The disclosure of more information – following the release of two documents titled the “naughty” and “nice” lists on Wednesday – comes after the country’s largest health insurer ­refused to pay a ransom demanded by the hackers.

Medibank admitted on October 19 that hackers had stolen the information of 9.7 million customers and wished to negotiate a ransom. The Australian reported on Wednesday that the company had entered into lengthy discussions with the hackers, known as REvil, but later abandoned them.

One of the purported hackers – named for a villain from the Saw film franchise – in a message overnight on Wednesday said the group had asked for $US10m ($15.6m).

On Thursday, Medibank chief executive David Koczkar said the release of the information was “disgraceful”.

“We remain committed to fully and transparently communicating with customers and we will be contacting customers whose data has been released on the dark web,” Mr Koczkar said.

“The weaponisation of people’s private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community.

“These are real people behind this data and the misuse of their data is deplorable and may ­discourage them from seeking medical care.”

The new information contained a spreadsheet with the names and personal details of 303 patients and policyholders, along with the billing codes relating to terminations. Dozens of inter­national students have also had their email addresses, policy numbers and phone numbers leaked online in a separate file.

Virgin Australia also ­announced that some of its Frequent Flyer customers had been impacted.

“Medibank has just advised us that you are one of a small number of Velocity Frequent Flyer members who may have had your ­Velocity membership number ­accessed as part of this event,” the company wrote to customers on Thursday. “We are acting swiftly to protect your Velocity account from unauthorised activity and have locked your account as a precautionary measure, while we issue you with a new Velocity membership number. Keeping your account safe from unauthorised activity is our priority and we apologise for any inconvenience caused.”

On Wednesday, the Australian Federal Police said they would ­expand their investigation into an earlier data breach affecting Optus customers to the Medibank incident.

The AFP said in a statement it was “aware that distressing and very personal information has been released on the dark web” and had immediately taken measures, including “covert techniques”, to identify further criminal activity.

“This is not just an attack on an Australian business. Law enforcement agencies across the globe know this a crime type that is borderless and requires evidence and capabilities to be shared,” AFP assistant commissioner Justine Gough said.

“Blackmail is an offence and those who misuse stolen personal information for financial gain face a penalty of up to 10 years’ imprisonment.”

More Coverage

Hacker wanted $15m ransom from Medibank

David Swan

Originally published as Russian hackers post Medibank pregnancy terminations to dark web