The details of up to 3,000 NHS patients could have been on a computer stolen from a doctors' surgery.
The laptop is thought to have been stolen by an opportunist thief.
The laptop belonging to the Diabetic Retinopathy Screening Service (DRSS) contained patients' names, addresses, dates of birth and phone numbers.
Cardiff and Vale NHS Trust said the laptop was coded with passwords and had three levels of protection.
Police were called in after the theft at a surgery in Newport on 5 November. The trust is also investigating.
Initially Cardiff and Vale NHS Trust chief executive Hugh Ross announced 950 diabetic patients had definitely been affected by the incident.
They were taking part in a screening service for people with eye problems.
But Mr Ross later told BBC Wales's Dragon's Eye programme that information about as many as 2,000 or 3,000 patients could be on the laptop.
The trust said the computer did not contain any national insurance numbers or medical information, but a link to a picture of patients' retinas was stored on it.
Some patients' NHS numbers were also on it and it said it was in the process of writing to those affected by the theft.
Mr Ross told the programme: "What I'm concerned about is my staff were investigating it, but very slowly and that's not good enough and that's what we need to get to the bottom of.
"I think it's a cock-up not a cover-up, frankly."
He said the laptop was stolen from St Julian's GP surgery and added it was "possible that further patient records, which were due to be deleted, may still be stored on the computer.
"The trust has no way of knowing if this is the case unless the laptop can be recovered."
Mr Ross said he had begun an internal investigation into the service and its security measures.
"I would like to offer a sincere apology to all patients affected by this theft and reassure them that there are very strong security measures on all our IT systems to prevent confidential information being accessed.
"This is an isolated incident and we are taking immediate action to try and ensure that it does not happen again."
Kate Watkins, chief executive of the Newport Local Health Board, said the computer belonged to the DRSS and the police were contacted immediately.
"We can confirm that no computers belonging to the GP practice were stolen and that there is no question of the integrity of patient data held by the GP practice having been compromised," said Ms Watkins.
Conservative Jonathan Morgan said: "This is absolutely appalling and comes hard on the heels of the lost data scandal at HM Revenue and Customs and recent problems at the DVLA.
"It is yet another disturbing development which will further undermine public confidence in measures to protect sensitive information.
"We need a full inquiry to discover how this could have happened, what steps have been taken to protect any potentially sensitive information, and whether measures are being put in place to prevent a repeat incident."
Welsh Liberal Democrat Jenny Randerson said: "I was shocked to learn that people whose data was lost were not told for five weeks. People need to be told as soon as possible that their data is possibly open to abuse."
The DRSS is a Welsh Assembly Government-funded service managed by the Cardiff NHS trust.
It has screened 150,000 patients around Wales whose information is stored on a central database.
An assembly government spokesperson said: "It is the responsibility of the local NHS, in this case the trust, to manage issues such as this.
"However, we would expect the trust to review the case to identify if any further measures need to be put in place to reduce the risk of similar incidents in future."