Breachforums Boss to Pay $700k in Healthcare Breach

In a rare and novel legal outcome, the administrator of the notorious cybercrime community Breachforums has been ordered to forfeit nearly $700,000 as part of a settlement with a health insurance company whose customer data was posted for sale on the forum in 2023.

Conor Brian Fitzpatrick, also known as "Pompompurin," pleaded guilty to access device fraud and possession of child sexual abuse material (CSAM) and is slated for resentencing next month after his initial sentence was vacated by a federal appeals court. Attorneys involved in the case describe the settlement as a novel development in civil data-breach litigation, because the person who ran the marketplace where the data was sold is paying part of the recovery.

The breach, which occurred on January 18, 2023, saw tens of thousands of records, including Social Security numbers, dates of birth, addresses, and phone numbers, stolen from Nonstop Health, an insurance provider based in Concord, California. The data was posted for sale on Breachforums, where it was bought by several individuals and groups.

Class-action attorneys sued Nonstop Health, which added Fitzpatrick as a third-party defendant to the civil litigation in November 2023, several months after he was arrested by the FBI and criminally charged with access device fraud and CSAM possession. The lawsuit sought damages for the breach and other related harm caused to affected individuals.

As part of the settlement, Fitzpatrick will forfeit nearly $700,000, while Nonstop Health agreed to pay $1.5 million to settle the class action in January 2025. Jill Fertel, a former prosecutor who runs the cyber litigation practice at Cipriani & Werner, said that this is the first and only case where a cybercriminal or anyone related to the security incident was actually named in civil litigation.

"Civil plaintiffs are not at all likely to see money seized from threat actors involved in the incident to be made available to people impacted by the breach," Fertel said. "The best we could do was make this money available to the class, but it's still incumbent on the members of the class who are impacted to make that claim."

Mark Rasch, a former federal prosecutor who now represents Unit 221B, a cybersecurity firm based in New York City, said that he doesn't doubt that the civil settlement involving Fitzpatrick's criminal activity is a novel legal development.

"It is rare in these civil cases that you know the threat actor involved in the breach, and it's also rare that you catch them with sufficient resources to be able to pay a claim," Rasch said.

Despite admitting to possessing more than 600 CSAM images and personally operating Breachforums, Fitzpatrick was sentenced to time served and 20 years of supervised release. Federal prosecutors objected, arguing that his punishment failed to adequately reflect the seriousness of his crimes or serve as a deterrent.

A redacted screenshot of the Breachforums thread offering the stolen Nonstop Health data for sale accompanies the original article.