Medibank has confirmed that the criminals responsible for stealing customer data have released some of that information on a dark web forum.
The company said the information posted overnight appeared to be a sample of the data that it earlier determined was accessed by the hacker.
The release included names, addresses, dates of birth, phone numbers, email addresses, Medicare numbers for customers of Medibank budget brand ahm (but not expiry dates), in some cases passport numbers for international student customers (but not expiry dates), and some health claims data.
The company also warned that: "We expect the criminal to continue to release files on the dark web."
The Australian Federal Police (AFP) said officers had stepped up monitoring efforts through Operation Guardian to try to protect Medibank customers whose data has been released.
AFP Cyber Command Assistant Commissioner Justine Gough said officers in her team were scouring the internet, dark and deep web for the sale or distribution of leaked data from Medibank or Optus customers.
"To the customers impacted by this latest breach, please do not be embarrassed to contact police through ReportCyber if a person contacts you online, by phone or by SMS threatening to release your data unless payment is made," she said in a statement.
"Blackmail is an offence and those who misuse stolen personal information for financial gain face a penalty of up to 10 years' imprisonment."
Ms Gough also warned that simply downloading or accessing stolen data may be a criminal offence, even if the data was not used for other criminal purposes.
"As a force multiplier, we use the powers and authorities of all of our agencies to disrupt the sale and distribution of the unlawfully-obtained data," she added.
'Good-list' and 'naughty-list'
The Medibank client data was released in the early hours of this morning, after a midnight deadline passed for Australia's largest health insurer to pay a ransom.
Hundreds of names, addresses, birthdates and Medicare details were allegedly being posted under "good-list" and "naughty-list" on a blog belonging to the hacking group.
The hackers had demanded a ransom to stop the release of the data, but Medibank earlier this week said it would not pay it because it would encourage further crime.
"Looking back that data is stored not very understandable format (table dumps) we'll take some time to sort it out," the hackers said in the early hours of Wednesday.
"We'll continue posting data partially, need some time to do it pretty."
The hackers also appeared to have revealed screenshots of private messages recently exchanged between themselves and Medibank representatives.
Medibank has previously confirmed almost 500,000 health claims were stolen, along with personal information, when the unnamed group hacked into its system weeks ago.
Some 9.7 million current and former customers have been affected.
Medibank has repeatedly said no credit card or banking details were accessed.
On Wednesday morning Medibank chief executive David Koczkar again apologised to the company's customers for the breach of personal and private information.
"We unreservedly apologise to our customers," he said in the statement confirming that hacked data had been published.
"This is a criminal act designed to harm our customers and cause distress.
"We take seriously our responsibility to safeguard our customers and we stand ready to support them."
Customers urged 'to be on high alert'
Medibank has again advised customers to be alert for any phishing scams via phone, post or email, and to report them immediately to the Australian Cyber Security Centre website or via ScamWatch.
The company has also directed concerned customers to its contact centres: 13 23 31 for Medibank and international customers; 13 42 46 for ahm customers; and 1800 081 245 for My Home Hospital patients.
Home Affairs Minister Clare O'Neil said Medibank's decision not to pay a ransom to cyber criminals was "consistent with government advice".
"Cyber criminals cheat, lie and steal," she said.
"We urge people who may be affected to be on high alert for attempts by cyber criminals to extort individuals over their personal information.
"Do not assume that anyone who contacts you has access to your data, or that paying a ransom will protect your data privacy
"Cyber criminals commit to undertaking actions in return for payment, but so often re-victimise companies and individuals.
"The Australian government is working closely with Medibank Private to provide all the support possible to help resolve this situation and assist those customers who may have been affected.
"Medibank Private is receiving ongoing technical advice and assistance from Australian Government agencies, including the Australian Signals Directorate."
At a Senate estimates hearing on Tuesday, Australian Federal Police commissioner Reece Kershaw told businesses to make sure they contact authorities as early as possible if they suspect a possible data breach.
With the FBI now helping the AFP track down those behind the Medibank and Optus data breaches, Mr Kershaw said investigating would be long and complex.
"The longer it takes relevant agencies to be informed, the harder it is for perpetrators to be identified, disrupted or brought to justice," he told senators.
ABC/AAP
