How AI in Medical Imaging Could Expose Your Private Health Data (And What to Know)

Medical imaging has quietly become one of the most promising fields for artificial intelligence. Algorithms can now help radiologists spot tumors, measure organ sizes, and flag abnormalities faster than ever. But a recent report from the Radiological Society of North America (RSNA) warns that these same tools also introduce serious privacy risks—some of which patients and providers are only beginning to understand.

What happened

In May 2026, RSNA published a report stating that AI in medical imaging “opens a Pandora’s box of privacy-related risks.” The report follows a 2025 special issue on large language model (LLM) cybersecurity threats in radiology, and a 2026 study demonstrating that deepfake X‑rays can fool both human radiologists and AI detection systems. Together, these findings paint a picture of an industry racing to adopt AI without fully securing the data it relies on.

Why it matters

Your medical images are more than just pictures. They contain metadata—patient names, dates, hospital IDs, sometimes even geolocation—that can be linked back to you. When AI systems are trained or run on this data, that information may be stored on cloud servers, shared with third‑party vendors, or exposed through vulnerabilities in software.

The risks are not theoretical. In the RSNA deepfake study, researchers created synthetic X‑rays that appeared indistinguishable from real ones. These fakes could be used to manipulate insurance claims, fabricate injury evidence, or even alter a patient’s medical record. Separately, the LLM cybersecurity report highlighted how chatbots integrated into radiology workflows could inadvertently leak patient information if not carefully configured—for example, by storing conversations in insecure logs or training on that data.

Beyond deliberate attacks, there are also everyday risks: a hospital’s AI vendor might anonymise images poorly, allowing re‑identification; a data breach at a cloud provider could expose years of imaging studies; or an AI model trained on your scan might later be shared with a research institution without your explicit consent.

What readers can do

You can’t eliminate all risk, but you can take steps to reduce it. Here are practical measures for patients and healthcare consumers:

  • Ask your provider about data handling. Before an imaging exam, request information on where your images will be stored, whether an AI tool will be used, and how the data is protected. Some hospitals publish privacy notices; others will provide answers if you call the radiology department.

  • Inquire about anonymisation. Ask whether your images will be stripped of personal identifiers before being used for AI training or quality improvement. Note that anonymisation is not absolute (re‑identification remains possible), but it reduces the chance of a casual leak.

  • Check for encryption and access controls. Your provider should use end‑to‑end encryption for image transmission and strict role‑based access. These are standard in most accredited facilities, but it’s worth confirming.

  • Review consent forms carefully. If you are asked to sign a consent form for research or AI development, read what it says about data sharing and retention. If the language is vague, ask for clarification or decline.

  • Consider where you receive care. Larger academic medical centers often have more rigorous cybersecurity programs than small clinics. This does not mean small clinics are unsafe, but you may want to ask about their policies directly.

  • Stay informed about breaches. Sign up for notifications from your provider or check the U.S. Department of Health and Human Services breach portal periodically. If you discover a breach involving your data, you have rights under HIPAA to request an explanation and corrective action.

Regulatory landscape

Federal and state regulators are paying attention. In the U.S., the Food and Drug Administration now requires that AI‑based medical devices include cybersecurity risk management plans. The Office for Civil Rights is also updating HIPAA rules to address emerging threats like deepfakes and LLM vulnerabilities. However, enforcement remains uneven, and many of these rules take years to fully implement. For now, individual vigilance is still the best line of defense.

Sources

  • Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks, RSNA, May 20, 2026.
  • Deepfake X‑Rays Fool Radiologists and AI, RSNA, March 24, 2026.
  • Special Report Highlights LLM Cybersecurity Threats in Radiology, RSNA, May 14, 2025.

These documents are publicly available on the RSNA website and provide detailed references for the claims above. The risks are real, but they are also manageable with informed awareness and cautious practices.