Medibank executives defend handling of hack at insurer’s AGM
A top Medibank executive has defended the insurer’s handling of a massive hack which exposed Aussies’ sensitive health data.
A top Medibank executive has defended the company’s decision not to pay a ransom to Russian hackers who exposed customers’ sensitive health information on the dark web.
The board of Australia’s largest private health insurer faced frustration from shareholders at its annual general meeting on Wednesday, a month after hackers stole about 9.7 million current and former customers’ data.
Medibank chair Mike Wilkins defended the company’s handling of the massive cyber attack, telling the meeting in Melbourne it was “unprecedented”.
“From the outset, Medibank has been committed to doing the right thing by our customers, our people and the community in relation to this cybercrime,” he said.
“This includes our decision not to pay any ransom demand for this data theft.
“Based on extensive advice from cybercrime experts, we formed the view that there was a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published.”
Most of the Medibank customers who were affected by the cyber attack had their basic personal information stolen, including their names, addresses and phone numbers.
However, 480,000 of these customers also had health claims they had made with the insurer stolen.
The hackers have published sensitive data on the dark web, including information about people’s mental health status, drug and alcohol use, and abortions.
Mr Wilkins “unreservedly apologised” to every person affected by the “despicable” crime.
He insisted Medibank had been “transparent” in communicating about the hack with customers.
Medibank chief executive officer David Koczkar told shareholders Medibank was in the process of directly contacting customers whose health data had been compromised or exposed.
Mr Koczkar said the insurer had always taken its IT security “very, very seriously”.
“We believe that our processes were robust, although clearly not robust enough in this circumstance. And we will seek to learn from that once we have completed this review,” he said.
Most of the questions put to the Medibank board by shareholders were about the cyber attack and how it had been able to happen.
The Australian Federal Police have identified cyber criminals in Russia as the perpetrators.
AFP Commissioner Reece Kershaw said last week the AFP would attempt to speak to Russian law enforcement about the ransomware group, as he called on authorities in Moscow to co-operate with the investigation.
Mr Kershaw said the AFP knew the identities of the individuals involved, but he would not name them when he spoke to reporters in Canberra last Friday.