The details of more than 18,000 people who tested positive for coronavirus were published online by mistake by Public Health Wales.
The health body said the data of 18,105 Welsh residents was viewable online for 20 hours on 30 August.
Most cases gave initials, date of birth, geographical area and sex, meaning the risk of identification was low, Public Health Wales (PHW) said.
However, 1,928 people living in communal settings were more at risk.
Nursing home residents or those living in supported housing also had the name of their place of residence published, meaning the risk, while still considered low, was higher.
The incident was the result of “individual human error” when the information was uploaded to a public server searchable by anyone using the site.
PHW said the information had been viewed 56 times before it was removed but there was no evidence so far that the data had been misused.
What is Public Health Wales doing about the data breach?
Chief executive Tracey Cooper told BBC Wales the failure was one of the “biggest data breaches” she had come across and said it “should never have happened”.
Dr Cooper also said Public Health Wales could have acted more quickly in removing the information.
The person who was alerted to the breach on the evening of 30 August, after the information was posted at 14:00 that day, did not follow the body’s serious incident reporting procedures.
The data was not removed until 09:55 the next morning.
Finding out why is part of the terms of reference of an external investigation which will be carried out by NHS Wales Informatics Service. “I think we should have taken it down quicker,” she said.
The team that “takes data protection responsibilities extremely seriously” was “devastated that this has happened”, Ms Cooper said.
“I can’t apologise enough because on this occasion we failed.”
Dr Cooper said she was not considering resigning, saying: “I’m the person who is accountable and as chief executive that’s where the buck stops.
“I want to get to the bottom of it so I’m not at this stage [considering my position].”
PHW said it had already taken steps, including making sure any data uploads were now undertaken by a senior team member.
What has the reaction been?
Welsh Conservative spokesman on health, Andrew RT Davies MS, said: “I acknowledge that the risk is considered to be ‘low’, but I’m not sure that that will be much comfort to the nearly 2,000 residents of care homes or other enclosed settings whose – albeit limited – information was posted along with their place of residence.
“The health minister appears to have sat on this for two weeks and done a press conference earlier today without disclosing this significant failing – and that’s unacceptable.”
His Plaid Cymru counterpart, Rhun ap Iorwerth MS, said: “Any data breach is serious, and this data breach including potential means of identifying patients is of serious concern.
“Public Health Wales and the Welsh Government have to be able to explain how exactly this happened, and give assurances that this can’t happen again.”
Second data breach
The Information Commissioner’s Office (ICO) and the Welsh Government have been informed. The ICO said it would be making inquiries following the alert.
This is the second time a part of the Welsh NHS has had to refer itself to the ICO over a data breach during the pandemic.
In April, NHS Wales Informatics Services – the health service’s IT arm – contacted the watchdog after 13,000 shielding letters were sent to the wrong addresses.
Anyone concerned that their data or that of a close family member could have been published can get advice from Public Health Wales.
The Welsh Government said it was a matter for Public Health Wales.