In a chilling message posted on the dark web overnight, the ransomware group also claimed it had released sensitive details of customers’ medical procedures.

“Added one more file abortions.csv …,” the post said.

“Society ask us about ransom, it’s a 10 millions usd. We can make discount 9.7m 1$=1 customer.”

The group began releasing Medibank data on the dark web in the early hours of Wednesday morning under “good-list” and “naughty-list”.

The first wave included names, birthdates, addresses, email addresses, phone numbers, health claims information, Medicare numbers for Medibank’s ahm customers and passport numbers for international student clients.

“The files appear to be a sample of the data that we earlier determined was accessed by the criminal,” Medibank confirmed on Wednesday.

Medibank had warned more customer data would be uploaded to the dark web, which is what appears to have happened in the early hours of Thursday.

Medibank revealed earlier this week it had rejected hacker demands it pay a ransom in return for the data not being released.

People whose highly sensitive health information was stolen and posted on the dark web will get the support they need, Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“These acts are abhorrent. To post Australians’ sensitive health information on the dark web is very concerning,” she told Nine’s Today Show on Thursday.

“Right now, we need to support affected individuals.”

Medibank has set up links to mental health services on its website.

Asked what people should do if they were contacted by someone claiming to have that information, federal minister Annika Wells reiterated the government’s advice was not to pay ransoms and make a police report.

“You do not pay the ransom,” she told Nine.

“You’re making the assumption that that is true and what we’re saying is that may not necessarily be the case – plenty of scumbags out there are going to try and make the most of this situation.”

Opposition cybersecurity spokesman James Paterson said there was no doubt affected Medibank customers will be very distressed.

“Unfortunately … this is the worst-case scenario,” he told ABC Radio, adding that companies need to take hacking threats seriously.

“If after Optus and Medibank they’re not taking it seriously, they need their heads read.”

Australian Federal Police are ramping up efforts to catch those behind the huge data breach and are co-ordinating with state and territory police to support people at risk of identity fraud.

Operation Guardian, which was set up to tackle the recent Optus hack, is being expanded to investigate the Medibank data theft.

“If members of the community feel they are at imminent risk they should contact triple zero immediately,” AFP Assistant Commissioner Cyber Command Justine Gough said.

Medibank has confirmed details of almost 500,000 health claims have been stolen, along with personal information, after the unnamed group hacked into its system weeks ago.

No credit card or banking details were accessed.