by nhance 824 days ago
I have been convinced for several years now that insurance companies are likely buying up personal data from many different sources. They seem to be ideal consumers because it'll lead to better outcomes when they can increase rates on those that identify as risky.
4 comments

This isn't a secret. Go read one of the world's largest data broker's annual report to investors, ctrl-f for "insurance": https://www.experianplc.com/content/dam/marketing/global/plc...
Absolutely. Annual financial reports by public companies are a gold mine for this stuff, as they are literally required to talk about it.

You can also get a sense of the scale of the problem by the reported revenue and growth rates (which they're always eager to highlight).

I knew a guy who worked in Finance. Whenever he would buy alcohol, or cannabis (legal where I lived) he would only pay cash. His concern was that, if his credit card usage data were sold, it could increase his premiums.
That's why I buy my liquor at the gas station, on the same tx as the gas.
The credit card company could access subcategories of your purchase. It would make sense for them to do that to track you.
Itemized receipt data is not transmitted to the network or to the issuing bank.

Some merchants have multiple registers for the sale of different types of products, but generally if you receive only one receipt for your full purchase, it will be recorded under the category code for the merchant's primary business.

It can be, if the merchant wants it to be.

https://www.tidalcommerce.com/learn/what-is-level-3-data

On my American Express credit card statement, all the airline flights show the details of the flight and Staples.com transactions show the specific items that were purchased. And this has appeared for at least 6 to 8 years.

In Canada, at least, you have to go to specific stores that only sell either alcohol or cannabis. So just having a bill from there would be enough.
The whole point of an insurance business is to insure against unknown and unlikely risks.

If it is insuring known or likely risks, then it becomes a subsidy or wealth transfer (which should be the domain of governments).

> The whole point of an insurance business is to insure against unknown and unlikely risks.

Unknown to whom? To you, the insured? Or to them? Business thrives on customers with incomplete information.

It’s still unknown if someone engaging in risk will end up in costly collisions, or other events. Just because you engage in risk doesn’t mean it will bite you, only that it is more likely to bite you.

Besides why should less risky drivers subsidize riskier drivers?

If they have an ACTUAL measure of lower skilled and higher risk drivers, fine.

But when they use overly simplistic data (or use it in an oversimplified way) that makes the highest-skilled drivers appear in the same batch as low-skilled and high-risk drivers, that is not subsidy, it is unfair penalization by stupidity.

(see other comment on logging of g-forces)

"Besides why should less risky drivers subsidize riskier drivers?"

They essentially do. If the safe drivers are never at fault, those premiums went somewhere. If the risky, repeat-accident drivers aren't paying the full price of replacement vehicles, that money came from somewhere.

You are right, but what matters is disclosure.

Here is a car that sells your driving data. Here is one that won't.

If you knew they were selling your data you could objectively demand a discount from one of the 2.

This has been true for several years. An insurance agent once told me that there are life insurance companies dropping the requirement for blood draws / medical exams and are just buying prescription records to correlate with financial, educational, and other behavioral data.

Edit: changed prescription “data” to “records”

Wouldn’t this violate HIPAA?
Depends who is selling that data. Some pharmacy delivery services or billing services may not be covered by HIPAA, since they are not necessarily "covered entities".
Is this true?

My understanding of HIPAA (possibly incorrect) is that it's attached to the data.

If a covered provider is leaking HIPAA covered data to a non-covered business associate entity... that's a big no-no and a fine.

There are criteria for which organizations are covered by HIPAA’s privacy protections. It is not attached to the data wherever the data goes.
Yes, those are covered entities. Their subcontractors who touch HIPAA data are business associates.

See https://www.hhs.gov/hipaa/for-professionals/covered-entities... and https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-...

In my experience, covered entities are really serious about signing BAAs with any of their hosting vendors and partners, as afaik the liability falls on the covered entity if they didn't have an agreement in place and data leaked from a vendor/partner.

If you agree to the data being shared when signing up for insurance it wouldn’t be a violation.
Do you have any details on this?

I'm sure there are legal HIPAA data escape pathways (given the financial incentives for companies to find them), but I'm curious on the details.

Afaik, there's no way to make HIPAA-covered data non-HIPAA-covered, and absent that everyone in the custody chain is responsible for anywhere it eventually ends up.

That said, I expect the way this works in practice is more likely data that originates with non-HIPAA-covered entities, but can be massaged/combined into a similar product.

Not only that, don't insurers offer 'discounts' for installing tracking apps on your phones and devices?