Medibank warns the criminal could also try to contact customers directly.

The Australian Cyber Security Centre and the Australian Federal Police are working with Medibank on the matter, with police aiming to stop the sharing and sale of personal data.

“Customers should remain vigilant. We knew the publication of data online by the criminal could be a possibility, but the criminal’s threat is still a distressing development for our customers,” Medibank chief executive David Koczkar said.

“We unreservedly apologise to our customers. We take seriously our responsibility to safeguard our customers and support them.

“The weaponisation of their private information is malicious, and it is an attack on the most vulnerable members of our community.”

Mr Koczkar said Medibank had contacted all customers via email, letter or phone to update them about the cybercrime.

Anyone who is contacted by someone who claims to have their data can report it at ReportCyber on the Australian Cyber Security Centre website.

The personal details of about 9.7 million current and former customers were accessed in a massive cyber attack last month.

Among the data were names, addresses, dates of birth, email addresses and phone numbers.

Some customers also had private health data accessed, including types of medical treatments they had claimed.

Mr Koczkar said on Monday no ransom would be paid to the thief.

“Based on the extensive advice we have received from cybercrime experts, we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” he said.

“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.”