Te Whatu Ora/Health NZ has begun notifying those affected.
Chief executive Margie Apa said today the first group to be contacted is a large number of Covid vaccinators whose personal information was in a downloadable file on a United States blog.
A smaller number of people who were vaccinated could be identified.
Apa said the number of people whose information has been released may rise.
A former employee of the agency is facing court charges over the leak.
After the data breach came to light in December last year, the health agency initially said there was a chance "a small number of people" had been identified, but it was now working to find out if it was even more than 12,000.
"We deeply regret what happened and apologise sincerely to those affected. We are making information, advice and support available to individuals being notified," Apa said.
Te Whatu Ora was working with police and the Privacy Commissioner.
"This is a highly complex situation, and our investigation is ongoing. We are working with local and international cyber security experts to assist and monitor for signs of the data being disclosed online," Apa said.
When the agency found out about the breach on the blogsite, Apa said, it asked for the information to be removed and it was eventually taken down.
The information about the smaller group of vaccinated people could only be identified with considerable effort and technical expertise, she believed.
Te Whatu Ora was improving its data security in a bid to stop a similar incident happening again, she said.