Medibank won’t release report into cyber attack

The insurance giant has implemented recommendations from a Deloitte report into the cyber attack that affected millions of its customers, but says it won’t be releasing the report, citing security risks.

The company told investors on Friday that it had been provided with Deloitte’s findings from a review into the cybercrime incident. Picture: NCA NewsWire / Christian Gilles

Australia’s largest health insurer Medibank has implemented recommendations from a Deloitte report into the cyber attack that affected millions of its customers, but says it won’t be releasing the report, citing security risks.

Russian hackers accessed the health records and other personal information of almost 10 million current and former Medibank customers. After the company refused to pay a $15m ransom, the hackers published customer claim data for sensitive conditions – including abortions, drug and alcohol abuse and mental health disorders – on the dark web.

The company told investors on Friday that it had been provided with Deloitte’s findings from a review into the cybercrime incident.

“Deloitte has made recommendations to enhance Medibank’s IT processes and systems,” it said.

“A number of recommendations have already been implemented, and Medibank intends to implement all recommendations not already undertaken, along with other enhancements previously planned by Medibank.”

A spokeswoman told The Australian that Medibank wouldn’t be detailing the findings or releasing the report. She said the review includes confidential and sensitive information about the cyber security measures that Medibank has in place to protect customers and other data from malicious cyber-attacks.

Medibank CEO David Koczkar, Docklands, Melbourne. Picture: NCA NewsWire / Nicki Connolly

“We don’t think it is in the interests of our customers or the broader Australian community to publicly release their findings given the security risks this would pose, not only to Medibank but other Australian businesses,” the spokeswoman said.

Medibank chair Mike Wilkins said the incident was a ‘deliberate and malicious attack’ that remains the subject of a criminal investigation.

“Medibank has completed a range of enhancements to meet this expectation and the board will continue to oversee the completion of steps to implement the recommendations to enhance systems and processes even further,” he said.

“From the beginning of this cybercrime, Medibank has continued to prioritise and support the needs and health of our customers and to ensure the earliest possible resumption of normal business operations.”

Analysts have estimated the clean-up bill – which includes customer lawsuits – could cost Medibank as much as $150m.

The company is facing a class-action lawsuit from customers, who filed in the Federal Court of Australia in February.

Medibank has said it will defend the proceedings.

Optus is also waiting on an external Deloitte report into its own hack, which also took place late last year and affected some 10 million Optus customers. Optus has not said whether the report, which is due in late May, would be made public.

It comes amid ongoing work on the federal government’s upcoming new cyber security strategy, which has a stated goal of making Australia the most cyber secure nation by 2030.

Work on the new strategy, which is set to be released by the end of the year, is being led by former Telstra chief executive Andy Penn, with support from RAAF Air Marshal Mel Hupfeld and Rachel Falk of the Cyber Security Co-operative Research Centre.

Medibank refused to pay the hacker’s cyber ransom and a key consideration of the upcoming strategy will be whether to ban the payment of cyber ransoms. Finance provider Latitude this month also rejected a ransom demand from criminals behind what has now become the nation’s biggest cyber attack.

As The Australian reported earlier this week, power giant AGL Energy has warned against such a ban, declaring that it may result in potential loss of life and “catastrophic damage”.

In its submission to the government’s 2030 cyber strategy, AGL said banning paying ransoms “may result in potentially avoidable catastrophic damage, harm to community, loss of life, disruption of essential services or disclosure of sensitive information”.

Shares in Medibank last traded at $3.55.

Original URL: https://www.heraldsun.com.au/business/medibank-wont-release-report-into-cyber-attack/news-story/ed7e28b7e3242a735e776fcb44b21d82