Outsourcing firm Serco has apologised after accidentally sharing the email addresses of almost 300 contact tracers.
The company is training staff to trace cases of Covid-19 for the UK government.
It made the error when it emailed new trainees to tell them about training.
Serco said it had apologised and would review its processes “to make sure that this does not happen again”.
Contact tracing is a system used to slow the spread of infectious diseases like coronavirus. It is already being used in other countries including Singapore and Germany.
In the UK, Health Secretary Matt Hancock said 21,000 contact tracers have been hired, some of whom are healthcare professionals.
They will gather contacts from Covid-19 patients and trace those people by phone or email to slow the spread of the disease in the community.
Serco is one of the companies hiring, training and operating the 15,000 contact tracers who do not have clinical training.
But the mistake may leave the firm in breach of data protection rules. It is understood that at least one member of staff has raised the issue with the Information Commissioner.
The error did not involve patients’ data but will be unhelpful for a contact tracing project that is set to ask many thousands of people who have fallen ill to share the details of their friends and acquaintances.
Serco wrote the email to tell new trainees not to contact its help desk looking for training details.
But the staff member who sent it put their email addresses in the CC section of the email, rather than the blind CC section – revealing them to every recipient.
When the Home Office made a similar error last year it referred itself to the Information Commissioner, but Serco is not intending to do this.
A Serco spokesman told the Today Programme: “An email was sent to new recruits who had given us their permission to use their personal email addresses.
“In error, email addresses were visible to other recipients. We have apologised and reviewed our processes to make sure that this does not happen again.”