Medibank won't pay any hacker ransom

Medibank won't pay any ransom to the hacker that stole all its customer data, after revealing almost 500,000 health claims have been accessed.

Australia's largest health insurer says the names, dates of birth, addresses, phone numbers and email addresses of its 9.7 million former and current customers have been accessed, along with the Medicare and passport numbers of some customers.

But Medibank chief executive David Koczkar said the hacker probably wouldn't give the data back even if the company paid a ransom fee, and forking out could instead give other criminals an incentive to do the same thing.

"Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers' data and prevent it from being published," he said.

"In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm's way by making Australia a bigger target."

The hacker accessed health claims of about 160,000 Medibank customers, about 300,000 claims from offshoot ahm customers, and about 20,000 international customers.

No credit card or banking details were accessed.

The insurer, which continues working with the federal government and other agencies, has also launched an external review into the incident.

"We take seriously our responsibility to safeguard our customers ... the weaponisation of their private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community," Mr Koczkar said.

"We will continue to support all people who have been impacted by this crime through our Cyber Response Support Program. This includes mental health and wellbeing support, identity protection and financial hardship measures."

Home Affairs Minister Clare O'Neil said Medibank's decision not to pay a ransom to cyber criminals was in line with government advice.

"Cyber criminals cheat, lie and steal - paying them only fuels the ransomware business model," she said in a statement.

"They commit to undertaking actions in return for payment, but so often re-victimise companies and individuals.

"I want Australia to be the most cyber-safe country in the world. The payment of ransoms directly undermines that goal."

Opposition home affairs spokeswoman Karen Andrews said the data breaches of Medibank customers, along with similar breaches at Optus, demonstrated the government had dropped the ball on cyber security measures.

Ms Andrews urged the government to support a coalition proposal to introduce a standalone offence for cyber extortion.

Under the proposal, those who use ransomware would face a maximum of 10 years in prison, while those targeting critical infrastructure could be sentenced to 25 years behind bars.

The government introduced new laws last month that would increase fines for companies that were involved in data breaches, with the maximum fine raised from $2.2 million to at least $50 million.