A commentary published on SuspectFile by analyst Marco A. De Felice argues that the healthcare and broader data-intensive sectors have developed a blind spot: incident response and threat-actor attribution absorb most organizational attention, while the conditions that amplify breach damage — collecting more data than necessary, centralizing it, and holding it longer than required — receive far less scrutiny. The argument has direct relevance for independent practices, which often inherit data-accumulation habits without the enterprise resources to defend them.
The structural problem De Felice identifies
De Felice's central claim is that the question "who attacked us?" has crowded out the more tractable question of "why did we have so much to lose?" He describes this as a structural fragility: organizations that continuously expand the volume and sensitivity of the data they hold are, by definition, expanding the blast radius of any future incident regardless of who carries it out.
For healthcare specifically, this pattern is well-documented. Covered entities and business associates routinely retain records beyond minimum necessary periods, aggregate data across systems for operational convenience, and build centralized repositories that become high-value targets. Each of those choices is a policy decision, not an inevitability.
Why incident response alone is insufficient
Investing in detection and response capabilities is necessary but addresses the problem only after the exposure is created. De Felice's analysis suggests that treating breach economics as a function of attacker sophistication misses the variable that organizations can most directly control: the size and accessibility of the data surface.
A practice that collects only what it needs, retains records only as long as required under applicable rules, and segments sensitive data rather than pooling it, presents a structurally smaller target. Attackers may still succeed, but the consequential harm — to patients, to operations, to regulatory standing — is proportionally reduced.
Where this lands for independent practices
Independent practices face particular exposure here. Administrative convenience frequently drives data-handling decisions at smaller organizations, where there is no dedicated privacy officer reviewing collection scope. Several patterns recur:
- Retention beyond legal minimums. State law and HIPAA establish floors and ceilings for record retention; practices that never revisit their retention schedules accumulate years of unnecessary exposure.
- Centralization without segmentation. Consolidating patient records, billing data, and staff credentials into a single system or shared drive simplifies daily workflows but concentrates risk.
- Collection scope creep. Intake forms, patient portals, and scheduling tools are regularly expanded to capture demographic and social-determinants-of-health data without a corresponding review of whether that data is ever used clinically.
What this signals about the next 12 months
The argument De Felice advances aligns with a direction regulators have been signaling. The HHS Office for Civil Rights has, in recent enforcement actions, cited failure to implement minimum necessary standards as a contributing factor in breach severity. The revised HIPAA Security Rule notice of proposed rulemaking published in early 2025 included provisions that would require more explicit documentation of data access controls and asset inventories — both of which presuppose that organizations know what they are holding and why.
Practices that treat data minimization as a compliance checkbox rather than an ongoing operational discipline are likely to find themselves exposed both to breach consequences and to heightened regulatory scrutiny as enforcement priorities catch up with the structural critique De Felice is making.