The Medibank hack has worsened further, with the company warning some of its staff that their most sensitive data has been stolen.

In an email to employees late on Monday, the health insurer said information, including mobile and work device numbers was among that stolen by the hackers.

The theft was part of the same hack that involved the data of nearly 10 million of the company’s current and former customers, including private health information for about 500,000 people.

These details are being posted on a blog by the hackers, including the latest information posted on Monday. It included 500 records for people who have had diagnoses of mental illness, among other medical conditions.

The Russian criminals said they didn’t plan to post more information until Friday, saying they would be watching Wednesday’s Medibank shareholder meeting closely.

“There is some more records for everybody to know,” they wrote in an update.

“We’ll announce, that next portion of data we’ll publish at Friday, bypassing this week completely in a hope something meaningful happened on Wednesday.”

Medibank emailed its staff on Monday night to reveal data obtained by the hackers included information on about 900 current and former employees.

“Hi Everyone. We’re deeply sorry to inform you that some data relating to your work device for the time that you worked at Medibank has been stolen in the recent cybercrime event,” the email read.

“We recognise the distress that this may cause you and we apologise that this has happened.”

The staff information included names, email addresses, mobile phone numbers and work device details. It was posted on the dark web last week.

“Our security team have advised that the information above may be used for increased spam such as spear phishing and social engineering,” Medibank wrote.

Spear phishing is an email or electronic communications scam targeted towards a specific individual, organisation or business. Social engineering involves tricking people into giving up private information.

• Australia to hack back at Medibank data theft

Medibank chief executive David Koczkar apologised on Monday for the latest release of customers’ sensitive information.

“We will continue to support all people who have been impacted by this crime through our Cyber Response Support Program,” he said.

“This includes mental health and wellbeing support, identity protection and financial hardship measures.”

Several health and community organisations have called on major social media outlets to pull down posts that share the sensitive information.

Meanwhile, Medibank could face legal action over the data breach.

Law firm Maurice Blackburn confirmed it was reviewing whether customers affected by the hack could be entitled to compensation.

The firm’s principal lawyer Andrew Watson said the breach of data was one of the most serious seen in Australia.

“Companies that hold their customers’ sensitive health information have an important obligation to make sure that information is safeguarded, commensurate with the sensitivity of that data,” he said.

“Medibank have a heightened responsibility to put in place greater safeguards to secure the personal and health claim information it collected from its customers.”

As the government looks for solutions to improve cyber security laws, Home Affairs Minister Clare O’Neil has flagged it could soon be illegal for companies to pay ransom demands to hackers should they be subject to a data breach.

“The way we’re thinking about the reform task … is a bunch of quick wins, things that we can do fast, and the standing up of the new police operation is one of those,” Ms O’Neil told the ABC’s Insiders on Sunday.

Greens leader Adam Bandt said he welcomed the idea of banning ransoms from being paid but indicated other measures needed to be considered.

“We need a holistic review about whether too much data is being kept in the first place, because once you collect all of that data it will be a target for hackers,” he said in Melbourne.

“We need an overall review of whether corporations are keeping too much data in the first place as well as whether that data is being properly secured.”

Mr Bandt said the matter of whether Medibank customers should receive compensation following the hack should be considered.

“It will be much better to prevent these kinds of attacks from occurring and prevent people’s privacy being exposed because if the data wasn’t kept in this way in the first place, people might be safer,” he said.

-with AAP