The atheletics' governing body said it believed an attack had compromised athletes' TUE applications stored on its servers
In a statement, the IAAF said it believed an attack had compromised athletes' TUE applications stored on its servers, adding that it detected "unauthorised remote access" to the IAAF network on February 21.
However, it admitted it was not sure of information was subsequently stolen from the network.
TUEs are official waivers allowing athletes to use otherwise banned substances for the treatment of legitimate medical conditions.
"Our first priority is to the athletes who have provided the IAAF with information that they believed would be secure and confidential," said IAAF president Sebastian Coe.
"They have our sincerest apologies and our total commitment to continue to do everything in our power to remedy the situation and work with the world's best organisations to create as safe an environment as we can."
Last year Fancy Bears leaked medical records held by the World Anti-doping Agency (WADA) which provided details of athletes who had been legitimately taking banned medications under TUEs.
British cyclists Bradley Wiggins and Chris Froome, along with American tennis star Serena Williams and gymnast Simone Biles, who won four gold medals at Rio 2016, were among those to have had their details made public, although there is no suggestion of any wrongdoing on their part.