I think insurance companies aren't above doing anything illegal, especially if it can not insure you/drive you away with a high quote if it saves them many years and millions and millions of dollars covering someone's care for Huntington's or chemo for breast cancer or some other terrible disease for which someone is genetically predisposed.
The punishment for violations of the Genetic Information Nondiscrimination Act can be up to a million dollars in fines and some jail time. It is exceedingly rare for corporate officers to go to jail for acts of corporations, so likely violations would simply be fines. Cancer is expensive to cover (less so for insurance companies working with hospitals, much more for you and me), and the fines are relatively small, with the chance of jail time exceedingly small. I am unaware of anyone who has been prosecuted under this Act at all. I did a cursory search and didn't see anything.
The foregoing leads me to believe that, like many crimes that have low rates of prosecution and relatively small fines, it would probably make sense for a corporate board (or series of employees acting under mutual light peer pressure) to use DNA information as an input into their actuarial tables.
Additionally, it would be difficult to spot clusters of people who are otherwise healthy with high insurance quotes. Even if you had the actual insurance quotes, getting people's medical information, especially in bulk, is extremely difficult because the aggregators of such information are typically bound by HIPAA.
All that to say, I think this is an extremely reasonable concern and I would be shocked if companies didn't already use DNA information in some form, even if that form is as some input to a machine learning model, but I'll demur on that subject because I know little about it.
There are a couple problems with this line of thinking. First, a lack of known cases doesn't mean that this is necessarily hard to detect or that it isn't being prosecuted. It might also simply not be happening. That seems to be the most likely scenario given how hard it currently would be to secretly acquire and use this genetic data.
Also you don't need to have a massive amount of HIPAA protected data to be publicly available for someone to notice. There are plenty of independent insurance brokers who serve as middlemen between consumers and the insurance companies. These people have access to all the medicals and usually end up having a decent understanding of how that translates into insurance rates. A drastic change in how insurance companies rate risk would be quickly noticed by these brokers. Right now if a broker receives a particularly bad rate from a specific insurer due to a quirk of their actuarial numbers, they will often turn around and apply to a competitor. That means any single insurer using this information wouldn't necessarily do that much damage to end consumers. It also means that any single insurer who did this would quickly get a reputation for providing rates that look unexplainable on the surface and it won't be long before people start asking why. Once again, I just don't think this is a realistic scenario.
If the data is managed by a company that isn't in the healthcare industry, HIPAA doesn't apply. An insurance company, even a health insurance company, can purchase non-healthcare data from an analytics company.
It wasn't HIPAA-protected when it was on MyHeritage, and it won't be healthcare data when it's eventually leaked and resold.
If you don't think legitimate companies are interested in buying that data, look around at the market for our password breach and identity theft data. There's a brisk, legal trade.
I read about a "threat intelligence" company on here the other day who got hacked for all their breach data. Not all of it is super public, and none of the public dumps are in a tidy package where you can associate users in one breach with users in another breach. Sorry I couldn't find the name of the company.
But there are more than a handful of "threat intelligence" or OSINT providers. I'll let you Google it for yourself.