Food, Drug, and Cosmetic Act ("FDCA") elevates cybersecurity from a set of recommendations to new, more prescriptive regulatory requirements across the complete product lifecycle. At the state level, there is a continuing patchwork of privacy, consumer health data, data security, and consumer protection laws imposing requirements beyond HIPAA.[i]  

Recent enforcement and litigation trends indicate new and expanded compliance and liability risks for entities handling health, biometric, and other human 'omic data (large-scale molecular data such as genomics) or biospecimen data. Against this backdrop, life sciences companies face the challenge of reconciling economic pressures with regulatory expectations and heightened enforcement risk in order to mitigate exposure and sustain responsible innovation.

FDA's Increased Focus on Cybersecurity 

FDA has steadily strengthened its cybersecurity guidance in response to the growing threats facing connected medical devices, or the Internet of Medical Things. If exploited, these threats can compromise patient safety and lead to breaches and disruptions of systems, devices, and data. What began as basic recommendations has evolved into comprehensive regulatory requirements spanning a product's lifecycle.

FDA's June 2025 final guidance, "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,"[ii] is its latest step in this progression. The guidance provides a framework for device cybersecurity and articulates the design, labeling, and documentation the agency considers necessary to support manufacturers' premarket submissions under Section 524B of the FDCA. It clarifies that cybersecurity is a core attribute to be integrated throughout the lifecycle of a device, including in demonstrating a "reasonable assurance of safety and effectiveness" in the premarket context and for significant post-market modifications.

Importantly, FDA explicitly links cybersecurity practices directly to design control requirements in the quality system regulation, to provide for consistency in meeting applicable requirements and specifications.[iii] At the same time, the agency emphasizes a secure product development framework that is risk-based so that cybersecurity design and documentation scale with the related risks for a particular device across its lifecycle.  

For pre-market submissions, FDA expects scaled, risk‑appropriate evidence showing cybersecurity by design (i.e., built into the product and its processes). Key compliance elements include a written cybersecurity risk management plan, threat modeling, clear security architecture documentation that explains how the device and related systems protect data and functions, and a software bill of materials covering third‑party and open‑source components. FDA also expects cybersecurity testing beyond standard verification and validation to include evidence showing addressed risks, and straightforward labeling for secure deployment, configuration, updates, logging, and end‑of‑support planning in the use environment.  

FDA has also advanced a parallel AI regulatory framework with substantial cybersecurity requirements. For example, FDA recently issued a draft guidance, "Artificial Intelligence-Enabled Device Software Functions: Lifecycle Management and Marketing Submission Recommendations,"[iv] outlining documentation and information expected in marketing submissions for AI-enabled software functions in support of FDA's evaluation of safety and effectiveness. This draft also provides recommendations for design, development, and implementation of AI-enabled devices throughout the lifecycle, and introduces cybersecurity considerations for such devices that qualify as "cyber devices" under Section 524B of the FDCA.  

Reflecting a continued commitment to enabling innovation while safeguarding patients, FDA's Digital Health Advisory Committee held meetings in November 2024 and 2025 to refine the agency's approach to generative AI-enabled devices, including AI-enabled digital mental health devices. FDA requested public comment on the best ways to measure and evaluate artificial intelligence-enabled medical device performance in the real world, with comments due by December 1, 2025.[v] 

Taken together, these developments reflect a clear regulatory trajectory: Cybersecurity and AI risk management are integral to quality, safety, and effectiveness for connected medical devices. As device connectivity increases and data ecosystems proliferate, these expectations intersect with expanding state-level privacy and cybersecurity requirements that govern how sensitive 'omic data are collected, secured, shared, and used—particularly outside the traditional HIPAA framework. 

Increased State Privacy and Cybersecurity Oversight

Some states are also intensifying oversight of cybersecurity and data privacy, including with regard to AI, consumer health data, and children's personal information. These state laws and regulations directly impact life sciences entities that handle substantial volumes of sensitive data across research, clinical, and commercial operations. These states are increasingly shaping how personal information—especially health, biometric, and genetic data—is governed throughout its lifecycle, including collection, use, sharing, retention, and security. This trend is reshaping core activities in the sector—including clinical trial data governance, digital therapeutics, the incorporation of wearable devices into clinical trials, and software as a medical device—while expanding the scope of entities subject to these evolving obligations. 

