Healthcare organizations that invest heavily in threat intelligence and attacker attribution may be solving the wrong problem first. That is the central argument in a recent analysis by Marco A. De Felice, writing on SuspectFile, which contends that an industry-wide fixation on identifying who attacks has displaced serious examination of why so many attacks succeed — and what structural conditions allow them to cause such large-scale harm when they do.

The structural problem

De Felice describes what he calls a pattern of structural fragility: organizations continue to collect, centralize, and retain far more sensitive data than any given business function requires. When a threat actor — skilled or opportunistic — finds a way in, that fragility converts a limited intrusion into a mass-exposure event. The accumulation itself becomes the hazard.

This framing has direct implications for healthcare. The sector is both a high-value target and a historically heavy accumulator of personal health information, financial records, and insurance data, often across systems that were integrated for clinical convenience rather than designed with data-separation discipline. A single compromised credential can traverse years of consolidated records.

What attribution alone cannot fix

Knowing the identity or affiliation of an attacker does not change the volume of data that was exposed, does not reduce the harm to affected individuals, and does not alter the retention schedules or architecture decisions that made mass exposure possible. De Felice's analysis argues that incident response planning and post-incident reporting place disproportionate weight on the "who" — often because regulators, insurers, and the press demand a named actor — while the "how much data was there and why" receives comparatively little scrutiny.

For independent practices, this gap matters in a concrete way. A small practice running a single EHR instance may feel insulated from enterprise-scale breaches, but centralized billing, clearinghouse connections, and third-party scheduling platforms mean that locally generated data often flows into aggregated repositories the practice does not directly control or audit.

Where this lands for independent practices

The analysis points toward a set of disciplines that reduce harm potential regardless of who the eventual attacker turns out to be:

• Data minimization at collection — retaining only the fields a specific clinical or billing function requires, rather than archiving complete records by default.
• Retention schedule enforcement — treating aging data as a liability rather than a passive asset, and applying deletion or de-identification timelines consistently.
• Architectural separation — avoiding the consolidation of unrelated data categories into single repositories purely for administrative convenience.
• Incident response scoped to exposure volume — building response plans that account for what was accessible, not only what forensics eventually determines was exfiltrated.

None of these controls depends on knowing the attacker's identity. Each reduces the ceiling on harm before an incident occurs.

What this signals about the next 12 months

Regulatory attention at both the federal and state level has been moving — slowly but measurably — toward data minimization standards. The HHS Office for Civil Rights has repeatedly cited impermissible disclosures tied to excessive retention and over-broad system access in its enforcement resolutions. Proposed revisions to the HIPAA Security Rule lean into risk analysis requirements that, read carefully, implicate data inventory and scoping decisions, not just technical safeguards.

De Felice's argument is that the industry will keep producing large breach disclosures at scale until structural data habits change — and that no threat-intelligence program, however sophisticated, substitutes for that work.