A commentary published on SuspectFile by Marco A. De Felice argues that the healthcare and broader security community spends disproportionate energy on identifying who carried out an attack while giving far less attention to the organizational conditions that made the attack damaging. The argument is not new, but the framing is pointed: De Felice calls this a structural fragility — a pattern in which institutions continue to accumulate large volumes of sensitive data, centralize it, and retain it far longer than operational necessity requires, leaving a concentration of risk that any successful intrusion can exploit.

The structural problem

The critique centers on a gap between how incidents are publicly discussed and how they are internally resolved. Attribution — naming a ransomware group, a nation-state actor, or a specific vulnerability — tends to dominate post-incident reporting. That focus satisfies a narrative demand and sometimes informs threat intelligence sharing, but it does not address why a single intrusion can expose years of patient records across an entire health system.

De Felice points to data minimization and retention discipline as under-examined levers. Organizations that collect only what they need, segment what they hold, and enforce deletion schedules reduce the ceiling on any given breach. The problem, as the analysis describes it, is that those practices are treated as compliance checkboxes rather than as continuous operational controls with measurable outcomes.

Where incident response fits

The commentary also challenges the assumption that incident response capacity is adequate once an organization can detect and contain an intrusion. Detection and containment address the acute phase, but they do not reverse the damage done by data that was already aggregated and exposed. De Felice's framing suggests that response planning needs to work backward from data architecture — asking what would be accessible if perimeter controls failed — rather than forward from a playbook triggered after the fact.

For independent and mid-size healthcare practices, this distinction is operationally significant. Practices that have grown through acquisitions, expanded telehealth infrastructure, or migrated to centralized EHR platforms frequently carry legacy data stores that predate current retention policies. Those stores are rarely audited for what they still contain or whether continued retention serves a documented clinical or legal purpose.

What this signals for compliance operations

The practical implication of the argument is that security reviews should include a data inventory audit as a standing activity, not a one-time implementation task. Knowing what categories of protected health information exist, where they are stored, how long they have been retained, and which systems can access them is a prerequisite to any meaningful risk analysis under the HIPAA Security Rule — yet audit findings consistently show this documentation is incomplete or outdated at the time of a breach investigation.
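As an added illustration of what such a standing inventory audit can compute (this is example code written for this summary, not anything from the SuspectFile commentary or its author), the following Python script takes a constructed inventory of data stores and answers the two questions raised above: which stores hold protected health information past their documented retention limit, or with no documented purpose at all, and how many records become reachable if a given system's access controls fail. All store names, record counts, dates and system names are hypothetical.

```python
"""Retention and exposure audit over a data-store inventory.

Added example, not from the SuspectFile commentary. Every store, system
name, record count and date below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class DataStore:
    name: str
    phi_categories: list[str]        # kinds of PHI held
    record_count: int
    oldest_record: date
    retention_years: Optional[int]   # None = no documented retention limit
    purpose: Optional[str]           # None = no documented clinical/legal purpose
    accessible_from: list[str]       # systems or identities with read access


# Constructed sample inventory (hypothetical names and numbers).
INVENTORY = [
    DataStore("ehr-prod", ["demographics", "clinical notes", "billing"], 120_000,
              date(2020, 3, 1), 6, "active care",
              ["ehr-app", "billing-app", "analytics-etl"]),
    DataStore("legacy-practice-db", ["demographics", "clinical notes"], 45_000,
              date(2009, 6, 15), 6, None, ["analytics-etl", "dba-jumphost"]),
    DataStore("telehealth-recordings", ["video", "demographics"], 8_000,
              date(2021, 1, 10), 1, "quality review", ["telehealth-app"]),
    DataStore("billing-archive", ["billing"], 300_000,
              date(2012, 1, 1), 15, "tax/legal hold", ["billing-app"]),
    DataStore("etl-scratch", ["demographics", "clinical notes", "billing"], 90_000,
              date(2022, 5, 1), None, None, ["analytics-etl"]),
]


def retention_findings(inventory, as_of):
    """Return (store name, [reasons]) for every store that violates retention
    discipline: data older than its documented limit, no limit at all, or no
    documented purpose for continued retention."""
    findings = []
    for s in inventory:
        reasons = []
        if s.retention_years is None:
            reasons.append("no documented retention limit")
        else:
            age_years = (as_of - s.oldest_record).days / 365.25
            if age_years > s.retention_years:
                reasons.append(
                    f"oldest record {age_years:.1f}y exceeds {s.retention_years}y limit")
        if s.purpose is None:
            reasons.append("no documented purpose")
        if reasons:
            findings.append((s.name, reasons))
    return findings


def exposure_if_compromised(inventory, system):
    """Working backward from the data architecture: how many records, and
    which PHI categories, become reachable if `system` is fully compromised."""
    reachable = [s for s in inventory if system in s.accessible_from]
    records = sum(s.record_count for s in reachable)
    categories = sorted({c for s in reachable for c in s.phi_categories})
    return records, categories


def exposure_ranking(inventory):
    """Rank every system by the record count it can reach, highest first,
    so the review starts with the largest concentration of risk."""
    systems = {sys for s in inventory for sys in s.accessible_from}
    return sorted(((exposure_if_compromised(inventory, sys)[0], sys)
                   for sys in systems), reverse=True)


if __name__ == "__main__":
    today = date(2025, 1, 1)  # constructed audit date
    for name, reasons in retention_findings(INVENTORY, today):
        print(f"{name}: {'; '.join(reasons)}")
    for records, system in exposure_ranking(INVENTORY):
        print(f"{system}: {records} records reachable")
```

Run as a standing job, the retention findings are the list of stores whose continued existence needs a documented justification or a deletion ticket, and the exposure ranking shows which single system failure would expose the most records, which is the number that attribution of the eventual intruder never changes.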

The commentary does not offer a ranked remediation list, and it makes no claims about specific breach events. Its value is diagnostic: it identifies a pattern in which the security conversation defaults to adversary behavior while the conditions that determine breach severity — data volume, centralization, and retention — receive attention only after regulators or litigants demand it. Practices that treat data minimization as an active discipline rather than a periodic exercise are, by this analysis, reducing their exposure in a way that threat-actor attribution cannot.