BlueCross BlueShield of Delaware is hoping to return an early Christmas gift by state insurance commissioner Matt Denn: a fine of $150,000.

Following a Dec. 24 hearing, Denn levied the fine, the maximum permitted under state law, against the Wilmington, Del.-based insurer for mistakenly disclosing the private medical information of 3,800 of its members.

Denn said his department is willing to consider reducing the fine if BlueCross can provide proof of measures in place to prevent the incident from occurring again before Feb. 1. If that occurs, it will be an issue for new commissioner Karen Weldin Stewart to decide. She is set to be sworn into office on Jan. 20, the same day Denn officially becomes Delaware’s lieutenant governor.

In a statement to IFAwebnews.com, BlueCross said it “gives the highest corporate priority to the protection of the information our customers entrust to us” and apologized for the “regrettable occurrence cause by a printer malfunction.”

The insurer said the issue was corrected and “existing procedures have been reinforced and enhanced to prevent a reoccurrence”

“We are currently reviewing the insurance commissioner’s opinion and will respond accordingly,” the statement said.

BlueCross sent about 3,800 “explanation of benefit” forms to members in November that featured their information on the front, but another member’s name, medical provider, description of service provided and their account number.

BlueCross said a printing error generated the incorrect forms and notified all of its members who were impacted, but Denn called for a hearing to discuss the matter and potential action against the insurer.

According to Denn’s opinion and order regarding the error, William Jones, BlueCross’ head of information technology services, said at the hearing that the erroneous mailing occurred because of a temporary print stoppage and that additional security precautions were in place to ensure that the forms are reviewed prior to mailing in the future.

No BlueCross members testified during the hearing on Christmas Eve morning.

In his opinion, Denn found that the insurer violated two state insurance regulations: one that prohibits disclosure of “any nonpublic personal financial information about a consumer” and another that requires insurers to have a system to safeguard customer information.

BlueCross’ attorney, Karen Kane, testified at the hearing that the company does have a comprehensive written information security program, but that she could not provide a copy that day. Kane said while the measure was in place, she did not believe it specifically addressed the print stoppage issue that resulted in the privacy breach.

“Disclosure of personal health information is a profoundly serious matter,” Denn wrote in his opinion on the matter. “My first priority is ensuring that no such disclosures ever happen again.”

Finding the insurer in violation of both regulations, Denn imposed the $150,000 fine, with the offer to reduce it if evidence of a security program is received by the department by Feb.1. He also noted that the insurer is specifically prohibited from incorporating the fine into any rate adjustment that it files with the department.