Conor Brian Fitzpatrick, the 22-year-old former administrator of the cybercrime marketplace BreachForums, has agreed to pay nearly $700,000 to settle a civil lawsuit tied to a healthcare data breach. This marks a rare case where an individual directly linked to a data breach faces financial penalties.
BreachForums and Fitzpatrick’s Role
Fitzpatrick, known online as “Pompompurin,” launched BreachForums in March 2022 after the FBI shut down its predecessor, RaidForums. As the site administrator, he vetted stolen databases and managed escrow services for transactions.
Under his leadership, BreachForums grew to over 300,000 users and facilitated the sale of more than 14 billion records. Despite law enforcement efforts—including a recent takedown in April 2025—versions of BreachForums continue to resurface online.
Legal Action Following Healthcare Breach
In January 2023, personal data from Nonstop Health, a California-based insurance provider, appeared for sale on BreachForums. The breach exposed sensitive information, including Social Security numbers, birthdates, addresses, and phone numbers of customers.
In a rare move, Nonstop Health’s lawyers added Fitzpatrick as a third-party defendant in their class action lawsuit in November 2023. This followed his arrest on criminal charges, including conspiracy to commit access device fraud and possession of child sexual abuse material (CSAM).
“This is the first time a cybercriminal has been named in civil litigation related to a breach,” said Jill Fertel, a former prosecutor and current head of cyber litigation at Cipriani & Werner, representing Nonstop Health.
Settlement Details
According to KrebsOnSecurity, Fitzpatrick’s $700,000 payment will contribute to a broader $1.6 million class action settlement reached in January 2025. Class members may claim up to $5,000 for unreimbursed fraud and identity theft costs.
Mark Rasch, a former federal prosecutor with cybersecurity firm Unit 221B, called the outcome unusual. “It’s rare to know the individual behind a breach, and even rarer to find one with assets to pay damages,” he said.
Ongoing Criminal Case
Fitzpatrick’s legal issues are not over. In January 2024, he pleaded guilty to serious charges, including possession of more than 600 CSAM images. He initially received a light sentence of time served and 20 years of supervised release.
However, federal prosecutors appealed, arguing that the punishment was too lenient. Their case was strengthened when Fitzpatrick violated his release terms by using VPNs to access restricted computer systems and by publicly denying guilt on Discord.
In January 2025, the U.S. Court of Appeals overturned the original sentence. Fitzpatrick is now scheduled for resentencing on June 3, 2025.
