Breachforums Boss: $700K Healthcare Data Breach Fine
Conor Brian Fitzpatrick, teh administrator of the BreachForums cybercrime forum, faces the forfeiture of nearly $700,000 after a settlement in a data breach case. This significant progress stems from a civil lawsuit filed by Nonstop Health following a 2023 incident where customer data was exposed. Fitzpatrick, also known as “Pompompurin,” is scheduled for resentencing next month, adding another layer to this complex case.The Nonstop Health data breach involved tens of thousands of sensitive records, impacting numerous individuals. This legal outcome highlights the increasing intersection of cybercrime and civil litigation. News Directory 3 is tracking the evolving narrative of this story with the latest facts. With Fitzpatrick’s resentencing looming, discover what’s next for the future of data breach settlements and their effects on cybercriminals.
BreachForums Admin to Forfeit Funds in Data Breach settlement
Updated May 27, 2025
Conor Brian Fitzpatrick, the 22-year-old former administrator of the cybercrime forum BreachForums, will forfeit nearly $700,000 to settle a civil lawsuit. The suit was filed by Nonstop Health, a California-based health insurance company, after customer data was offered for sale on the forum in January 2023. This novel legal outcome highlights the intersection of cybercrime and civil litigation.
Fitzpatrick, also known as “Pompompurin,” is scheduled for resentencing next month after pleading guilty to access device fraud and possession of child sexual abuse material (CSAM). The case underscores the potential financial repercussions for individuals involved in data breaches and cybercrime activities.
The Nonstop Health data breach involved tens of thousands of records, including Social Security numbers, dates of birth, addresses, and phone numbers. Following the breach, class-action attorneys sued Nonstop Health, which then added Fitzpatrick as a third-party defendant in November 2023, months after his arrest by the FBI. Nonstop Health agreed to a $1.5 million settlement in the class action in January 2025.
Jill Fertel,a former prosecutor with Cipriani & Werner,represented Nonstop Health. She noted the rarity of a cybercriminal being named in civil litigation related to a data breach. “Civil plaintiffs are not at all likely to see money seized from threat actors involved in the incident to be made available to people impacted by the breach,” Fertel said.
Mark Rasch, a former federal prosecutor now with Unit 221B, a cybersecurity firm, concurred that the settlement involving Fitzpatrick’s criminal activity is a novel legal development. “It is indeed rare in these civil cases that you know the threat actor involved in the breach, and it’s also rare that you catch them with sufficient resources to be able to pay a claim,” Rasch said.
Despite admitting to operating BreachForums and possessing CSAM, Fitzpatrick initially received a sentence of time served and 20 years of supervised release in January 2024. Federal prosecutors objected, arguing the sentence was insufficient. He was later rearrested for violating his release terms by using a computer without required monitoring software.
Fitzpatrick launched BreachForums in March 2022, after the FBI shut down RaidForums. As administrator, he facilitated the sale of stolen databases, attracting over 300,000 users. A reincarnation of BreachForums was seized in May 2024, with subsequent relaunches experiencing disruptions.
“If you’re going to the darkest corners of Internet, that’s how you prove you’re not law enforcement,” Fertel said. “Law enforcement would never share that material. It would be criminal for me as a prosecutor, if I obtained and possessed those types of images.”
What’s next
Fitzpatrick’s resentencing is scheduled for June 3, 2025. The outcome could set a precedent for future cases involving cybercriminals and data breach settlements, potentially impacting how victims of data breaches seek compensation.