Names, dates of birth, addresses, passport numbers and information about medical claims were among the sensitive personal data that was released anonymously early Wednesday.
Medibank said more leaks were likely.
“The files appear to be a sample of the data we previously determined the offender had access to,” the company said in a statement to the Australian Securities Exchange.
“We expect the criminal to continue to release files on the dark web.”
Medibank has previously refused to pay a ransom to prevent hackers from leaking data, saying that could fuel more crime and would not guarantee the information is secure.
“Based on the extensive advice we have received from cybercrime experts, we believe there is only a limited opportunity to pay a ransom to ensure the return of our customers’ data and prevent its dissemination,” said David Koczkar, president of Medibank.
The leaked data was posted on a dark web forum that cannot be found using traditional web browsers.
“We will continue to partially disseminate data,” the alleged hackers on the forum said.
“Looking back, that data isn’t in a very understandable format; we’re going to take some time to sort it out.”
Justine Gough, the Australian Federal Police (AFP) assistant commissioner for cyber leadership, said the “criminal or criminal groups” responsible for the hack could operate outside Australia.
Australian Assistant Treasurer Stephen Jones said the hackers were “fraudulent”.
“We should not give in to these scammers,” he told Sky News Australia.
“The moment we fold, it sends a green light to scumbags like them all over the world that Australia is an easy target.”
The security breach has already wiped hundreds of millions of US dollars off Medibank’s market value, with the company’s stock price down more than 20 percent since October.