How AI in Medical Imaging Could Expose Your Private Health Data

You might not think twice about the privacy of your CT scan or MRI. After all, medical images are stored securely in hospital systems, and you’ve signed HIPAA forms. But a new report from the Radiological Society of North America (RSNA) points to a growing risk that many patients aren’t aware of: the artificial intelligence tools used to analyze those scans can inadvertently leak personal information.

The problem isn’t just hypothetical. As hospitals and imaging centers rush to adopt AI for faster readings and better diagnoses, the privacy safeguards haven’t kept pace. Here’s what’s happening and how you can protect yourself.

What Happened

On May 20, 2026, the RSNA published a detailed analysis of privacy risks associated with AI in medical imaging. The core issue is that AI models are trained on vast datasets of scans. Even when those datasets are “de-identified” — meaning direct identifiers like names and Social Security numbers are stripped — the images themselves can still contain enough unique features to allow re-identification.

For example, facial features visible in head CTs or MRIs can be reconstructed. Bone structure, dental patterns, and even tattoos captured in scans can be matched to individuals using publicly available data or other medical records. The RSNA report notes that as AI models become more sophisticated, the risk of such re-identification grows. An attacker with access to the model’s outputs or training data could potentially infer a patient’s identity, medical conditions, or even genetic predispositions.

No specific data breach was cited in the report. Instead, the RSNA warns that the potential for harm is real and that current practices are insufficient.

Why It Matters

Medical imaging AI isn’t just a future technology — it’s already in use. According to industry estimates, hundreds of FDA-cleared AI algorithms are deployed in radiology departments across the United States. These tools analyze scans, flag abnormalities, and sometimes help prioritize urgent cases. But the data they use doesn’t disappear after the analysis is done. Images may be stored in cloud databases, shared with third-party vendors, or used to retrain models — often with patient consent that is vague or buried in fine print.

The consequences of a leak go beyond embarrassment. Health data is among the most sensitive personal information. It can be used for discrimination (by employers or insurers), targeted scams, or even blackmail. And because medical images are permanent records, a breach today could haunt a patient for decades.

The healthcare industry is not exactly known for strong cybersecurity. Hospitals have been frequent targets of ransomware attacks, many of which have exposed patient records. AI tools add a new vector: the models themselves can become attack surfaces.

What You Can Do

There is no perfect solution yet, but you can take steps to reduce your risk.

  • Ask your provider about AI use. Before any imaging exam, ask if AI will be used to assist in reading the results. Some facilities may have a policy of informing patients; if yours does not, raise the question yourself. You have a right to know how your data will be handled.

  • Inquire about data sharing with third parties. If an AI vendor is involved, ask whether your images will be sent to an external server for analysis or model training. Request that your data stay within the hospital network if possible.

  • Look for opt-out options. The RSNA report suggests that some institutions may allow you to opt out of having your images used for AI training. This option may not always be advertised. It’s worth asking your radiology department.

  • Review the consent forms you sign. Many imaging consent forms include language about data use for “quality improvement” or “research.” If you’re uncomfortable, ask for clarification or mark your objection in writing.

  • Stay informed about breaches. Sign up for breach notifications from your healthcare provider. If you learn that your imaging data was exposed, you may be entitled to credit monitoring or other remedies.

Regulatory Gaps

The RSNA report also points to weak oversight. While HIPAA covers identifiable health data, it doesn’t fully address the re-identification risks from images themselves. The FDA regulates AI as a medical device, but its focus is on safety and effectiveness, not data privacy. There is no federal law specifically governing the use of medical imaging for AI training.

Several privacy advocates have called for stronger rules. Some suggest that patients should be explicitly asked for consent before their scans are used to develop commercial AI tools. Others want stricter anonymization standards that go beyond stripping names and dates. The report notes that the current landscape is “a patchwork of voluntary guidelines and outdated regulations.”

Sources

  • Radiological Society of North America (RSNA). “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks.” Published May 20, 2026.
  • RSNA. “Imaging Meets the Forensic Files.” December 18, 2025. (Consulted for additional context on how forensic techniques can be used for re-identification.)

No specific data breach was cited. The discussion is based on the potential risks identified by the RSNA report.