Hackers behind the Medibank cyber attack have released more sensitive customer data, this time relating to mental health treatment.

The file was posted on the dark web on Monday, where the hackers have previously published data from Australia’s largest private health insurer.

It includes 500 records for people who have had diagnoses of mental illness, among other medical conditions.

The Russian criminals said they don’t plan to post more information until Friday, and will be watching Wednesday’s Medibank shareholder meeting closely.

“There is some more records for everybody to know,” they wrote in an update.

“We’ll announce, that next portion of data we’ll publish at Friday, bypassing this week completely in a hope something meaningful happened on Wednesday.”

Medibank chief executive David Koczkar apologised for the release of the sensitive information.

“We will continue to support all people who have been impacted by this crime through our Cyber Response Support Program,” he said.

“This includes mental health and wellbeing support, identity protection and financial hardship measures.”

A number of health and community organisations have called on major social media outlets to pull down posts that share the sensitive information.

Meanwhile, Medibank could face legal action over the data breach.

Law firm Maurice Blackburn confirmed it was reviewing whether customers affected by the hack could be entitled to compensation.

The firm’s principal lawyer Andrew Watson said the breach of data was one of the most serious seen in Australia.

“Companies that hold their customers’ sensitive health information have an important obligation to make sure that information is safeguarded, commensurate with the sensitivity of that data,” he said.

“Medibank have a heightened responsibility to put in place greater safeguards to secure the personal and health claim information it collected from its customers.”

Data including names, phones numbers, Medicare numbers and sensitive health information was taken by the hackers during the breach.

As the government looks for solutions to improve cyber security laws, Home Affairs Minister Clare O’Neil has flagged it could soon be illegal for companies to pay ransom demands to hackers should they be subject to a data breach.

“The way we’re thinking about the reform task … is a bunch of quick wins, things that we can do fast, and the standing up for the new police operation is one of those,” Ms O’Neil told the ABC’s Insiders on Sunday.

Federal police confirmed last week Russian hackers were behind the attack.

A 100 officer-strong, standing cybercrime operation targeting hackers will be led by the AFP and Australian Signals Directorate.

“We are offensively going to find these people, hunt them down and debilitate them before they can attack our country,” Ms O’Neil said.

– with AAP