The health agency said the results of 18.105 Welsh residents were accessible to everyone in Internet for 20 hours on August 30th.
In most cases, the data included date of birth, geographical area and gender, meaning that individuals were not easy to identify.
However, 1.928 people living in public areas are at greater risk.
Data on individuals living in nursing homes or accommodation structures, including their name and place of residence, were also published. And although in this case the chances of identification are not great, they still exist.
The information had been viewed 56 times before being removed, but so far there was no evidence that the results had been misused.
CEO Tracey Cooper told BBC Wales that this was one of the "biggest data breaches" she had encountered and that "it should never have happened".
Those in charge were notified of infringement on the afternoon of 30 August following the publication of the information at 14:00 that day, however they did not follow the prescribed procedures for such incidents, with the result that the data remained exposed until 09:55 the next morning.
The agency said it has already taken appropriate action, including that data transfers are now done by senior team members.
His office Information Commissioner (ICO) and the Welsh Government were informed of the incident. The ICO said it would further investigate the incident.
This is the second time a Welsh NHS member has had to report to the ICO for data breach during a pandemic. In April, the NHS Wales Informatics Services - the IT department of the health service - contacted after sending 13.000 letters to the wrong addresses.