A commentary published on SuspectFile by Marco A. De Felice argues that the cybersecurity field — and healthcare in particular — spends a disproportionate amount of energy identifying who carried out an attack rather than examining why the attack caused so much harm. The piece points to what De Felice calls structural fragility: the accumulated effect of decisions to collect, centralize, and hold on to sensitive data far beyond operational necessity. That pattern, he contends, is a precondition for catastrophic breach outcomes, regardless of which adversary pulls the trigger.

The structural problem

De Felice's core argument is that attribution-heavy incident analysis treats each breach as a discrete event caused by an external actor, when the more durable problem is organizational. Sensitive data that should not exist, or should not be centralized, keeps surfacing in breach disclosures. The attacker changes; the volume of exposed records does not.

For healthcare, this framing carries specific weight. Protected health information accumulates across EHR systems, billing platforms, lab interfaces, and legacy archives. Many of those records serve no active clinical or administrative purpose but remain accessible because no one has built — or enforced — a retention policy capable of removing them.

What this means for data minimization discipline

The commentary implicitly reframes data minimization not as a compliance checkbox but as a direct control on breach magnitude. An organization that retains ten years of patient records with no legal hold obligation has a materially larger exposure surface than one that enforces defined retention windows and purges accordingly.

That distinction matters when incidents do occur. Breach notification obligations, litigation exposure, and patient harm all scale with record count and data sensitivity. Reducing what is held, and limiting where it is centralized, reduces the ceiling on worst-case outcomes — independent of whether the next attack is blocked at the perimeter.
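The retention-and-exposure argument above is easiest to see with a concrete inventory. The following is an added example, not code from the commentary or from SuspectFile: it triages a constructed record inventory against hypothetical per-class retention windows, exempts records under legal hold, and reports how much of the exposure surface a purge would remove. The retention years, system names, and sample records are all assumptions chosen for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Hypothetical retention windows in years, keyed by record class.
# These are illustrative assumptions, not regulatory figures.
RETENTION_YEARS = {"clinical": 7, "billing": 6, "lab": 5}


@dataclass(frozen=True)
class Record:
    record_id: str
    system: str          # where the record is held, e.g. "ehr", "legacy-archive"
    record_class: str    # key into RETENTION_YEARS
    last_activity: date  # last clinical or administrative use
    legal_hold: bool = False  # a hold overrides the retention window


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 Feb to 28 Feb in non-leap target years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_deadline(rec: Record, policy=RETENTION_YEARS) -> date:
    """Date after which the record has no retention-based reason to exist."""
    return add_years(rec.last_activity, policy[rec.record_class])


def triage(records, today: date, policy=RETENTION_YEARS) -> dict:
    """Split an inventory into purge candidates, held records, and in-window records."""
    buckets = {"purge": [], "hold": [], "retain": []}
    for rec in records:
        expired = retention_deadline(rec, policy) < today
        if expired and rec.legal_hold:
            buckets["hold"].append(rec)      # past window but must be kept
        elif expired:
            buckets["purge"].append(rec)     # past window, no hold: remove
        else:
            buckets["retain"].append(rec)    # still within its retention window
    return buckets


def exposure_by_system(records) -> Counter:
    """Record count per system: a rough view of where exposure concentrates."""
    return Counter(rec.system for rec in records)


def exposure_reduction(records, today: date, policy=RETENTION_YEARS):
    """Return (records before purge, records after purge, percent reduction)."""
    buckets = triage(records, today, policy)
    before = len(records)
    after = len(buckets["retain"]) + len(buckets["hold"])
    pct = round(100.0 * (before - after) / before, 1) if before else 0.0
    return before, after, pct


# Constructed sample inventory; identifiers and dates are invented.
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    Record("R1", "ehr", "clinical", date(2012, 3, 10)),
    Record("R2", "ehr", "clinical", date(2020, 1, 15)),
    Record("R3", "billing", "billing", date(2015, 5, 1)),
    Record("R4", "billing", "billing", date(2016, 8, 20), legal_hold=True),
    Record("R5", "lab-archive", "lab", date(2017, 2, 28)),
    Record("R6", "lab-archive", "lab", date(2021, 11, 30)),
    Record("R7", "legacy-archive", "clinical", date(2009, 7, 4)),
    Record("R8", "legacy-archive", "clinical", date(2018, 6, 1)),
]

if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY, TODAY)
    for bucket, recs in result.items():
        print(f"{bucket:7s} {[r.record_id for r in recs]}")
    print("exposure before purge:", dict(exposure_by_system(SAMPLE_INVENTORY)))
    print("exposure after purge: ",
          dict(exposure_by_system(result["retain"] + result["hold"])))
    print("before/after/%reduction:", exposure_reduction(SAMPLE_INVENTORY, TODAY))
```

The point of the per-system counter is the second half of the argument: the same inventory can be concentrated in one archive or spread across several, and a purge report that only gives a total hides that. Treating the output as an audit artifact (what was eligible, what was held, what was actually removed) is what turns retention from a written policy into an enforced one.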

Incident response as a separate failure mode

De Felice also draws attention to incident response quality as a variable that receives less scrutiny than it should. Detection latency, incomplete containment, and slow notification pipelines compound initial exposure. The piece suggests these failures are often treated as execution problems specific to one incident rather than symptoms of a practice that has not been tested or resourced adequately.

Independent practices are particularly exposed here. Without dedicated security operations capability, tabletop exercises, or tested communication trees, response to a ransomware or unauthorized-access event frequently stalls — extending the window during which data is accessible and delaying the 60-day breach notification clock that OCR enforces under the HIPAA Breach Notification Rule.

Where this lands for compliance operations

The argument De Felice advances does not diminish the importance of preventive controls — patching, access management, multi-factor authentication, network segmentation. It challenges the assumption that identifying the attacker explains the outcome. Two organizations with identical perimeter controls can produce radically different breach outcomes depending on how much data each held, how centralized it was, and how quickly each contained the event.

For practice administrators and compliance officers, the practical read is straightforward: threat intelligence and vulnerability management address one dimension of risk, but data inventory, retention enforcement, and incident response readiness address a different dimension — one that determines impact after a control fails. Treating those two dimensions as separate workstreams, each with defined ownership and tested procedures, reflects the approach De Felice's analysis points toward.