Again in February, HHS said it had also gotten Massachusetts General Hospital to agree to pay $1 million to settle HIPAA violation charges.

Peel said it is hard to know if the settlement amount is even close to adequate without knowing how many people might have been impacted by the snooping. But based on current health care data breach statistics, the assessed fine was probably "extremely low."

"Clearly this settlement was intended to signal that it's time at last for the health care industry to beef up data and protect patients' sensitive health data from snooping and misuse," she said.

Even so, the fine and corrective action plan do little to protect the unknown number of victims whose private data was compromised by the snooping, she said. Everyone who was a patient at UCLA between 2005 and 2009 should be getting credit monitoring and medical ID theft monitoring services, she said.

Peter MacKoul, president of consulting firm HIPAA Solutions, said the settlement underscores why health care entities need to have both technical controls and business processes for controlling access to protected data.