How AI in Medical Imaging Could Put Your Privacy at Risk – and What You Can Do

Artificial intelligence is transforming how radiologists read X-rays, CT scans, and MRIs. Algorithms can spot tumors, fractures, and other abnormalities faster than the human eye, and hospitals are adopting these tools at a rapid pace. But this progress comes with a less discussed downside: new privacy risks for patients.

Recent research presented at the Radiological Society of North America (RSNA) has highlighted specific threats that were barely on the radar a few years ago. For anyone who has had or will have a medical scan, it’s worth understanding what’s changed and what you can do about it.

What happened: New threats uncovered at RSNA

In 2025 and 2026, several RSNA reports documented privacy and security vulnerabilities tied directly to AI in medical imaging.

  • Deepfake X-rays and scans. Researchers demonstrated that AI-generated fake X-rays can fool both human radiologists and AI diagnostic tools. A manipulated scan could be used to alter a diagnosis, create false evidence for insurance claims, or even blackmail a patient. The technology to generate convincing fake medical images is now cheap and accessible.

  • Large language model (LLM) cybersecurity threats. As hospitals begin using LLMs (the same technology behind chatbots) to assist with radiology reports, researchers found that these models can be prompted to leak sensitive patient information. In some tests, an attacker could extract details such as names, dates, and clinical findings simply by asking the right questions.

  • Model inversion attacks. An attacker with access to a trained AI model can sometimes reconstruct the original patient images used to train it. This means that even anonymized datasets can be reverse‑engineered to reveal identifiable faces, anatomy, and other personal details.

  • Data breaches of imaging datasets. Large imaging repositories used for AI training are lucrative targets. Multiple incidents have already occurred where scans stored in cloud databases were accessed without authorization.

Why it matters for patients

Most people assume that once a scan is taken, the image is safely stored and only used for their care. That assumption is fragile in the age of AI.

Current laws like HIPAA (in the US) and GDPR (in Europe) were written before these AI‑specific risks existed. While they require patient consent for certain data uses, they have gaps:

  • HIPAA covers identifiable health information, but once data is de‑identified (stripped of obvious markers like name and social security number), it can be used for AI training without further patient permission. Model inversion attacks can potentially re‑identify that data.
  • Many hospital consent forms include broad language about using data for “research and quality improvement,” which may now cover AI training. Patients are rarely told explicitly that their scans could be fed into third‑party algorithms.
  • When AI systems are provided by external vendors, it’s not always clear how those companies handle patient data. Some have suffered breaches.

The result: your medical images could be used in ways you didn’t expect, and those uses may carry real privacy risk.

What patients can do

You are not powerless. Here are practical steps you can take to protect your medical imaging data.

1. Ask your provider about data usage policies. Before a scan, ask the radiology department or your doctor: “Will my images be used to train AI? If so, are they de‑identified? Do I have a choice?” Many hospitals are still forming their policies, and patient pushback can prompt clearer answers.

2. Look for opt‑out options. Some facilities offer a form or checkbox that allows you to restrict use of your data to your own care only. You may have to request it explicitly. Under GDPR, you have a broader right to object to certain uses; check your local laws.

3. Insist on secure image sharing. If you need to share scans with another doctor or store them personally, ask how the facility encrypts and transmits images. Avoid using email or unsecured file‑sharing services.

4. Understand what tech your hospital uses. Look for hospitals that are transparent about their AI vendors and data governance. Some institutions have published “algorithmic accountability” policies that explain how AI tools are validated and how patient data is protected.

5. Support privacy‑preserving AI approaches. Federated learning is a technique where AI models are trained across multiple hospitals without moving the raw data off‑site. This reduces the risk of data breaches and allows models to learn without centralizing sensitive images. Ask if your hospital uses or is considering such methods.

What to expect going forward

Regulation is slowly catching up. The FDA has begun to require that AI medical devices be tested for cybersecurity vulnerabilities. Proposed updates to HIPAA may eventually address model inversion and re‑identification risks. But for now, patients have to stay informed and ask questions.

The promise of AI in radiology is real — earlier detection, fewer missed diagnoses, faster turnaround. But the privacy risks are also real, and they won’t be solved by technology alone. Being an engaged patient is one of the best protections you have.

Sources:

  • Radiological Society of North America (RSNA) reports on deepfake X‑rays and LLM cybersecurity threats (2025–2026).
  • HIPAA Privacy Rule and its limitations regarding de‑identified data and AI training.
  • Research on model inversion attacks in medical imaging (e.g., prior conference papers cited in RSNA presentations).
  • General cybersecurity guidelines from HHS and the FDA for medical devices.