
There are a couple problems with this line of thinking. First, a lack of known cases doesn't mean that this is necessarily hard to detect or that it isn't being prosecuted. It might also simply not be happening. That seems to be the most likely scenario given how hard it currently would be to secretly acquire and use this genetic data.

Also you don't need to have a massive amount of HIPAA protected data to be publicly available for someone to notice. There are plenty of independent insurance brokers who serve as middlemen between consumers and the insurance companies. These people have access to all the medicals and usually end up having a decent understanding of how that translates into insurance rates. A drastic change in how insurance companies rate risk would be quickly noticed by these brokers. Right now if a broker receives a particularly bad rate from a specific insurer due to a quirk of their actuarial numbers, they will often turn around and apply to a competitor. That means any single insurer using this information wouldn't necessarily do that much damage to end consumers. It also means that any single insurer who did this would quickly get a reputation for providing rates that look unexplainable on the surface and it won't be long before people start asking why. Once again, I just don't think this is a realistic scenario.



If the data is managed by a company that isn't in the healthcare industry, HIPAA doesn't apply. An insurance company, even a health insurance company, can purchase non-healthcare data from an analytics company.

It wasn't HIPAA protected when it was on MyHeritage, and it won't be healthcare data when it's eventually leaked and resold.

If you don't think legitimate companies are interested in buying that data, look around at the market for our password breach and identity theft data. There's a brisk, legal trade.


I never mentioned HIPAA in the context you are implying. I was simply saying it won't protect the malicious actors from being discovered.

> look around at the market for our password breach and identity theft data. There's a brisk, legal trade.

If it is so easy to acquire this data legally, do you want to point to a business from which one can legally purchase "identity theft data"?


I read about a "threat intelligence" company on here the other day who got hacked for all their breach data. Not all of it is super public, and none of the public dumps are in a tidy package where you can associate users in one breach with users in another breach. Sorry I couldn't find the name of the company.

But there are more than a handful of "threat intelligence" or OSINT providers. I'll let you Google it for yourself.



