AI in Medical Imaging Raises New Privacy Risks: What Patients Should Know
Introduction
Artificial intelligence is transforming radiology. Algorithms can now analyze CT scans, MRIs, and X-rays faster than human eyes, helping doctors detect tumors, fractures, and other abnormalities earlier. For patients, this means better diagnoses and fewer delays. But there is a trade-off that rarely makes it into the promotional materials: the same AI tools that improve care also create new ways for personal health data to be exposed, shared, or misused.
A recent report from the Radiological Society of North America (RSNA) highlights how “medical imaging AI opens a Pandora’s box of privacy-related risks.” This article walks through what that means for you and, more importantly, what you can do about it.
What Happened?
In May 2026, RSNA published a detailed analysis of the privacy vulnerabilities introduced when AI is used on medical images. The core issue is that AI systems don’t just look at a single scan and then forget it. To learn, they need large datasets—often thousands of images, sometimes millions. Those datasets may contain not only the images themselves but also metadata: patient names, dates of birth, medical record numbers, and sometimes sensitive details about the condition being scanned.
The report notes that imaging data is particularly vulnerable because a scan contains far more information than a simple blood test result. A chest X‑ray can reveal body shape, bone structure, organ size, and even indicators of rare genetic conditions. Done improperly, sharing such data for AI training could lead to re‑identification of individuals even after names are removed.
The RSNA isn’t saying this is happening everywhere, but the risks are real and growing as AI adoption accelerates. The organization is calling for clearer standards around consent, data de‑identification, and the secondary use of medical images.
Why Does This Matter for Patients?
You may assume that any medical image you have taken is protected by HIPAA (the Health Insurance Portability and Accountability Act). And for most day‑to‑day uses—your doctor looking at the scan, sharing it with a specialist, sending it to insurance—that’s true. But when a hospital or imaging center supplies that same image to an AI developer as part of a training dataset, HIPAA’s protection can become murky.
The law generally allows de‑identified data to be used without patient consent. But the definition of “de‑identified” is not as airtight as many people think. Studies have shown that faces can be reconstructed from CT scans, and that body‑metric data (like spine shape or vein patterns) can be used to identify individuals. If the data is later breached or shared with a third party that the patient never authorized, the consequences can include identity theft, insurance discrimination, and loss of privacy that cannot be undone.
There’s also the consent question. Many patients sign a generic “consent for treatment” form that technically permits the facility to use their data for research and teaching. Few forms explicitly mention AI training. And even when they do, the language is often buried in fine print. The RSNA report emphasizes that patients are rarely given a meaningful opportunity to opt out.
What Can You Do to Protect Your Privacy?
You don’t need to refuse imaging—that could harm your health. But you can take steps to stay informed and limit unnecessary data sharing.
Read the consent form before you sign. Ask the front desk or the radiology technician whether the facility shares images with any AI systems or third‑party developers. If they don’t know, ask for the privacy officer. If the form says “we may use your data for research,” ask if that includes commercial AI training. You have the right to know.
Request an opt‑out where available. Some hospitals now allow patients to decline data sharing for AI development. This is not universal, but it’s worth asking. Even if you are told no, the request creates a paper trail and signals that patients care about this issue.
Use patient portals for image access. Many facilities let you download your own images via an encrypted portal. Requesting access this way ensures that your images are not automatically routed into a training pipeline without your knowledge. Keep your own copies, and be cautious about sharing them with third‑party “second opinion” apps unless you verify their privacy policies.
Ask about de‑identification. If the facility does share images for AI development, ask what steps are taken to remove personally identifiable information (PII). “De‑identification” can mean anything from stripping obvious fields like name and date of birth to applying more rigorous techniques that also remove facial features and other biometric markers. Not all methods are equal.
File a complaint if you suspect misuse. If you discover that your images were shared without your consent and in violation of the facility’s stated policy, you can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) under HIPAA. While this won’t undo the disclosure, it can trigger enforcement actions that protect other patients.
Sources
- Radiological Society of North America (RSNA), “Medical Imaging AI Opens a Pandora’s Box of Privacy‑Related Risks,” May 2026.
- U.S. Department of Health and Human Services, HIPAA Privacy Rule, 45 CFR Parts 160 and 164.
- Additional reports on consent practices in radiology AI, presented at RSNA 2025 and 2026.
The landscape is still evolving. No single piece of advice will guarantee complete privacy, but asking questions and reading the fine print puts you far ahead of the average patient. As AI becomes more deeply integrated into healthcare, informed patients will be the ones who keep the system honest.