And the health insurer – Australia’s biggest with more than 27 per cent of the market – may never know the extent of the theft, with the fallout potentially lasting years, cybersecurity experts warn.

“Our investigation continues with a focus on determining the specific impact for customers past and present,” Mr Koczkar told customers in a letter sent on Friday. “We have started contacting customers whose data we know has been stolen. If we find your data has been stolen, we will notify you by email as soon as possible. We will also provide you with specific advice and support.”

About $2bn has been wiped off Medibank’s market cap since its emerged from a seven-day suspension on Wednesday. It shares sank a further 2.8 per cent to $2.79 on Friday, extending losses to 20.5 per cent. When it disclosed the attack two weeks ago, Medibank said that it had not found any evidence that data had been stolen. It has now confirmed its 3.9 million policyholders have been exposed along with potentially millions of former customers.

Even the South Australian government has been exposed after Medibank revealed late on Thursday that the hackers had accessed its My Home Hospital system, which it runs in partnership with Calvary on behalf of Wellbeing SA.

While it may appear the release of information relating to the Medibank hack has been a steady drip rather than a gush - the health insurer’s response has been swifter than other cyber attack victims.

ASX-listed pathology group Australian Clinical Labs waited almost 10 months to disclose a cybersecurity breach, which affected 223,000 customers, with hackers accessing test records, Medicare numbers and credit card data.

“Given the highly complex and unstructured nature of the data-set being investigated, it has taken the forensic analysts and experts until now to determine the individuals and the nature of their information involved,” ACL said in explaining the lag between hack and public disclosure.

Trish Williams, a professor of digital health systems at Flinders University said unlike breaches at financial institutions, cyber attacks at the health companies “may go unnoticed for months or years” and Medibank may never know the extent of the theft.

“It is unfortunate that too often data breaches in healthcare are not detected immediately or the extent of the breach not easily identified,” she said.

“The purpose of illegally extracting data is entirely financial – either holding data for ransom or on-selling it for others to perform identity theft. While exploitation of financial data is more quickly identified by individuals, as well as the financial institutions who have advanced systems for detecting fraudulent activity in place, healthcare systems do not.

“The impact of this is difficult, if not impossible, to gauge because it only comes to light when a person’s data is used for a healthcare episode - if the change is clearly evident.”

Originally published as Medibank may never know the extent of its cyber theft, with fallout potentially lasting years