
O’Neil defends action on ‘distressing’ Medibank leak

Medibank cyber attack worse than first thought

Home Affairs Minister Clare O’Neil has defended the response to the “distressing” Medibank data breach, after the company revealed on Tuesday that it goes much wider than initially feared.

Medibank, Australia’s largest private medical insurer, will contact current and former customers who might have had their private information stolen after revealing on Tuesday the leak was far bigger than previously believed.

The health insurer said the hack had taken a “distressing” turn with the receipt of a series of extra files from the hacker or hackers.

They included files containing Medibank customer data as well as 1000 policy records from offshoot Ahm that included personal and health claims information.

The newly released information is in addition to details from international student customers and Ahm that were revealed to be exposed last week.

“This is a distressing development and Medibank unreservedly apologises to our customers,” the company said in a statement.

The Medibank hack is the second high-profile data breach in Australia in just weeks, after Optus revealed its own massive leak in September.

Ms O’Neil, who also described the latest developments as “very distressing”, said she had been in contact with the insurer and security agencies since the leak emerged a fortnight ago.

“The Australian government recognises that this incident is very stressful for affected Australians,” she said.

“The toughest and smartest people in the Australian government are working directly with Medibank to try to ensure that this horrendous criminal act does not turn into what could be irreparable harm to some Australian citizens.”

Ms O’Neil said she had been “in constant contact” with Medibank chief executive David Koczkar and the heads of the Australian Signals Directorate and the Australian Federal Police since she learned of the leak.

“Medibank is cooperating with government in responding to this incident,” she said.

Her statement came after opposition cyber security spokesman James Paterson accused the government of a “slow and confused response” on Optus.

“It is concerning that it took the Cyber Security Minister Clare O’Neil a week to publicly respond to the Medibank hack,” he said.

“Ms O’Neil should explain why she accepted the company’s initial denial this was serious, delaying government engagement by a week.”

Senator Paterson said “the worst fears of customers have now been realised”.

“Medibank victims have every right to know what steps the Albanese government took, and when,” he said.

Medibank said it was too soon to know the full extent of the customer data that had been stolen but the breach was wider than previously thought.

The company, which has about four million customers, expects the number of people affected will continue to grow.

It warned customers to be on alert for any suspicious messages received via email, text or phone call in the wake of the hack.

Mr Koczkar reiterated his apologies to the victims.

“As we continue to uncover the breadth and gravity of this crime, we recognise that these developments will be distressing for our customers, our people and the community – as it is to me,” he said.

“This is a malicious attack that has been committed by criminals with a view of causing maximum fear and damage, especially to the most vulnerable members of our community.”

Mr Koczkar said his organisation continued to work with federal government agencies to investigate the data breach.

The Australian Federal Police has launched a criminal probe into the hack.

Last week, Medibank said the alleged hackers claimed to have stolen 200 gigabytes of data, including people’s medical history, where medical services were received and codes relating to their diagnosis and procedures.

Medibank said on Tuesday that the alleged hackers had so far sent it:

  • A copy of a file containing 100 ahm policy records – including personal and health claims data
  • A file of a further 1000 ahm policy records – including personal and health claims data
  • Files containing some Medibank and additional ahm and international student customer data.

Ms O’Neil said the hackers were holding the information hostage while trying to negotiate with Medibank.

The government is set to introduce legislation to parliament this week that massively increases penalties for companies that don’t properly protect sensitive data.

Fines will rise to whichever is greater of $50 million, 30 per cent of the company’s turnover in the relevant period or three times the value of any benefit gained from the stolen data.

The laws would also boost the Australian Information Commissioner’s powers to resolve breaches and increase information sharing with the Australian Communications and Media Authority.

-with AAP

Copyright © 2025 The New Daily.
All rights reserved.