The patient got a suspended fine, so he isn't going to pay the fine unless he is stupid enough to make the same mistakes again.
The ruling (I've read it) is actually very balanced. This is, in short, what happened. The patient overheard a (weak 4-digit) password accidentally. He didn't take this up with the owner of the password, nor the organisation, nor the software builder. Instead he tried if it worked at home. The judge ruled this normally illegal but acceptable(!) in this case up to the point where it was required to prove he got access to the system. The judge fully acknowledged the bigger interest of the security of a system storing patient data there.
The patient then called Krol, and together they again tried if it worked. He was fined (again, a suspended fine) because he didn't try to contact any of the relevant parties but instead chose to show the password to somebody else. The judge explicitly acknowledged this would have been acceptable if the issue wouldn't be fixed after reporting it in a relevant place.
Krol went a bit further (and got a higher fine as a result). After being told about the issue he tested it together with the patient. He downloaded a few files to prove he could actually access the system, which again was deemed acceptable by the judge. He then printed some of those files, anonymized them and called Diagnostics for You, got a receptionist on the line who asked him to report this in writing so they could look into it. But he didn't; he also didn't push on or try calling somebody else, but instead he called the local television station. They came over and filmed him logging in to the system and downloading patient data again, effectively showing sensitive information to journalists instead of getting the issue fixed. This is what got him fined: illegally accessing and sharing sensitive files even though there was no reason to do so.
This ruling actually provides a nice legal framework for responsible disclosure. It boils down to: it's OK to access systems when there is a bigger interest at stake, but report it at the right places, and keep the breach of privacy to a minimum. And if you go a bit out of your way there, you'll get a slap on the wrist.
Krol got fined, not for hacking but because he didn't do responsible disclosure properly. I've got no issues with that, most of it is common sense really.