Yes. When mistakes result in a disclosure of PHI to an unauthorized person, you MUST account for that in the database.

Susan must also report the accidental disclosure to her Privacy Officer.