Npower is "urgently investigating" how the personal details of around 5,000 customers were shared with others by post.
The letters included names, addresses and payment amounts - but did not include bank details.
The energy giant has apologised to affected customers and said it had informed the Information Commissioner's Office (ICO) of the data breach.
The letters were a mailing for the company's Feed-In Tariffs scheme for those with solar panels.
Retired GP Dr Tom Harris, from Somerset, told the BBC he received one of the letters over the weekend.
He said: "When I opened it the front page was addressed to me but overleaf were personal details of another customer. And there were another two sheets of A4 with the details of three others."
He said when he contacted Npower "they didn't seem unduly surprised" and that the company "was aware of other people in the same situation".
An Npower spokeswoman said: "We're urgently investigating how this occurred with our fulfilment partner, who sent the mailing on our behalf.
"We apologise for this error, especially to the customers whose information was incorrectly shared - around 5,000 in total."
Under the new General Data Protection Regulation which came into force in May, Npower could be liable for hefty fines, up to EUR20m, or four per cent of the group's annual turnover - plus more in legal suits if a breach causes serious harm to those whose details were disclosed.
Businesses have also have new responsibilities to ensure they can demonstrate their own compliance to the regulator and can be fined for non-compliance, not just a breach. Npower's breach will likely lead to an audit by the ICO to find any other gaps in their practices.
An ICO spokeswoman confirmed: "Npower has made us aware of an incident and we are making enquiries."
Additional reporting by Press Association.
