At least 12,000 people have had personal information released in last year's leak of Te Whatu Ora Covid-19 data.
Health NZ said it had begun notifying those affected.
Chief executive Margie Apa said the first group to be contacted was a large number of Covid vaccinators whose personal information was in a downloadable file on a US blog.
A smaller number of people who were vaccinated could be identified.
Apa said the number of people whose information had been released might rise.
A former employee of the agency, Barry Young, is facing court charges over the leak.
After the data breach came to light in December, Te Whatu Ora/Health NZ initially said there was a chance "a small number of people" had been identified.
But it was now working to find out if it was even more than 12,000.
"We deeply regret what happened and apologise sincerely to those affected. We are making information, advice and support available to individuals being notified," Apa said.
By the end of the weekend, the agency hoped to have contacted more than half of the 12,000 people who were affected.
Many of them still worked for Te Whatu Ora and all were doing their bit to protect New Zealanders, Apa said.
Those affected will be contacted by text or phone call, with a follow up letter, she said.
The agency was working with police and the Privacy Commissioner.
"This is a highly complex situation, and our investigation is ongoing. We are working with local and international cyber security experts to assist and monitor for signs of the data being disclosed online," she said.
Apa said when Te Whatu Ora found out about the breach on the United States blogsite they asked for the information to be removed and it was eventually taken down.
She said the information about the smaller group of vaccinated people could only be identified with considerable effort and technical expertise.
Te Whatu Ora was improving its data security in a bid to stop a similar incident happening again, she said.