BlueCross BlueShield has now spent $18.5 million resolving a 2009 hard drive heist, though the thieves' motives in the unsolved data breach remain a mystery.

Crooks burgled 57 hard drives containing personal information on about 1 million customers, including audio and video recordings from customer service phone calls, according to the Chattanooga-based insurer.

A $1.5 million settlement with the U.S. Department of Health and Human Services is the latest blow in what could be the most expensive unsolved heist in Chattanooga history.

In addition to investigation and notification expenses, Tennessee's largest insurer has shelled out about $7 million to encrypt its remaining customer data, said spokeswoman Mary Danielson.

"The main push is for the peace of mind of our members. That's why we engaged in the additional expense of encryption," Danielson said.

Though the $18.5 million theft pales in comparison to a recent hacking attack against Sony Online Entertainment that analysts say will cost as much as $2 billion to fix, BlueCross BlueShield's estimate doesn't include the value of the data itself.

Info Security Magazine researchers found in 2011 that stolen, unverified PayPal data fetched a bulk rate of $50 per each 100 accounts, which could translate into a gain for the BlueCross BlueShield thieves of about $500,000.

But there is no evidence yet that any lost data actually has changed hands or been used by unscrupulous merchants, cautioned Danielson.

"To date, nothing has been used from the theft," Danielson said. "It's hard to know what their intended purpose was or if they knew what they were taking."