Australia’s largest private medical insurer said the hack had taken a “distressing” turn after it received further files from the hackers.

They included files containing Medibank customer data as well as 1000 policy records from offshoot Ahm that had personal and health claims information.

The newly released information is in addition to details from international student customers and Ahm that were revealed to be exposed last week.

It’s the second high-profile hacking in weeks after Optus suffered a huge data breach last month.

Medibank said it was too soon to know the full extent of the customer data that had been stolen but the breach was wider than previously thought.

The company, which has about four million customers, expects the number of people affected will continue to grow.

It warned customers to be on alert for any suspicious messages via email, text or phone call.

Cyber Security Minister Clare O’Neil said she had been in constant contact with the health insurer and insisted her government had provided the necessary resources to tackle the breach.

“The latest advice from Medibank is deeply concerning … the government recognises that this incident is very stressful for affected Australians,” she said.

“The toughest and smartest people in the government are working directly with Medibank to try to ensure that this horrendous criminal act does not turn into what could be irreparable harm to some Australian citizens.”

O’Neil said Medibank was supported by the Australian Signals Directorate and the Home Affairs department, and the Australian Federal Police had launched a criminal probe into the hack.

Medibank chief executive David Koczkar reiterated his apologies to the victims.

“As we continue to uncover the breadth and gravity of this crime, we recognise that these developments will be distressing for our customers, our people and the community, as it is to me,” he said.

“This is a malicious attack that has been committed by criminals with a view of causing maximum fear and damage, especially to the most vulnerable members of our community.”

Last week, Medibank said the alleged hackers claimed to have stolen 200Gb of data, including people’s medical history, where medical services were received and codes relating to their diagnoses and procedures.

The hackers were holding the information hostage while trying to negotiate with Medibank.

The government is set to introduce new legislation to parliament this week that massively increases penalties for companies that don’t properly protect sensitive data.

Fines will rise to whichever is greater of $50 million, 30 per cent of the company’s turnover in the relevant period or three times the value of any benefit gained from the stolen data.

The laws would also boost the Australian Information Commissioner’s powers to resolve breaches and increase information sharing with the Australian Communications and Media Authority.