A commentary published on SuspectFile by security researcher Marco A. De Felice argues that the healthcare and broader security community spends disproportionate energy on attributing attacks to named threat actors while giving insufficient attention to the conditions that allow those attacks to cause serious harm. The piece identifies what De Felice calls a structural fragility: organizations routinely collect more sensitive data than operations require, store it in centralized repositories, and retain it far beyond any defensible business need. When a threat actor eventually exploits a vulnerability — a near-certainty over a long enough timeline — that accumulated data becomes the damage.
The structural problem
De Felice's argument is not that attribution is useless. It is that attribution without structural reform is incomplete. Knowing which group exploited a vulnerability does not explain why millions of records were available to exfiltrate in the first place. The answer, in most cases, is that organizations built systems optimized for data availability rather than data minimization, and never revisited those design choices as threat environments changed.
For healthcare specifically, the problem is compounded by legacy workflows that treat broad data access as a clinical convenience and by EHR architectures that aggregate records across patient populations into unified databases. A single credential compromise or unpatched internet-facing system can provide an attacker with access to records that took decades to accumulate.
What the incident response gap looks like
The analysis also touches on incident response readiness. Organizations that have not mapped what data they hold, where it lives, and how long it is retained cannot accurately assess blast radius when an incident occurs. That gap delays breach notification timelines, complicates regulatory disclosures to the HHS Office for Civil Rights, and inflates remediation costs.
De Felice points to a pattern seen across multiple high-profile incidents: the technical exploitation was relatively straightforward, but the scale of harm was determined by data architecture decisions made years earlier. In that framing, the threat actor is the proximate cause; the organization's data practices are the distal cause that determines severity.
Where this lands for independent practices
Smaller and independent healthcare practices are not exempt from this dynamic. They may lack the data volumes of a large health system, but they frequently lack the governance controls as well — no formal data retention schedules, no regular audits of what the practice management or EHR system is storing, and no documented minimum-necessary policies that are actually enforced at the system level.
Three practice-level questions follow directly from De Felice's analysis:
- What is being collected? Many practices capture data fields during intake or billing that are never used clinically or operationally. Each unnecessary field is residual risk.
- How long is it being kept? HIPAA's minimum retention requirement is six years for covered entity records; some states extend that for medical records. Retaining data beyond applicable requirements serves no compliance purpose and increases exposure.
- How is it centralized? Practices that aggregate data from multiple sources — labs, imaging, patient portals, RCM platforms — into a single environment should assess whether that consolidation is architecturally necessary or merely convenient.
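The three questions above only reduce risk when they are enforced in a system rather than written in a policy. The following is an added example (not code from the article or from SuspectFile) of a small retention and minimization audit: given an inventory of records, it applies the six-year HIPAA baseline the article cites, a longer state period where one exists, and flags captured fields that are never used clinically or for billing. The state retention table, the list of needed fields, and the sample records are all constructed placeholders, not real statutory values or patient data.

```python
from dataclasses import dataclass
from datetime import date

# Baseline from the article: six years for covered-entity records; some
# states extend that. STATE_RETENTION_YEARS is a constructed placeholder.
FEDERAL_RETENTION_YEARS = 6
STATE_RETENTION_YEARS = {"XX": 10}  # constructed example, not a real statute

# Fields the practice actually uses clinically or for billing (assumed list).
NEEDED_FIELDS = {"name", "dob", "diagnosis_codes", "insurance_id"}


@dataclass(frozen=True)
class Record:
    record_id: str
    state: str            # jurisdiction whose retention rule applies
    last_activity: date   # last clinical or billing activity
    fields: frozenset     # field names captured for this record


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years, clamping 29 Feb to 28 Feb if needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_years(state: str) -> int:
    """Longest applicable retention period for a record held in this state."""
    return max(FEDERAL_RETENTION_YEARS, STATE_RETENTION_YEARS.get(state, 0))


def is_expired(record: Record, today: date) -> bool:
    """True once the record is past every applicable retention requirement."""
    return today >= add_years(record.last_activity, retention_years(record.state))


def retention_report(records: list, today: date) -> dict:
    """Blast-radius view: records held, records past retention, unused fields."""
    expired = [r.record_id for r in records if is_expired(r, today)]
    captured = set().union(*(r.fields for r in records)) if records else set()
    return {
        "records_held": len(records),
        "records_past_retention": len(expired),
        "exposure_after_purge": len(records) - len(expired),
        "unused_fields": sorted(captured - NEEDED_FIELDS),
        "expired_ids": expired,
    }


# Constructed sample inventory (no real patient data).
SAMPLE = [
    Record("r1", "AA", date(2015, 3, 1), frozenset({"name", "dob", "diagnosis_codes", "ssn"})),
    Record("r2", "XX", date(2015, 3, 1), frozenset({"name", "dob", "insurance_id"})),
    Record("r3", "AA", date(2022, 6, 15), frozenset({"name", "dob", "mothers_maiden_name"})),
]
```

Run against a real inventory, `exposure_after_purge` is the record count an attacker could reach if retention were enforced today, and `unused_fields` is the list of intake fields that add risk without serving any clinical or billing purpose.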
What this signals about the next 12 months
Regulatory pressure on data minimization is increasing. The HHS HIPAA Security Rule update process has reopened questions about access controls and data governance that go beyond encryption and authentication. FTC enforcement actions against non-HIPAA-covered health data businesses have repeatedly cited retention and centralization practices as core violations. The argument De Felice is making analytically is one that regulators are beginning to encode in rules.
Independent practices that treat data governance as a documentation exercise — a policy on paper rather than a setting in a system — are taking on risk that threat actor attribution will never address. The breach may come from a sophisticated ransomware group or from a single phishing email. Either way, the records that leave the organization were there because someone decided to keep them.