A 21-year-old who received the email after having counselling earlier this year said she was horrified.
"It's so uncomfortable to know there are people that know I have been to see a counsellor."
Privacy Commissioner spokesman Charles Mabbett encouraged students to approach Massey University's Student Health and Counselling services to address the issue.
"Many people on this list probably have good reason to not broadcast the fact they are receiving counselling," Mr Mabbett said.
"People who receive counselling are getting a very personal and private service and they don't necessarily want other people to know they are receiving counselling."
He said if students were still unhappy after approaching the university, they could lodge a complaint with the Privacy Commissioner.
"We would look at this as health information and this information is some of the most personal and private information there is."
Mr Mabbett said it appeared human error was the most likely cause of the breach, and was the most common cause of privacy breaches.
Massey University Students' Association president Linsey Higgins said in this case, people who were "potentially in quite a vulnerable position" had good reason to feel their privacy was breached.
"Counselling is a place where you're meant to feel safe and that you can trust what goes on."
She said the privacy breach could "have huge ramifications" for the wellbeing of students.
The email made it clear all recipients had received "support and service" from counsellors this year.
"Your information will be respected and will help us to be effective for all students," the email said.
NZME News Service informed a Massey spokesman of the email but did not receive a response yesterday.
In 2008, a recruitment agency sent an email out to clients with their email addresses visible. One recipient complained about the disclosure.
The recruitment agency explained that the error had occurred as the carbon copy rather than blind carbon copy field was used, the Office of the Privacy Commissioner said.
The agency assured the commissioner and client it had taken action to ensure the mistake did not occur again.
Other privacy breaches
• Last month, a Waikato high school sent an email to an entire year group instead of a teacher. The email revealed alleged family violence involving a pupil. The mistake was put down to human error.
• In 2013, The Earthquake Commission sent information about 260 claimants to the wrong customers. That followed EQC also sending 83,000 claimant details to the wrong recipient and emailing a claimant a spreadsheet with 220 names, stopped cheque details and claim amounts worth about $23 million.
• Also that year, Queenstown District Council accidentally released details of every complaint it received over the past 10 years. The emails contained names and phone numbers of people making the complaints and the names of those complained about.
• In 2013 the Ministry for the Environment sent about 150 people each other's private email addresses.