Health NZ says it has begun notifying those affected.
Chief executive Margie Apa said the first group to be contacted is a large number of Covid vaccinators whose personal information was in a downloadable file on a US blog.
A smaller number of people who were vaccinated could be identified.
Apa said the number of people whose information has been released may rise.
A former employee of the agency is facing court charges over the leak.
After the data breach came to light in December, Te Whatu Ora/Health NZ initially said there was a chance "a small number of people" had been identified.
But it was now working to find out if it was even more than 12,000.
"We deeply regret what happened and apologise sincerely to those affected. We are making information, advice and support available to individuals being notified," Apa said.
The agency was working with the police and the Privacy Commissioner.
"This is a highly complex situation, and our investigation is ongoing. We are working with local and international cyber security experts to assist and monitor for signs of the data being disclosed online," she said.
Apa said when Te Whatu Ora found out about the breach on the United States blogsite they asked for the information to be removed and it was eventually taken down.
She said the information about the smaller group of vaccinated people could only be identified with considerable effort and technical expertise.
Te Whatu Ora was improving its data security in a bid to stop a similar incident happening again, she said.
RNZ.