How AI in Medical Imaging Could Put Your Privacy at Risk — and What You Can Do
Artificial intelligence is increasingly used to analyze X-rays, MRIs, and CT scans. It can spot tumors, fractures, or subtle abnormalities faster than a human radiologist, and in many hospitals these tools are already part of routine care. But a new report from the Radiological Society of North America (RSNA) warns that the same technology creates novel privacy risks for patients — risks that existing laws like HIPAA were never designed to handle.
What Happened
The RSNA report, presented at its annual meeting, outlines several ways that AI applied to medical images can compromise patient privacy. Because modern AI models are often trained on vast datasets of scans, and because those scans frequently contain much more than just the medical finding, the potential for misuse has grown.
Key risks highlighted include:
- Re-identification from de-identified images. AI can reconstruct a patient’s face from a head CT or MRI even after the scan has been stripped of names and IDs. Facial recognition algorithms can then link the image to public databases, revealing identity.
- Unique anatomical markers. Even body parts that don’t include the face — such as a hand or spine — can act like a biometric fingerprint. AI can match these against other scans to re-identify a person.
- Third-party AI vendors. Many hospitals send medical images to cloud-based AI services for analysis. These vendors may not be covered by HIPAA, and their data security practices vary widely. A breach at one vendor could expose millions of images.
- Lack of meaningful consent. Patients often sign blanket consent forms that allow use of their data for “research” or “quality improvement.” They are rarely told that their scans might be shared with commercial AI companies or used to train models sold to other hospitals.
The report is based on a review of recent studies and case examples, and it calls on radiologists, hospitals, and policymakers to address these gaps before the risks become widespread.
Why It Matters for Patients
Medical images are different from most other health data. A doctor’s note or lab result can be de-identified by removing your name and date of birth. But an image of your skull or your spine is inherently tied to your body. Once an AI model learns to recognize you from that image, you can be tracked across institutions, over time, and even linked to public social media photos.
Current legal protections are incomplete. HIPAA covers hospitals, doctors, and insurers, but it does not directly regulate AI developers that process images on their own servers. Some of these companies are startups with limited security budgets. Others are large tech firms with a history of using data for purposes beyond what patients agreed to.
There have already been incidents. In 2024, a radiology cloud service suffered a breach that exposed scans from dozens of hospitals. In another case, a hospital allowed an AI company to use patient scans for training without explicit permission, and the resulting model was later sold to a third party. The RSNA report notes that these examples are likely just the beginning.
What You Can Do
You don’t have to refuse an MRI to protect your privacy. Here are practical steps:
- Ask your provider about AI use. Before a scan, ask: “Will my images be analyzed by an AI system? Which company’s software is used? Is my data shared outside this hospital?” You have a right to know.
- Request an opt-out if available. Some institutions let you decline AI analysis of your images. It may mean a longer wait if the AI is used for efficiency, but your scan will still be read by a radiologist.
- Review your consent forms. When you sign a general consent for treatment or research, look for language about data sharing, cloud processing, or “secondary use.” If it’s vague, ask for specifics.
- Use patient portals carefully. Many hospitals post your images online via a portal. That’s convenient, but it also means the images are stored on a server somewhere. Download what you need and don’t leave the images there indefinitely.
- Support stronger privacy laws. HIPAA is overdue for an update to cover AI vendors. Federal legislation like the Health Data, Privacy, and Security Act (proposed but not passed) would close some of these loopholes. Let your representatives know this matters.
Sources
This article is based primarily on the RSNA report “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks,” presented in May 2026, and supporting literature on re-identification and HIPAA coverage gaps that the RSNA report references. No single study can predict every future risk, but the trends are consistent: as AI becomes more powerful, the privacy boundaries protecting medical images will need to be redesigned from the ground up.