It would depend on whether the procedure would cause or has a high likelihood of causing an unauthorized use or disclosure. So, for example, if a patient were to request this data and it were released to them, it would be an unauthorized disclosure if it had other patient names on it. I would need more information before I could answer definitively but the procedure seems sloppy at best.