Personal data concerning 18,105 residents of Wales who tested positive for COVID-19 was uploaded by mistake to a public server and spent 20 hours online, officials have revealed.
The data breach, last month, was a result of individual human error, Public Health Wales said on Monday.
The body said it had commissioned an external investigation and taken steps to prevent any similar incident.
"There is no evidence at this stage the data has been misused," Public Health Wales said in a statement.
"However we recognise the concern and anxiety this will cause and deeply regret that on this occasion we have failed to protect Welsh residents' confidential information."
The data was uploaded on the afternoon of August 30 and was searchable by anyone using the Public Health Wales site until it was removed on the morning of August 31.
During the time it was online it was viewed 56 times by unknown users.
Public Health Wales said in the majority of cases, 16,179 people, the information consisted of initials, dates of birth, geographical area and sex, meaning that the risk of identification was low.
For 1926 people living in nursing homes and supported housing, the information also included the names of the homes, which made the risk of identification higher, but still low.
The data was for every resident of Wales who had tested positive for COVID-19 between February 27 and August 30.
It was uploaded to the Public Health Wales COVID-19 dashboard, on a page containing health protection information.