First Minister Mark Drakeford has said he does not know when the Welsh Government was first told about a data breach involving 18,000 people who tested positive for coronavirus.
He faced calls to apologise for the Public Health Wales (PHW) breach, which saw details put on a public website.
PHW on Monday said the Welsh Government was told on 2 September.
Mr Drakeford said the incident was a “serious matter” and that he himself first learned about it on Monday.
Details of more than 18,000 people, including initials, date of birth, geographical area and sex, were published on the PHW website at 14:00 on 30 August.
It was not removed until 09:55 the next morning. PHW revealed the breach to the public in a statement on Monday.
In the Senedd on Tuesday Welsh Conservative group leader Paul Davies asked Mr Drakeford to apologise to the people affected.
Mr Drakeford, in response, said: “I learned of this data breach yesterday, and I learned of it as a result of Public Health Wales’ statement.”
“It is a serious matter when data regulations are not properly observed.”
He said PHW had been right to apologise to those concerned.
“Thankfully… the breach lasted for less than a day, and the initial inquiries suggest that no harm has been done as a result, but that is a matter of luck rather than anything else.”
Mr Drakeford said it was right that PHW had instituted an inquiry and informed the information commissioner.
‘I know when I was informed’
But pressed by Tory Senedd member Andrew RT Davies on when the Welsh Government was informed and which minister was the first to be told, Mr Drakeford said he did not know.
“I gave an answer, which was within my knowledge,” he said.
“I know when I was informed. I don’t know the answer to those other questions nor would I expect to know them just standing up here in the chamber.
“We will discover those answers, of course, and I’m very happy to communicate them to the member.”
Mr Davies later tweeted that he found the response “staggering”.
“For a man who is supposedly ‘across the detail’ to not know this information is laughable,” he added.
Meanwhile the Information Commissioner’s Office (ICO) had decided not to take formal action over a previous data breach involving the delivery of 13,000 shielding letters to the wrong addresses.
An ICO spokeswoman said: “We looked into the details of this incident and provided data protection advice to NHS Wales Informatics Services.
“We decided not to take formal enforcement action on this occasion.”