Data Viewpoint

Data retention poses a lurking threat in healthcare

A comparative analysis of retention mandates across different global regions reveals a clear trend: Most healthcare systems store data for 7–10+ years, even as over 90% of that data goes unused for clinical care.

The result? An ever-expanding attack surface, inflated storage costs, and diminishing returns on digital investment. New privacy laws, such as the EU’s General Data Protection Regulation (GDPR) and India’s Digital Personal Data Protection (DPDP) Act, promote data minimization and purpose-bound storage. At the same time, decentralized models such as Estonia’s federated architecture and India’s Ayushman Bharat Digital Mission (ABDM) are shifting the focus of control toward patients. However, while ABDM enables long-term digital access to health records, it does not mandate deletion, creating a risk of indefinite storage unless DPDP’s data lifecycle mandates are actively enforced. Some of the key trends emerging from our comparison of data retention rules across regions include:

  • Over-retention is the norm, and it’s putting systems at risk
    Over half of the surveyed countries mandate healthcare data retention beyond a decade. France and Brazil require data to be stored for 20 years, and Estonia allows up to 30 years. While these policies may be designed to protect against legal risk, they create massive troves of outdated, sensitive data that offer little clinical value but remain highly vulnerable to breaches.
  • Legal ambiguity is fueling inertia, especially in the US and India
    The US does not have a federal retention mandate, placing the responsibility on states, which vary in duration from 6 to 11 years. In India, while paper-based systems were once recommended for just 3 years, digital transformation through ABDM has enabled long-term record accessibility. However, the newly enacted DPDP Act explicitly requires data to be deleted once its purpose is fulfilled, a mandate many providers have yet to operationalize. The result is a ‘keep everything just in case’ approach that expands breach risk without strategic benefit.
  • Data minimization is rising in law but lagging in practice
    Both GDPR and DPDP codify the principle of storing data only ‘as long as necessary.’ Yet, enforcement and implementation are inconsistent. Estonia stands out with its patient-consented, federated health data system where no central database exists, and access is limited to what’s needed and when needed. It’s a blueprint for balancing innovation and privacy that others can learn from.

The Bottom Line: Shrinking how long you store data is the smartest security you can buy.

Enterprise healthcare leaders can’t afford to defend everything forever. By aligning legal, IT, and clinical operations around risk-tiered data retention and embracing federated, purpose-bound access models, they can dramatically reduce the attack surface, improve compliance, and lower breach impact. The future isn’t just about protecting more; it’s about storing less and being smarter.