While HIPAA applies to covered entities and their business associates, which provides a baseline for in-scope functions, state laws are extending similar—and often more stringent—protections to non-HIPAA entities where health data falls outside the definition of "protected health information." For example, Washington's My Health My Data Act and Nevada's SB 370 were among the first health-focused state privacy and security laws regulating entities operating in the consumer realm through health, wellness, fitness, and medical monitoring websites, apps, wearables, and other technologies. While these laws echo HIPAA's requirements for administrative, technical, and physical security controls, they also incorporate industry-specific considerations and unique provisions, such as geofencing restrictions and expanded consumer rights. 

Some states are moving beyond HIPAA-like requirements in other respects as well. For instance, in early 2025, New York passed its Health Information Privacy Act, which will impose stringent security obligations far beyond prior state models.[vi] Regulated entities would face strict timelines for secure disposal of health information, and service providers would be subject to duties of confidentiality, data segregation mandates, and intrusive external security assessments. In March, Virginia amended the Virginia Consumer Protection Act to prohibit certain entities from "obtaining, disclosing, selling, or disseminating any personally identifiable reproductive or sexual health information without the consent of the consumer." The Virginia law broadly applies to covered entities that engage in consumer transactions—meaning many entities that do not deal in large amounts of consumer data may still be subject to the law. 

In addition to these health-specific frameworks, at least 19 states will have comprehensive privacy laws by early 2026. Nearly all treat health information as sensitive, imposing heightened obligations unless the law provides a data-level or entity-level exemption. The net effect is a complex compliance landscape: Entities that were not previously closely regulated now face extensive requirements; others must navigate parallel, and sometimes overlapping, regimes—HIPAA for certain operations and datasets, and state laws for others. 

Meanwhile, while California and New York remain leaders in privacy and security enforcement, multistate attorney general collaborations reflect growing enforcement coordination. Earlier this year, the California Privacy Protection Agency announced a collaborative "Consortium of Privacy Regulators," including California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon, focused on the implementation and enforcement of state privacy laws. As such initiatives mature and potentially expand, life sciences companies should anticipate rising state-level scrutiny over data practices that increasingly intersect with FDA's safety and quality expectations for connected devices and AI-enabled functions. 

These legislative developments do not operate in isolation. They are increasingly reflected in, and reinforced by, government enforcement and private litigation. 

Government Enforcement and Litigation Trends 

Enforcement actions and litigation trends against life science and biotechnology companies illustrate the growing need to stay apprised of these changing laws and manage compliance risks. Although FDA enforcement actions related to cybersecurity have been rare, that may soon change—the agency has taken the position that a failure to comply with cybersecurity requirements for cyber devices under Section 524B constitutes a prohibited act. That, coupled with mounting activity by federal and state enforcers and private plaintiffs, signals a material escalation in risk.[vii]  

At the federal level, in July 2025, the Department of Justice ("DOJ") reached a first-of-its-kind settlement with a biotechnology company that agreed to pay $9.8 million plus interest for allegedly violating the False Claims Act by making false claims regarding cybersecurity features of its software, failing to disclose cybersecurity vulnerabilities, and falsely representing that the software adhered to cybersecurity standards such as ISO and NIST. The complaint brought by DOJ specifically alleges that the company knowingly ignored cybersecurity vulnerabilities in its products and failed to mitigate, correct, or disclose them to the Government. Specifically, the company allegedly "improperly allowed elevated privileges to users running genetic tests on [its] products" and "hard-coded credentials, allowing users access to confidential patient data, without authentication."[viii] DOJ noted that the alleged claims were false and actionable, despite no allegations that an actual breach occurred.[ix] 

State attorneys general have also recently pursued enforcement against life sciences companies. In 2024, a biotechnology company agreed to pay a $4.5 million civil penalty and strengthen its cybersecurity practices to settle a lawsuit brought by the New York attorney general, who claimed the company had violated HIPAA when hackers accessed its network using two employee login credentials and installed malicious software.[x] The complaint alleged that the company lacked systems or processes to detect the attackers' activity, thereby allowing the hackers to obtain the patient data of 2.4 million people and violating HIPAA's requirement that "Covered Entities" put in place policies and procedures to prevent, detect, contain, and correct security violations.  

