A commentary published by analyst Marco A. De Felice on SuspectFile argues that the cybersecurity field — and the healthcare sector in particular — spends disproportionate energy identifying threat actors while giving too little attention to the organizational conditions that make each incident so damaging. The piece, flagged by DataBreaches.net, frames excessive data collection and centralized retention as a structural fragility that exists before any attacker arrives.

The structural problem

De Felice's central argument is that attribution — determining who attacked and how they got in — has become the dominant frame for incident analysis, often crowding out harder questions about why so much sensitive data was available to compromise in the first place. The observation applies with particular force to healthcare, where clinical workflows, billing systems, and administrative records converge into dense repositories of demographic, financial, and clinical information retained for years beyond their active use.

The implication is that patching a single exploited vulnerability, or even removing a threat actor from a network, does not address the underlying condition: that organizations have accumulated more sensitive data than any reasonable retention policy would justify, stored in configurations that make lateral movement through it relatively easy once a perimeter is breached.

What this means for incident response practice

The analysis draws a distinction between incident response as practiced — largely reactive, focused on containment and recovery — and incident response as it could be practiced, with a prevention-oriented look at what data existed, why it was retained, and whether centralization served a documented operational purpose. For independent practices and mid-size health systems, that distinction has practical weight. Forensic investigations routinely surface patient records, billing data, and credential stores that staff had forgotten existed, held in legacy systems or shared drives that were never formally decommissioned.

De Felice's framing suggests that every post-incident review should include a data inventory audit — not just a vulnerability scan — as a standard deliverable, and that findings should feed directly into retention schedules and access segmentation decisions rather than being filed as a compliance artifact.
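The data inventory audit described above is a concrete procedure, so here is an added example of what the first pass of one can look like in code. It is not from De Felice's commentary or from any healthcare organization; it walks a directory tree (a share, a legacy export, a mounted forensic image), flags files whose contents match simple PHI and credential indicators, and marks those older than a retention window as disposal candidates, so the output feeds retention and access-segmentation decisions rather than a report that is filed and forgotten. The indicator patterns, the seven-year retention window, and the sample "forgotten share" it builds are all constructed assumptions, not a HIPAA standard or any real record format.

```python
"""Minimal data-inventory sweep for a post-incident review.

Walks a directory tree, flags files whose content matches simple
PHI/credential indicators, and marks those older than the retention
window as candidates for disposal or access restriction.
Indicator patterns, retention window and sample data are illustrative
assumptions for this example, not a regulatory standard.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# Assumed indicators; a real sweep would use the organization's own
# record formats (MRN layout, claim forms, interface configs).
INDICATORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[:#]?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
    "credential": re.compile(r"\b(password|passwd|pwd)\s*[:=]\s*\S+", re.IGNORECASE),
}

# Assumed window (about seven years). Actual periods come from state law
# and the organization's retention schedule, not from HIPAA itself.
DEFAULT_RETENTION_DAYS = 2555


@dataclass
class Finding:
    path: str            # path relative to the scanned root
    indicators: tuple    # which indicator names matched
    age_days: int        # days since last modification
    action: str          # recommended follow-up for the review


def classify(text):
    """Return the names of all indicators that match the file contents."""
    return tuple(name for name, rx in INDICATORS.items() if rx.search(text))


def decide(indicators, age_days, retention_days):
    """Map classification and age to a review action."""
    if not indicators:
        return "none"
    if "credential" in indicators:
        return "rotate-and-remove"      # secrets never belong on a share
    if age_days > retention_days:
        return "dispose-or-archive"     # past the retention window
    return "restrict-access"            # in-window PHI: scope who can read it


def inventory(root, retention_days=DEFAULT_RETENTION_DAYS, now=None):
    """Scan every regular file under root and return findings with indicators."""
    now = time.time() if now is None else now
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        try:
            text = p.read_text(errors="ignore")
        except OSError:
            continue                    # unreadable file: skip, do not crash the sweep
        hits = classify(text)
        if not hits:
            continue
        age_days = int(round((now - p.stat().st_mtime) / 86400))
        findings.append(Finding(p.relative_to(root).as_posix(), hits, age_days,
                                decide(hits, age_days, retention_days)))
    return findings


def summarize(findings):
    """Count findings per action so the review can size the cleanup work."""
    counts = {}
    for f in findings:
        counts[f.action] = counts.get(f.action, 0) + 1
    return counts


def build_sample_share(root, now):
    """Write a constructed 'forgotten share' under root with back-dated mtimes."""
    root = Path(root)
    samples = {  # relative path: (constructed contents, age in days)
        "billing/2012_claims_export.csv":
            ("patient,MRN,dob,ssn\nJ Doe,MRN 0012345,DOB 01/02/1970,123-45-6789\n", 10 * 365),
        "clinic/intake_recent.txt": ("MRN: 0099887 DOB: 03/04/1985\n", 30),
        "it/old_interface_config.ini": ("[hl7]\nuser=iface\npassword=Sup3rS3cret\n", 6 * 365),
        "it/readme.txt": ("Nothing sensitive here.\n", 5 * 365),
    }
    for rel, (content, age_days) in samples.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
        mtime = now - age_days * 86400
        os.utime(path, (mtime, mtime))
    return root


def demo(now=1_700_000_000):
    """Build the constructed share in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory(build_sample_share(tmp, now), now=now)


if __name__ == "__main__":
    found = demo()
    for f in found:
        print(f"{f.action:20} {f.age_days:5}d  {','.join(f.indicators):16} {f.path}")
    print(summarize(found))
```

The point of the `action` column is that each finding lands in one of three queues a review can actually dispatch: records past the window go to the retention schedule, in-window records go to access scoping, and stored credentials go to rotation. Pattern matching of this kind produces false positives and misses, so in practice the sweep is a triage step that points reviewers at shares and systems nobody remembered, not a classifier of record.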

Where this lands for compliance officers

The argument aligns with long-standing HIPAA obligations that many covered entities treat as paper requirements rather than operational disciplines. The Privacy Rule's minimum-necessary standard requires that uses of, and access to, protected health information be limited to what a given function needs, and the Security Rule's access-control and information-access-management requirements oblige covered entities to enforce that limit technically. Neither rule sets a retention period for clinical records themselves: HIPAA's six-year retention requirement applies to policies, procedures, and compliance documentation, while retention periods for the records come from state law and other regulations. Both obligations are difficult to satisfy when data is centralized without a documented purpose, because access cannot be scoped to a function nobody has defined, and records with no identified owner are never scheduled for disposal.

A few practical implications follow from the analysis:

What this signals about the next 12 months

Regulatory attention to data minimization is increasing. The FTC has cited unnecessary data retention in enforcement actions outside healthcare, and HHS Office for Civil Rights has repeatedly noted in settlement agreements that covered entities retained records beyond applicable state law requirements with no documented justification. If that enforcement pattern continues, the cost of treating retention as a low-priority housekeeping matter will rise. De Felice's piece arrives at a moment when the argument for treating data minimization as a first-order security discipline — rather than a compliance checkbox — is gaining traction across the field.