Personal data of every Welsh resident who tested positive for Covid-19 between the end of February and 30 August was accidentally uploaded to a public server, where it was searchable by anyone using the site.
Public Health Wales said the data breach, involving the details of 18,105 Welsh residents, was the result of “individual human error”.
In the cases of 16,179 people, the information published consisted of their initials, date of birth, geographical area and sex.
However, for 1,926 people living in nursing homes or other enclosed settings such as supported housing, or residents who shared the same postcode as those settings, the information also included the name of the setting.
Public Health Wales removed the data on the morning of August 31 after being alerted to the breach. In the 20 hours it was online, it was viewed 56 times. It has not been possible to trace the people who viewed it.
A spokesman said there was “no evidence at this stage” that the data had been misused. The data was for every Welsh resident who tested positive for COVID-19 between the 27th of February 2020 and 30 August 2020.