Meanwhile, in Texas, Attorney General Ken Paxton has garnered billions of dollars in settlements under the Texas Biometric Privacy Act, which prohibits a person from collecting an individual's biometric identifiers for commercial purposes without the individual's informed consent.[xi] Such state enforcement efforts have already expanded[xii] and may continue to expand as the federal government scales down the size of the administrative state, and attorneys general on both sides of the political spectrum find it politically expedient to pursue action against large health or biotechnology companies.

Private class action risks compound the potential exposure. In 2024, a genetic testing company paid $30 million to settle a class action after experiencing a data breach that allegedly violated HIPAA. That settlement was later increased to $50 million after 250,000 more customers submitted claims of loss resulting from the data breach.[xiii] The company ultimately declared bankruptcy, prompting the question of whether the company could sell its personal data to satisfy creditors. Twenty-eight state attorneys general objected to that idea and sued to block the company's proposed sale of personal genetic information. Pennsylvania Attorney General David Sunday said "[t]he millions of consumers … who paid for these services certainly did not expect their sensitive data to one day be sold off to the highest bidder."[xiv] In those cases, the state attorneys general cited the "inherent common law rights of ownership or control in their biological material," as well as "state-specific criminal statutes."[xv]

As a consequence, in May 2025, senators introduced the Don't Sell My DNA Act to prohibit the treatment of genetic information as a tradable bankruptcy asset. If passed, it would amend Title 11 of the U.S. Code to: (i) specifically exclude genetic information from estate liquidations; (ii) require affirmative written consent before any sale or lease of genetic data in a bankruptcy; and (iii) mandate that bankruptcy trustees delete genetic data using secure methods.  

The cumulative impact of these developments is significant. IBM's 2025 Cost of a Data Breach Report identifies pharmaceuticals and health care as among the costliest sectors for data breaches, reporting average estimated costs for relatively small incidents (i.e., incidents where between 2,960 and 113,620 records were compromised) of $4.61 million for pharmaceuticals and $7.42 million for health care, much of it driven by litigation and settlement expenses.[xvi] These figures, together with the trajectory of enforcement and private actions, reinforce a common theme across this article: Regulators and courts are converging on expectations that mirror FDA's cybersecurity and lifecycle governance principles, and deviations—whether in representations, documentation, or controls—carry tangible consequences.

Conclusion 

Cybersecurity and privacy have moved from peripheral compliance considerations to central determinants of safety, effectiveness, and enterprise resilience in the life sciences sector. To navigate this environment, life sciences organizations should integrate security and privacy into product and operations lifecycles, maintain clear documentation, and align practices with applicable regulatory expectations. Doing so will not only mitigate regulatory risk but also fortify trust with patients, partners, and the public as digital health and AI capabilities continue to advance. 

[i] Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996).

[ii] U.S. Food and Drug Administration, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, Guidance for Food and Drug Administration and Staff (June 27, 2025).

[iii] See 21 C.F.R. Part 820.

[iv] U.S. Food and Drug Administration, Artificial Intelligence-Enabled Device Software Functions: Lifecycle Management and Marketing Submission Recommendations, Guidance for Food and Drug Administration and Staff (January 7, 2025).

[vi] New York Health Information Privacy Act (S929) was delivered to Governor Kathy Hochul on December 8, 2025. Gov. Hochul technically has 10 days, minus Sundays, to act on legislation delivered to her by the Legislature; otherwise, it automatically becomes law. The effective date is one year after it shall have become law.

[vii] U.S. Food and Drug Administration, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, Guidance for Food and Drug Administration and Staff (June 27, 2025) ("For cyber devices, failure to comply with any requirement under section 524B(b)(2) (relating to ensuring device cybersecurity) is considered a prohibited act under section 301(q) of the FD&C Act.").

[viii] U.S. ex rel. Erica A. Lenore v. Illumina, Inc., 1:23-cv-00372, (D.R.I. Sept. 8, 2023), Compl., 70, 72.

[xi] IAPP, US State Comprehensive Privacy Laws Report, p. 31 (2025). See also Texas Attorney General, Biometric Identifier Act.

[xii] Electronic Privacy Information Center, State Attorneys General & Privacy: Enforcement Trends, 2020-2024 (Oct. 2025). 

[xv] Complaint, In re 23andMe Holding Co., No. 25-40976-357 (Bankr. E.D. Mo. 2025). 

[xvi] IBM, Cost of a Data Breach Report: The AI Oversight Gap, p. 13 (2025). 

This article appears in Innovative Insights: Legal Updates in Life Sciences | Fourth Quarter 2025.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.