The details of more than 18,000 people who tested positive for coronavirus were published online by mistake by Public Health Wales.
The health body said the data of 18,105 Welsh residents was viewable online for 20 hours on 30 August.
Most cases gave initials, date of birth, geographical area and sex, meaning the risk of identification was low, Public Health Wales (PHW) said.
However 1,928 people in living in communal settings were more at risk.
Nursing home residents or those living in supported housing also had the name of their place of residence published, meaning the risk, while still considered low, was higher.
The incident was the result of “individual human error” when the information was uploaded to a public server searchable by anyone using the site.
PHW said the information had been viewed 56 times before it was removed but there was no evidence so far that the data had been misused.
What is Public Health Wales doing about the data breach?
Chief executive Tracey Cooper said: “We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed.
“I would like to reassure the public that we have in place very clear processes and policies on data protection.
“We have commenced a swift and thorough external investigation into how this specific incident occurred and the lessons to be learned.
“I would like to reassure our public that we have taken immediate steps to strengthen our procedures and sincerely apologise again for any anxiety this may cause people.”
The Information Commissioner’s Office and the Welsh Government have been informed and an external investigation has been commissioned by Public Health Wales to establish the full circumstances of the breach, led by NHS Wales Informatics Service.
The body said it had already taken steps, including making sure any data uploads were now undertaken by a senior team member.
Anyone concerned that their data or that of a close family member could have been published can get advice from Public Health Wales.