A commentary published on SuspectFile by researcher Marco A. De Felice challenges the conventional framing of cybersecurity incidents, arguing that the field spends disproportionate attention on identifying who carried out an attack and not enough on why so much sensitive data was available to steal in the first place. The piece has direct relevance for healthcare organizations, where the volume of retained patient data routinely determines the severity of a breach notification obligation.

The structural problem De Felice identifies

De Felice describes what he calls a structural fragility built into how organizations handle data before any attacker arrives: entities collect large volumes of sensitive records, centralize them for operational convenience, and retain them far beyond what any current business need requires. When an intrusion occurs, that accumulated inventory becomes the exposure.

For independent healthcare practices, this dynamic is familiar. HIPAA's minimum necessary standard and data retention guidelines exist precisely to limit how much protected health information sits in accessible systems at any given time, yet real-world implementations often drift toward keeping everything indefinitely because deletion workflows require deliberate effort to build and maintain.

Attribution versus remediation

The commentary draws a distinction between two types of post-incident activity: investigating the attacker's identity and techniques, and examining the conditions inside the organization that made the attack consequential. Both matter, but De Felice argues the first receives far more public attention and institutional energy than the second.

This asymmetry shapes how organizations prepare. When lessons-learned exercises center on the adversary's toolset, the corrective investments tend to cluster around detection and perimeter controls. When they center on what was exposed and why it existed, the corrective investments shift toward data minimization, access scoping, and retention schedules — changes that reduce damage regardless of how a future attacker gets in.

What this signals for compliance operations

The argument maps onto obligations that already exist under the HIPAA Security Rule. Risk analysis requirements ask covered entities to assess not just threats and vulnerabilities but also the potential impact of a breach — a calculation that is directly sensitive to how much data is retained and how broadly it is accessible within internal systems.

Practices reviewing their own programs should consider several questions the De Felice piece implicitly raises:

• Data inventory completeness. Does the organization have a current map of where protected health information resides, including legacy systems, archived files, and third-party integrations?
• Retention schedule enforcement. Are documented retention periods actually enforced with deletion or de-identification, or do they exist only on paper?
• Access scope. Is access to historical patient records limited to roles with a current clinical or administrative need, or do broad permissions persist from earlier configurations?
• Centralization risk. Has consolidating data for operational efficiency created single repositories whose compromise would trigger large-scale notification obligations?

Where the analysis lands

The structural argument De Felice advances is not new to healthcare compliance practitioners, but its framing as a critique of industry-wide incident analysis is useful. Regulatory enforcement following breaches frequently surfaces the same pattern: organizations that knew data minimization and access controls were deficient but deferred remediation. The attacker's identity in those cases is, ultimately, secondary to the conditions that were already present.