Medibank says it has refused to pay a ransom for hacked data. 

The company says no ransom payment will be made to the criminal responsible for the recent data hack, who was able to access the name, date of birth, address, phone number and email address for about 9.7 million current and former customers and some of their authorised representatives. 

The number of potentially affected customers has more than doubled since the last update from the company.

The hack is now believed to have affected around 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers. 

Medibank says it believes that all of the customer data accessed could have been stolen.

“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” Medibank chief executive David Koczkar said in a statement.

“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.

“It is for these reasons we have decided we will not pay a ransom for this event.”

The company says the hackers did not access primary identity documents, such as drivers licences, for Medibank and ahm resident customers.

However, Medicare numbers (but not expiry dates) from ahm customers and passport numbers (but not expiry dates) and visa details from international student customers were accessed.