A commentary by Marco A. De Felice, published on SuspectFile and flagged by DataBreaches.net, makes a pointed argument: the security industry's habit of centering incident analysis on who attacked rather than why the damage was so severe may be leaving organizations — healthcare ones in particular — perpetually exposed. The piece identifies what De Felice calls structural fragility, rooted in decades of unchecked data accumulation and centralization, as a more tractable problem than adversary attribution ever will be.
The structural problem
The central claim is that organizations collect far more sensitive data than operational need justifies, then centralize it in ways that convert a single intrusion into a mass-exposure event. For healthcare settings, this pattern is familiar: clinical workflows, billing systems, scheduling platforms, and population-health tools each accumulate records, and the data frequently flows into shared repositories where access controls may not keep pace with growth.
De Felice argues that in the aftermath of an incident, security teams ask "who did this" but rarely ask "why did we have this much data in one place." Without that second question, the same conditions that enabled one breach remain intact for the next one.
Where attribution focus falls short
Threat-actor identification has genuine value — it feeds threat intelligence programs, informs law enforcement, and can clarify whether an organization is being targeted specifically or swept up in opportunistic campaigns. The commentary does not dismiss that work.
What it challenges is proportionality. When the bulk of post-incident analysis and media coverage concentrates on actor identity, root-cause work on data minimization, retention schedules, and internal segmentation tends to get deferred. For independent practices operating with limited security staff, that deferral can persist indefinitely.
The same dynamic affects tabletop exercises and incident-response planning. Scenarios that begin with "a known ransomware group gains entry" may inadvertently encode the assumption that attacker sophistication is the primary variable, when the actual damage multiplier in most healthcare breaches is the volume and concentration of data the attacker finds on arrival.
What this signals for compliance operations
The Office for Civil Rights has long treated data minimization as a component of the HIPAA Security Rule's broader administrative-safeguard requirements, and the 2024 proposed Security Rule updates placed renewed emphasis on access controls and inventory practices. De Felice's argument aligns with that regulatory direction even if it arrives from a different angle.
For practice administrators, the practical implication is a question of audit priority. A data-flow mapping exercise that asks "what do we collect, where does it go, and how long do we keep it" addresses the structural condition De Felice describes. That work does not require resolving who the next threat actor will be.
What the next 12 months may surface
As HHS moves toward finalizing updated Security Rule requirements, organizations that have deferred data-inventory work will face increasing pressure to demonstrate they have addressed retention and minimization obligations. Enforcement trends show that breach investigations frequently expose gaps in both areas — not because attackers were unusually skilled, but because compromised environments contained years of records with no active business purpose.
The commentary's framing may be useful for compliance officers trying to make the case internally for data-hygiene investment. The argument is not that perimeter defense or threat intelligence should be abandoned, but that the conditions attackers exploit deserve at least as much analytical attention as the attackers themselves.