Medibank vows it won’t pay any ransom to hackers

Medibank won’t pay any ransom to the hacker that stole all its customer data, after revealing almost 500,000 health claims have been accessed.

Nov 07, 2022, updated Nov 07, 2022
Medibank chief Craig Drummond wants governments to do more about prevention. (AAP Image/Mal Fairclough)

Australia’s largest health insurer says the names, dates of birth, addresses, phone numbers and email addresses of its 9.7 million former and current customers have been accessed, along with the Medicare and passport numbers of some customers.

But Medibank chief executive David Koczkar said the hacker probably wouldn’t give the data back even if the insurer paid a ransom fee, and paying up could instead give other criminals an incentive to do the same thing.

“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” he said.

“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.”

The hacker accessed health claims of around 160,000 Medibank customers, around 300,000 claims from offshoot ahm customers and around 20,000 international customers.

No credit card or banking details were accessed.

The insurer, which continues working with the federal government and other agencies, has also launched an external review into the incident.

“We take seriously our responsibility to safeguard our customers … the weaponisation of their private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community,” Koczkar said.

“We will continue to support all people who have been impacted by this crime through our Cyber Response Support Program. This includes mental health and wellbeing support, identity protection and financial hardship measures.”

Opposition home affairs spokeswoman Karen Andrews said the data breaches of Medibank customers, along with similar breaches at Optus, had demonstrated the government had dropped the ball on cyber security measures.

Andrews urged the government to support a coalition proposal, which would introduce a standalone offence for cyber extortion.

Under the proposal, those who use ransomware would face a maximum of 10 years in prison, while those targeting critical infrastructure could be sentenced to 25 years behind bars.

“We don’t pretend that this bill is a silver bullet, because no such thing exists, but it will present a new deterrent to these cyber criminals, and it is an important part of safeguarding Australia,” she told parliament on Monday.

“The silence from the government has been deafening on these breaches.”

The government introduced new laws last month that would increase fines for companies that were involved in data breaches, with the maximum fine raised from $2.2 million to at least $50 million.

Labor MP Louise Miller-Frost said the government was taking the threats from cyber attacks seriously.

“The breaches have had an impact on (people’s) sense of personal security and on their ability to have confidence in the digital systems that we increasingly use to run and coordinate our lives,” she told parliament.

“Even if there is no financial loss, these data breaches cause major disruption and can be extremely unsettling.”
