When You Get an MRI, Where Does Your Data Go? AI Privacy Risks in Medical Imaging

If you’ve had an X-ray, MRI, or CT scan recently, there’s a good chance that artificial intelligence helped a radiologist interpret your images. AI tools are being deployed in hospitals to speed up diagnosis, flag abnormalities, and reduce human error. But as these systems become more common, experts are raising a critical question: what happens to your medical images once AI gets a look at them?

A recent report from the Radiological Society of North America (RSNA), titled “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks,” highlights several ways patient data can be exposed when AI enters the radiology workflow. The findings are worth understanding, especially if you’re scheduled for an imaging procedure.

What Happened

The RSNA report, published in May 2026, warns that the use of AI in medical imaging introduces privacy vulnerabilities that many patients—and even some providers—may not fully appreciate. According to the report, these risks include the possibility that medical images could be re-identified even after anonymization, that data may be shared with third-party AI vendors without explicit patient consent, and that breaches of cloud-based imaging systems could expose sensitive health information.

The report draws on known gaps in current data protection practices. For example, de-identified medical images can often be matched back to individuals using metadata (e.g., scan dates, patient age, or facility location) or by comparing image features against public databases. AI training datasets, sometimes sourced from hospitals or academic centers, may also contain images that were originally collected for clinical care but later repurposed without patients’ knowledge.
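The metadata risk described above can be measured before a dataset is released. The following is an added example, not code from the RSNA report: it counts how many records share each combination of scan date, age, and facility (a k-anonymity check), then shows the effect of coarsening those fields and suppressing what is still unique. The records, field names, and facility names are constructed for illustration, and the check covers only the metadata path, not matching on image features.

```python
from collections import Counter
from datetime import date

# Constructed sample: "de-identified" scan records (no names or record numbers)
# that keep only the metadata named in the article. Field names are hypothetical.
RECORDS = [
    {"scan_date": date(2024, 3, 4),  "age": 34, "facility": "North Clinic"},
    {"scan_date": date(2024, 3, 4),  "age": 34, "facility": "North Clinic"},
    {"scan_date": date(2024, 3, 11), "age": 36, "facility": "North Clinic"},
    {"scan_date": date(2024, 3, 19), "age": 71, "facility": "North Clinic"},
    {"scan_date": date(2024, 3, 25), "age": 73, "facility": "North Clinic"},
    {"scan_date": date(2024, 5, 2),  "age": 58, "facility": "Harbor Imaging"},
]

def exact(r):
    """Quasi-identifier as released: full date, exact age, facility."""
    return (r["scan_date"], r["age"], r["facility"])

def coarse(r):
    """Generalized quasi-identifier: year and month, 10-year age band, facility."""
    d = r["scan_date"]
    return (d.year, d.month, r["age"] // 10 * 10, r["facility"])

def audit(records, key, k_min=2):
    """Return (k, at_risk): the smallest group size, and the indices of
    records whose group has fewer than k_min members."""
    sizes = Counter(key(r) for r in records)
    at_risk = [i for i, r in enumerate(records) if sizes[key(r)] < k_min]
    return min(sizes.values()), at_risk

def release(records, key, k_min=2):
    """Suppress records that remain below k_min even after generalization."""
    drop = set(audit(records, key, k_min)[1])
    return [r for i, r in enumerate(records) if i not in drop]

if __name__ == "__main__":
    print("exact      :", audit(RECORDS, exact))    # four records are unique
    print("generalized:", audit(RECORDS, coarse))   # one record is still unique
    kept = release(RECORDS, coarse)
    print("suppressed :", audit(kept, coarse), "records kept:", len(kept))
```

Coarsening alone leaves the single scan from the small facility unique, which is why the last step withholds it rather than releasing it.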

Why It Matters

Medical images are not just pictures of your bones or organs. They contain rich biometric data—your unique anatomy, implant serial numbers, facial features in head scans—that can be used to identify you. If this data is accessed by an unauthorized party, it could lead to privacy violations, discrimination by insurers or employers, or even identity theft.

The RSNA report notes that many AI tools process images in the cloud, which means data travels from the hospital to a vendor’s servers. While encryption is often used, the transfer itself creates additional points of vulnerability. And unlike a paper medical record, a digital image can be copied infinitely and shared widely without your knowledge.

There are also cases where patients are not given a meaningful choice about whether their images are used for AI training. Consent forms may be vague, or patients may be asked to sign broad research permissions without understanding the implications. A 2023 study published in the Journal of the American College of Radiology found that only about half of patients surveyed were aware that their de-identified medical data could be used for AI development without their explicit consent.

What Readers Can Do

You don’t need to become a privacy expert, but you can take a few practical steps to protect your medical imaging data:

  1. Ask your radiology department about AI. Before your scan, ask whether AI tools will be used to analyze your images, and if so, whether your data will be shared with any third-party vendors. Some hospitals are transparent about this; others may not have a clear policy. The question itself signals that you care about privacy.

  2. Read the consent form carefully. Many imaging facilities include a research consent clause. If you don’t want your images used for AI training or any secondary purpose, you can ask to opt out. Under HIPAA, you generally have the right to request restrictions on how your protected health information is used, though this right is not absolute for all secondary uses.

  3. Limit sharing to necessary purposes. If your images need to be sent to another provider (e.g., a specialist), that’s part of your care. But if you are asked to contribute to a research database or AI training set, you can say no. You are not required to participate.

  4. Ask about encryption and data retention policies. While you won’t get a technical deep dive, a simple question like “How long are my images stored, and are they encrypted?” can prompt the facility to review its practices. Some facilities may not have a ready answer, but your question can encourage them to look into it.

  5. Stay informed about your rights. HIPAA gives you rights to access your medical records, request corrections, and receive an accounting of disclosures. If you suspect your data was used without authorization, you can file a complaint with the U.S. Department of Health and Human Services. In the EU, GDPR provides additional protections, including the right to know if your data is being used for automated decision-making.

The Future Outlook

The RSNA report is part of a broader conversation among radiologists, data scientists, and privacy advocates about how to balance AI’s benefits with patient rights. Some institutions are adopting “privacy-by-design” approaches, such as training AI models on synthetic data or running algorithms on-site rather than in the cloud. New regulations may also emerge: the California Consumer Privacy Act (CCPA) and similar state laws are beginning to address health data beyond traditional medical records.

For now, the burden often falls on patients to ask questions. The technology isn’t going away, and it can genuinely improve diagnostic accuracy. But as with any tool that handles sensitive data, the default should not be blind trust.

Sources

  • Radiological Society of North America, “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks,” May 2026.
  • Lin, Y. et al., “Patient Awareness and Attitudes Toward Use of Medical Data for AI Training,” Journal of the American College of Radiology, 2023.
  • U.S. Department of Health and Human Services, “Your Rights Under HIPAA,” hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers.
  • California Consumer Privacy Act (CCPA), effective 2020, with amendments for health data.