A commentary published on SuspectFile by analyst Marco A. De Felice argues that the cybersecurity field directs disproportionate attention toward identifying who carries out attacks while giving far less scrutiny to why so many attacks succeed. The piece describes what De Felice calls a structural fragility — a pattern in which organizations accumulate large volumes of sensitive data, concentrate it in centralized repositories, and hold it far longer than operational need requires, creating conditions that make any eventual compromise far more damaging than it would otherwise be.
The structural problem
The argument is not that threat-actor attribution is useless. It is that attribution dominates post-incident analysis at the expense of harder, slower questions about why so much data was available to be taken in the first place.
For healthcare organizations, the critique lands with particular force. Clinical workflows generate dense records across decades of patient contact. Regulatory retention requirements set floors, not ceilings, yet many practices treat those minimums as implicit guidance to retain everything indefinitely. The result is that a single compromised credential or unpatched system can expose records far beyond what any immediate treatment relationship would justify.
Centralization compounds the exposure. Consolidating data across departments, facilities, or partner systems into unified platforms improves workflow efficiency but also concentrates risk. When the consolidated store is breached, the blast radius extends across every data source that fed it.
What incident response misses
De Felice's broader point is that incident response, as commonly practiced, answers forensic questions — how the attacker got in, what tools they used, which vulnerability they exploited — without systematically asking what data governance decisions made the outcome this severe.
That gap matters operationally. A practice can patch the exploited vulnerability, revoke the compromised credentials, and notify affected individuals, and still carry forward the same structural conditions that made the breach significant: the same data volumes, the same retention schedules, the same centralized architecture. The next incident, whether from the same threat actor or a different one, inherits the same risk profile.
Incident response plans that include a data-minimization review as a standard post-incident step — not just a technical remediation checklist — address this gap directly.
Where this lands for independent practices
Independent practices rarely have dedicated data governance staff, which makes the structural critique more urgent, not less. Without explicit policies, data tends to accumulate by default. Forms are scanned and stored. Old EHR exports sit on shared drives. Lab interfaces write to databases that no one audits for retention compliance.
Three areas warrant regular review:
- Retention schedules matched to regulatory minimums. Confirm that records are not being held beyond applicable state and federal requirements purely out of administrative inertia.
- Centralization decisions with documented rationale. Any consolidation of patient data across systems should carry an explicit record of why centralization was chosen and what access controls govern the unified store.
- Post-incident data review. When a security incident occurs, the review should include an assessment of whether the volume and concentration of exposed data reflected genuine operational necessity.
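The three review areas above can be made concrete with a small inventory model. The following is an added example, not code from the commentary or from SuspectFile: it takes a constructed inventory of patient-record stores, counts records held beyond an assumed retention floor (the seven-year value is a placeholder, not a statement of any actual state or federal requirement), and reports how many records a breach of either a single store or the unified platform would expose, which is the "blast radius" the centralization critique refers to.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory (hypothetical, not from the article). Each store
# holds patient records; 'last_contacts' is the most recent clinical activity
# for each record. 'feeds_central' marks stores replicated into the unified platform.
@dataclass(frozen=True)
class DataStore:
    name: str
    feeds_central: bool
    last_contacts: tuple[date, ...]

INVENTORY = (
    DataStore("ehr_primary", True,
              (date(2025, 3, 1), date(2024, 11, 5), date(2012, 6, 30), date(2009, 1, 15))),
    DataStore("lab_interface_db", True,
              (date(2025, 1, 20), date(2010, 4, 2), date(2008, 8, 8))),
    DataStore("old_ehr_export_share", False,
              (date(2007, 2, 1), date(2006, 9, 9), date(2005, 5, 5))),
)

def years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)

def over_retained(store: DataStore, retention_years: int, today: date) -> int:
    """Records whose last clinical contact predates the retention floor.
    retention_years is a placeholder; substitute the applicable legal period."""
    cutoff = years_before(today, retention_years)
    return sum(1 for d in store.last_contacts if d < cutoff)

def exposure(inventory, compromised: str, retention_years: int, today: date) -> dict:
    """Records exposed if `compromised` is breached. The name "central" stands for
    the unified platform, whose breach exposes every store that feeds it."""
    if compromised == "central":
        hit = [s for s in inventory if s.feeds_central]
    else:
        hit = [s for s in inventory if s.name == compromised]
    return {
        "stores": [s.name for s in hit],
        "records": sum(len(s.last_contacts) for s in hit),
        # Records that would not have been there to lose under the retention floor.
        "over_retained": sum(over_retained(s, retention_years, today) for s in hit),
    }

if __name__ == "__main__":
    for target in ("ehr_primary", "old_ehr_export_share", "central"):
        print(target, exposure(INVENTORY, target, 7, date(2025, 6, 1)))
```

The `over_retained` figure in each report is the portion of the exposure that retention discipline alone would have removed, which is the number a post-incident data review should be asking for.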
What this signals about the next 12 months
Regulatory attention is moving in the same direction the commentary describes. Proposed updates to the HIPAA Security Rule have renewed focus on data inventory and asset management requirements that implicitly address over-retention. The FTC has also signaled interest in data minimization as a standalone enforcement consideration, separate from breach notification.
Organizations that treat data minimization as a compliance checkbox rather than an ongoing operational discipline will find the gap between their practices and regulatory expectations widening. The more consequential shift, though, is internal: treating the volume and concentration of retained data as a risk factor to be managed actively, not a background condition to be accepted.