I think knowledge of them would absolutely be a breach, because you wouldn't be able to guarantee that person didn't remember and subsequently misuse them.
If the data was publicly leaked then this argument would have some merit. But it wasn’t, the only people who could have accessed these passwords were insiders, and those passwords were used to protect data that many of them would have access to anyway.
There is no evidence any unauthorised party gained access to any private data as a result of this incident. There is no evidence that any authorised party misused data as a result of this incident. A “breach” that involves no unauthorised access, and no misuse is not a breach.
A control failure occurred, and it was remedied in the most appropriate way possible.
