Health Care Data Breach Costs BreachForums Admin $700,000 Fine

Conor Brian Fitzpatrick, the 22-year-old former administrator of cybercrime forum BreachForums, will forfeit approximately $700,000 to settle a civil lawsuit stemming from a healthcare data breach.

The settlement marks a rare instance where a cybercriminal’s assets will directly compensate victims of a data breach.

Fitzpatrick, known online as “Pompompurin,” faces resentencing next month on separate criminal charges of access device fraud and possession of child sexual abuse material (CSAM).

Nonstop Health

The civil case against Fitzpatrick represents a significant legal milestone. Jill Fertel, who leads the cyber litigation practice at Cipriani & Werner representing Nonstop Health, confirmed this is the first case where a cybercriminal was directly named in civil litigation related to a data breach.

“Civil plaintiffs are not at all likely to see money seized from threat actors involved in the incident to be made available to people impacted by the breach,” noted Fertel.

Former federal prosecutor Mark Rasch emphasized the rarity of such outcomes, stating that identifying threat actors with sufficient resources to pay claims is exceptionally uncommon.

Nonstop Health, a California-based insurance provider, agreed to pay $1.5 million to settle a broader class action in January 2025, with Fitzpatrick’s forfeiture contributing to victim compensation.

Breach Details and Criminal Proceedings

The underlying breach occurred in January 2023, when BreachForums users advertised the sale of tens of thousands of Nonstop Health customer records containing Social Security numbers, dates of birth, addresses, and phone numbers.

Fitzpatrick, who launched BreachForums in March 2022 following the FBI’s takedown of a similar forum called RaidForums, personally vetted databases for sale and provided escrow services for transactions.

A yearbook photo of Fitzpatrick unearthed by the Yonkers Times.

His site rapidly grew to over 300,000 users before being repeatedly targeted by law enforcement operations.

Despite admitting to possessing over 600 CSAM images and operating the criminal forum, Fitzpatrick initially received a lenient sentence of time served with 20 years of supervised release in January 2024.

This sentence was vacated after prosecutors successfully appealed, arguing it failed to reflect the seriousness of his crimes.

The case highlights growing connections between cybercriminal communities and more serious offenses.

Investigators frequently discover CSAM on devices seized from cybercrime suspects, with some forums reportedly requiring new members to share such material to prove they aren’t law enforcement.

“If you’re going to the darkest corners of Internet, that’s how you prove you’re not law enforcement,” Fertel explained.

The FBI has continued efforts against such platforms, seizing reincarnations of BreachForums as recently as last month.

Fitzpatrick’s resentencing, scheduled for June 3, 2025, may establish more appropriate penalties for those who facilitate massive data breaches that compromise sensitive personal information of thousands of individuals.
