
‘Can’t trust a criminal’ – Medibank CEO David Koczkar says as company refuses to pay cyber attack ransom

The insurance giant’s boss has appealed to customers to stay loyal after he declared it would not pay any ransom for the data theft that affected nearly 10 million policyholders.


Medibank chief executive David Koczkar has appealed to customers to stay with the health insurer after he declared it would not pay any ransom for the data theft that affected nearly 10 million of its current and former policyholders.

The company’s customers face an anxious wait to learn if cyber criminals – who bought a high-level Medibank login from a Russian online crime forum – will act on their threat of publicly releasing their medical records and other sensitive information.

Mr Koczkar said he was “devastated” for the customers, saying they “deserve privacy”. But he said if Medibank caved to the demands of cyber criminals it would make Australia a softer target for repeat attacks.

“This is a significant decision for the business and we’ve had extensive expert advice and the reality of that advice is that there was a small chance that paying a ransom – you can call it extortion – that it was very unlikely they may return customer data,” Mr Koczkar told The Australian.

“In fact, you just can’t trust a criminal. It’s more likely that this will put more of our customers at risk through increased extortion and actually make Australia a bigger target. That’s consistent with the government policy on paying ransom, so that’s why we’ve made the decision we have to not pay a ransom.”

This hard-line stance – similar to the doctrine of not negotiating with terrorists – comes as the hackers have threatened to sell the stolen data unless Medibank pays a ransom, warning they would release the health records of 1000 high-profile customers, such as celebrities and bloggers, first.

This could potentially include information relating to sexual health, serious diagnoses such as cancer, whether a woman has undergone a pregnancy termination, or whether a person has been treated for a mental health condition or substance abuse.

Home Affairs Minister Clare O’Neil welcomed Medibank not paying the ransom, which was “consistent with Australian government advice”.

“I want Australia to be the most cyber-safe country in the world. The payment of ransoms directly undermines that goal,” she said.

“The Australian government, after a wasted decade for digital reform, is stepping up on cyber security and ransomware … we see and recognise the urgent need to address the conditions that have allowed the two largest cyber attacks in our history to occur within the space of two months.”

Medibank CEO David Koczkar said they will not pay the cyber ransom. Picture: Nicki Connolly/NCA NewsWire

Mr Koczkar said he was “very keen” for customers to stay at Medibank and not leave for another health insurer following the attack. He said customers could “rely on” Medibank going forward, but accepted that they will “make their own decision”.

“They can rely on us with timely updates on the facts that we know. We have provided communications to all current and former customers through the last four weeks. We continue to commit to being transparent.

“I unreservedly apologise to all customers and former customers. I’m devastated for our customers. Everyone has the right to privacy.”

Asked what customers should do if cyber criminals threaten them individually with extortion, Mr Koczkar urged them to report it immediately and recognised the release of personal information for people escaping domestic violence in particular.

“If you are being contacted by this criminal or other criminals, I would to report cyber through cyber.gov.au or if it’s in relation to Medibank, contact us via email or one of our hotlines. We are there to support you in every way we can.

“We’re doing what we can to support them through this really challenging time.

“We have strengthened the access controls around privileged access, we have strengthened our preventative security controls and we’ve also increased our monitoring of our systems. That’s what we’ve done today. And we continue to conduct a forensic investigation to understand how this happened and continue to further safeguard our systems.”

Medibank confirmed 5.8 million former customers have had their data exposed by the breach last month, in addition to all 3.9 million of its current customers.

Mr Koczkar said Medibank was unlikely to take some customer data out of online channels, and so out of the potential reach of hackers.

“Our customers want to be able to access health and wellbeing services in all channels. We need to allow them to have access to that through a variety of means and part of our commitment is to continue to learn to safeguard that data where customers want to access it.”

About 10 million Medibank past and present customers have been caught up in the breach. Picture: David Swift/NCA NewsWire

Mr Koczkar said cyber crime cost Australian businesses $30bn a year and a debate was needed about data retention laws.

The relevant laws include NSW’s Health Records and Information Privacy Act 2002, Victoria’s Health Records Act 2001 and the ACT’s Health Records (Privacy and Access) Act 1997.

“It's an important discussion for us as a community to have. We're required by law to keep data of our customers and also customers who've left us for seven years, in some cases for longer.

“I think we need to focus right now on talking to our customers and safeguarding them and supporting them given this crime event, and then learning from it both for what Medibank needs to do but also sharing those learnings for other companies and other players in the Australian market.

“Cybercrime is an ever-present risk. It's an increasing risk, it costs $30bn a year to the economy. And I hope that we can come together as an industry, as a community, and take the necessary steps we can to safeguard our citizens.”

A spokesman for Attorney-General Mark Dreyfus said privacy laws were being reviewed and the commonwealth was consulting with state and territory governments.

“The review of the Privacy Act 1988 is considering issues relating to the amount of personal information entities are collecting and how they are storing it, as well as the impact of existing legislation that requires personal information to be retained,” the spokesman said.

Mr Koczkar said investigations into the incident showed the criminal accessed the name, date of birth, address, phone number and email address for around 9.7 million current and former customers and some of their authorised representatives.

The criminal also accessed health claims data for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers. This includes service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered.

Some 5,200 My Home Hospital (MHH) patients also had some personal and health claims data accessed and around 2,900 next of kin of these patients have had some contact details accessed.

Primary identity documents, such as drivers’ licences, for Medibank and ahm resident customers were not accessed, but Medicare numbers (but not expiry dates) for ahm customers were caught up in the breach as were passport numbers (but not expiry dates) and visa details for international student customers.

Health claims data for extras services (such as dental, physio, optical and psychology) were not accessed, nor were credit card and banking details, the company said.

As The Australian previously reported, the criminal behind the Medibank data hack bought login credentials from an online Russian criminal forum to gain access to the network and carried out extensive reconnaissance before collecting the data, a phase experts estimate would have lasted months.

“Medibank will also commission an external review to ensure that we learn from this event and continue to strengthen our ability to safeguard our customers.”

Medibank shares firmed 0.4 per cent to $2.83 on Monday after falling 20 per cent during the past month.


Original URL: https://www.theaustralian.com.au/business/technology/medibank-will-not-pay-cyber-ransom/news-story/b545c92063942f0e8e5a19b8d4caa871