IMO this is illegal big time, and a huge info security risk. In fact, I remember reading an enforcement action a while back about someone who did this and they were barred from ever working again in a financial institution. I believe it was the OCC who levied the penalty.
It is also most likely a violation of their employment agreement as a theft of information. Lastly, it could (and should) be a violation of your info security policy just by virtue of the fact that this person used email, which is not secure, to transmit protected customer info.
As far as a SAR filing, You can certainly do so if you wish. Even though it may not meet the minimum amount where you have to report, you always have the option of reporting under that amount if you determine it to be appropriate in good faith. FWIW, I would.
I've just writed a wrong.