The Medibank hackers claim they demanded a $US9.7 million ransom not to release stolen customer information, as the health insurer blasted their latest data dump as a "malicious" attack on vulnerable Australians.
In a chilling message posted on the dark web overnight, the ransomware group released sensitive details of customers' medical procedures and said it had demanded $US1 ($A1.60) for each of Medibank's 9.7 million customers.
"Added one more file [name removed]," the post said.
"Society ask us about ransom, it's a 10 millions usd. We can make discount 9.7m 1$=1 customer."
The group began releasing Medibank data on the dark web in the early hours of Wednesday morning under files named "good-list" and "naughty-list".
The first wave included names, birthdates, addresses, email addresses, phone numbers, health claims information, Medicare numbers for Medibank's ahm customers and passport numbers for international student clients.
"The weaponisation of people's private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community," Medibank CEO David Koczkar said in a statement on Thursday.
"The release of this stolen data on the dark web is disgraceful ... these are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care.
"People whose highly sensitive health information was stolen and posted on the dark web will get the support they need," Australian Information Commissioner and Privacy Commissioner Angelene Falk said.
"These acts are abhorrent. To post Australians' sensitive health information on the dark web is very concerning," she told Nine's Today Show on Thursday.
"Right now, we need to support affected individuals."
Medibank has set up links to mental health services on its website.
Asked what people should do if they were contacted by someone claiming to have that information, federal minister Annika Wells reiterated the government's advice was not to pay ransoms and make a police report.
"You do not pay the ransom," she told Nine.
"You're making the assumption that that is true and what we're saying is that may not necessarily be the case - plenty of scumbags out there are going to try and make the most of this situation."
Opposition cybersecurity spokesman James Paterson said there was no doubt affected Medibank customers will be very distressed.
"Unfortunately ... this is the worst-case scenario," he told ABC Radio, adding that companies need to take hacking threats seriously.
"If after Optus and Medibank they're not taking it seriously, they need their heads read."
Australian Federal Police are ramping up efforts to catch those behind the huge data breach and are co-ordinating with state and territory police to support people at risk of identity fraud.
Operation Guardian, which was set up to tackle the recent Optus hack, is being expanded to investigate the Medibank data theft.
"If members of the community feel they are at imminent risk they should contact triple zero immediately," AFP Assistant Commissioner Cyber Command Justine Gough said.
Medibank has confirmed details of almost 500,000 health claims have been stolen, along with personal information, after the unnamed group hacked into its system weeks ago.
No credit card or banking details were accessed.
© AAP 2022