Your 4-factor analysis will help you to determine if it is a breach or not. At the very least it appears to violate the "minimum necessary" rule. I would bring this to your Compliance Committee or upper management, whoever would be involved in making that kind of decision, and determine who in the organization really needs the marketing report and what information they need. A simple policy and procedure for the Marketing person/dept. to guide them in what information to include, who to share it with, and how to share it (encrypted email, etc.) should alleviate any future problems.
Michael Scudillo, OTR, CHC Chief Compliance Officer/Privacy Officer Universal Institute / Therapeutic Rehabilitation