BreachForums Admin to Pay $700,000 in Health Care Data Breach

A U.S. court has ordered Conor Brian Fitzpatrick, the former administrator of the cybercrime site BreachForums, to forfeit roughly $700,000 as part of a legal settlement tied to a healthcare data breach.

Key Takeaways

  • Fitzpatrick, also known by his alias “Pompompurin,” is being held financially accountable in civil court for his role in facilitating the sale of stolen patient data.
  • This is one of the few cases where a dark-web forum operator is being named in a civil lawsuit alongside a breach victim.
  • The forfeited money links to a broader class action settlement aimed at compensating victims of a medical insurer’s leak.

Key Facts

  • BreachForums grew out of the closure of RaidForums and became a major online marketplace for stolen data.
  • As administrator, Fitzpatrick vetted databases for sale, operated escrow services, and oversaw forum operations with more than 300,000 users and over 14 billion records of leaked data.
  • The specific breach involved Nonstop Health, a California insurer. In 2023, their data (SSNs, birthdates, addresses, phone numbers) was posted for sale on BreachForums.
  • In 2023, Nonstop Health added Fitzpatrick as a defendant in their class complaint, making him directly financially liable for data breach damages.
  • Fitzpatrick had already faced criminal charges—pleading guilty to access device fraud and possession of child sexual abuse material—and previously received a light sentence. He also committed violations post-release (e.g. accessing restricted systems), which led an appeals court to vacate the initial sentence.

Implications

  • The case sets a precedent: cybercrime actors may not be beyond civil liability even when law enforcement action is pursued separately.
  • This move bridges civil and criminal accountability, making operators of illicit forums more exposed in multiple legal arenas.
  • For breach victims, it offers a pathway to recovery by targeting the financial gains of intermediaries, not just attackers.
  • The forum ecosystem may shift risk models—future operators may face scrutiny from victims’ lawyers even beyond law enforcement.
