A commentary published on SuspectFile by analyst Marco A. De Felice argues that the healthcare and broader security community has developed a costly blind spot: the relentless effort to attribute attacks to specific threat actors draws attention away from the organizational conditions that make those attacks so damaging. For independent practices and mid-size health systems, the argument lands with particular force, because those organizations frequently lack the incident-response infrastructure that could limit harm once a bad actor is already inside.

The structural problem De Felice identifies

De Felice's central claim is that excessive data collection, centralization, and long-term retention create what he calls a structural fragility — a standing condition that converts any successful intrusion into a high-consequence event regardless of who launched it. The attacker's identity becomes almost secondary when the architecture itself guarantees that a single point of failure exposes years of sensitive records.

For covered entities, this framing recasts a familiar compliance question. HIPAA's minimum-necessary standard and its data-retention requirements have long existed as policy guardrails, but De Felice's analysis suggests they are routinely treated as documentation exercises rather than engineering constraints. The practical result: organizations hold far more protected health information than active care delivery requires, and that surplus data sits available for exfiltration.

Where incident response enters the picture

The commentary also challenges the sequencing that many organizations apply when a breach occurs — a heavy investment in forensics and attribution, followed by slower action on containment and notification. De Felice suggests this sequence privileges intelligence value over patient harm reduction, and that the asymmetry is not defensible when response timelines directly affect how much data leaves the environment.

For compliance officers at independent practices, this maps to a concrete operational question: when the playbook activates, does it prioritize cutting off access and assessing what was exposed, or does it spend the first hours trying to identify the attacker? The answer has direct bearing on whether a 60-day breach notification window is used productively or reactively.

What this signals for data governance practice

The analysis stops short of prescribing specific controls, but the implication for healthcare organizations is clear enough. Data governance decisions made long before any incident — what to collect, how long to keep it, where to centralize it — determine the blast radius of a breach more reliably than any single defensive technology deployed at the perimeter.

Three areas where that logic applies directly to independent practices:

What independent practices should check

De Felice's framing is a useful prompt for a self-assessment that does not require a security team. A practice administrator can ask four questions without any specialized tooling: What categories of patient data does the organization hold? How far back does that data go, and why? Where is it stored, and how many systems touch it? And when the incident-response plan was last tested, did containment happen before or after the effort to understand who was responsible?

The answers tend to reveal whether a practice's data discipline matches its documented policies — and whether the gap between the two is the kind of structural fragility that makes attacker identity, ultimately, beside the point.