A commentary published by researcher Marco A. De Felice on SuspectFile argues that the security community's emphasis on attributing cyberattacks to specific threat actors has displaced the harder, more consequential conversation: why so much sensitive data exists in centralized repositories, largely unprotected, long after any legitimate operational need has passed. The argument is not new, but the timing carries weight as healthcare organizations face both an accelerating breach rate and a regulatory environment that increasingly scrutinizes data minimization failures.
The structural problem
De Felice describes what he terms a structural fragility — the condition created when organizations accumulate sensitive data at scale, centralize it for convenience, and retain it indefinitely without formal governance. In healthcare, that description maps directly onto a widely recognized but inconsistently addressed compliance gap.
HIPAA's minimum necessary standard and its data retention provisions have formal regulatory standing, yet enforcement actions involving excessive retention or unnecessary centralization remain relatively rare compared with breach notification penalties. That asymmetry may itself signal a misplaced emphasis: the industry measures outcomes (breach notifications, enforcement settlements) more than it measures the conditions that produce those outcomes (what data is held, where, and for how long).
The practical consequence is that when a ransomware group or opportunistic attacker does gain access, the blast radius reflects years of accumulation rather than just the intrusion event itself.
Where incident response falls short
The commentary also examines incident response as a discipline that frequently addresses the technical vector of an attack without examining the organizational decisions that determined how much damage was possible. Identifying the exploit used, patching the affected system, and issuing breach notifications are the visible, measurable outputs of a response. Reviewing data inventory policies, reclassifying retention schedules, or decommissioning legacy repositories that held the compromised data rarely appear in post-incident reports.
For independent and mid-size practices, this gap tends to be more pronounced. Smaller organizations often inherit data structures built around operational convenience rather than data governance principles, and formal retention schedules may never have been established. An EHR migration, a billing platform change, or an acquired practice's records can leave data in systems that staff no longer actively monitor but that remain network-accessible.
What this signals about the next 12 months
Regulatory direction from HHS and ONC has moved steadily toward requiring documented data governance controls, not just breach response procedures. The proposed updates to the HIPAA Security Rule published earlier this year included provisions targeting asset inventory and data classification — requirements that speak directly to the structural conditions De Felice describes.
Practices that treat those requirements as documentation exercises rather than operational changes are likely to find themselves exposed on two fronts: to regulators examining whether controls were substantive, and to the breach economics that follow when years of retained data are compromised in a single event.
The analytic point at the center of De Felice's commentary — that knowing who attacked matters far less than understanding what made the attack so damaging — is one that compliance officers in independent practices can apply immediately, without waiting for a regulatory deadline. Auditing what data is retained, where it lives, and whether retention serves a current legal or clinical purpose is not a response to a threat; it is the reduction of one.
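The audit the commentary calls for (what is retained, where it lives, and whether retention still serves a current legal or clinical purpose) can be started as a small inventory check rather than a paper exercise. The following script is an added example, not code from SuspectFile or from De Felice: it runs a retention schedule and a set of governance questions over a constructed repository inventory of the kind a mid-size practice might assemble after an EHR migration or an acquisition. The system names, dates, record counts and retention periods are all constructed placeholders; real retention periods come from the organization's legal and clinical requirements, not from this script.

```python
"""Retention and governance audit over a constructed data inventory.

Added example (not from the SuspectFile commentary). Given a list of
repositories and a retention schedule, it reports records held past their
retention period, repositories with no documented current purpose, and
repositories that are still network-reachable but no longer monitored.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical retention schedule: data class -> days of retention after the
# record's governing date. Constructed values; replace with the schedule the
# organization's counsel and clinical leadership actually approved.
RETENTION_DAYS = {
    "billing": 7 * 365,
    "clinical": 10 * 365,
    "marketing": 2 * 365,
}


@dataclass(frozen=True)
class Repository:
    name: str                 # constructed system name
    data_class: str           # key into RETENTION_DAYS
    oldest_record: date       # governing date of the oldest record still held
    record_count: int
    network_reachable: bool   # still reachable from the practice network
    monitored: bool           # someone actively reviews access to it
    documented_purpose: str   # "" when no current legal/clinical purpose is recorded


@dataclass(frozen=True)
class Finding:
    repository: str
    issue: str
    detail: str


def audit(repos, today):
    """Return one Finding per governance problem found in the inventory."""
    findings = []
    for r in repos:
        days = RETENTION_DAYS.get(r.data_class)
        if days is None:
            # Unclassified data cannot be held to any schedule: flag and move on.
            findings.append(Finding(r.name, "unclassified",
                                    f"data class {r.data_class!r} has no retention period"))
            continue
        age = (today - r.oldest_record).days
        if age > days:
            findings.append(Finding(r.name, "retention_exceeded",
                                    f"oldest record is {age - days} days past the "
                                    f"{r.data_class} retention period"))
        if not r.documented_purpose:
            findings.append(Finding(r.name, "no_current_purpose",
                                    f"{r.record_count} records held with no documented "
                                    "legal or clinical purpose"))
        if r.network_reachable and not r.monitored:
            # The post-migration / post-acquisition leftover the commentary describes.
            findings.append(Finding(r.name, "reachable_unmonitored",
                                    "network-reachable but nobody reviews access to it"))
    return findings


def issues_by_repository(findings):
    """Collapse findings to {repository name: set of issue labels}."""
    out = {}
    for f in findings:
        out.setdefault(f.repository, set()).add(f.issue)
    return out


# Constructed inventory: a legacy billing system left behind by a platform
# change, an acquired practice's EHR export, the production EHR, a stale
# newsletter list and an unclassified research share.
SAMPLE_INVENTORY = [
    Repository("billing-legacy-2014", "billing", date(2012, 1, 15), 48_000, True, False, ""),
    Repository("acquired-practice-ehr-export", "clinical", date(2020, 3, 1), 12_000, True, False, ""),
    Repository("ehr-prod", "clinical", date(2019, 5, 10), 90_000, True, True, "active patient care"),
    Repository("patient-newsletter-list", "marketing", date(2021, 1, 1), 3_000, False, False, ""),
    Repository("research-share", "research", date(2022, 8, 20), 500, True, True, "IRB study 0000 (placeholder)"),
]


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, date(2025, 6, 1)):
        print(f"{f.repository:30} {f.issue:22} {f.detail}")
```

Each finding maps to a concrete decommissioning or reclassification decision, which is the output a post-incident review, or better a pre-incident one, should produce alongside the usual patch and notification records. Running the check against the real inventory on a schedule turns the retention policy into something that is measured, which is the gap the commentary identifies between documented controls and substantive ones.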