How AI in Medical Imaging Risks Your Privacy — and What to Do About It

If you’ve had an X‑ray, MRI, or CT scan recently, the images that help doctors diagnose you are probably also being analyzed by artificial intelligence. That’s often a good thing: AI can spot subtle patterns a human eye might miss, leading to earlier detection of diseases like cancer. But a growing number of experts are warning that widespread AI use in radiology comes with serious privacy trade‑offs.

In May 2026, the Radiological Society of North America (RSNA) published an article outlining exactly how medical imaging AI can expose sensitive patient data. The piece, titled “Medical Imaging AI Opens a Pandora’s Box of Privacy‑Related Risks,” isn’t alarmist — it’s a sober look at a problem that’s already here.

What happened

RSNA’s article highlighted several ways AI in imaging can compromise patient privacy. Medical images are not just pictures of your insides; they are data‑dense files that often include metadata such as your name, date of birth, and patient ID, and sometimes the image itself captures your face (in the case of CT and MRI scans that reconstruct the head and neck region). AI models trained on these images can inadvertently “remember” such identifying characteristics and, in some cases, re‑identify you from anonymized scans.

A 2023 study demonstrated this clearly: a facial‑recognition AI was able to re‑identify patients from CT scans with 83% accuracy — even when the images had been stripped of obvious identifiers. The problem is that high‑resolution 3D scans contain enough unique anatomical detail to act as a biometric “fingerprint.”

Beyond re‑identification, there are risks of data aggregation across hospitals, insecure transfer of scans to cloud‑based AI services, and secondary use of images for research or model training without explicit patient consent. AI vendors and researchers may not be covered by the same privacy rules as hospitals, creating gaps in protection.

Why it matters for patients

The practical consequences can be serious. A data breach at an imaging center could expose not just a patient’s name and address, but also detailed health information that could affect insurance coverage, employment, or even social standing. Unlike a credit card number, you cannot change your MRI scan or your face.

Moreover, AI training often involves sharing large datasets among institutions. If you give consent for one purpose — say, a hospital’s internal quality improvement — your images might later end up in a commercial AI product without your knowledge. HIPAA covers “covered entities” (doctors, hospitals, insurers) and their business associates, but it does not always extend to downstream researchers or AI companies that obtain already de‑identified data, especially if the de‑identification is later shown to be reversible.

Finally, there is the risk of discrimination. If an AI model trained on imaging data inadvertently correlates certain features with health risks that affect insurance premiums, you could be penalized based on patterns you never knew existed.

What you can do

You don’t have to avoid imaging — but you can take steps to protect your data.

  1. Ask your provider about AI use. Before a scan, ask whether AI tools are used to analyze images, and if so, which vendor’s software is used. Find out whether your images leave the facility (e.g., sent to a cloud service) and how they are encrypted in transit and at rest.

  2. Request information about consent and opt‑out options. Many hospitals have a consent form that covers use of your images for research or AI training. Read it carefully. You can often opt out of secondary uses without affecting your clinical care.

  3. Ask about anonymization. If your images will be used for AI training or research, ask what steps are taken to remove identifying metadata and to prevent re‑identification. Not all anonymization is equal. Some facilities use advanced techniques like “de‑facing” (removing facial contours from head scans), but these are not yet standard everywhere.

  4. Understand your rights under HIPAA and state law. HIPAA gives you the right to request an accounting of disclosures and to limit certain uses of your health information. Some states, such as California under the CPRA (California Privacy Rights Act), extend additional protections to medical data. Ask the privacy officer at your imaging facility for a summary of your rights.

  5. Check for breach notices and contact your provider if you’re concerned. If you learn that a facility you used experienced a data breach, you have the right to know what was exposed. You can also file a complaint with the Office for Civil Rights at HHS if you believe your HIPAA rights were violated.

Sources

  • RSNA (2026). “Medical Imaging AI Opens a Pandora’s Box of Privacy‑Related Risks.” Radiological Society of North America. Published May 20, 2026.
  • Schwarz, C. et al. (2023). “Facial Recognition from CT Scans: A Re‑identification Risk.” Radiology, 307(1), e222066. doi:10.1148/radiol.222066.
  • U.S. Department of Health and Human Services. “Your Rights Under HIPAA.” hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers.

The benefits of AI in imaging are real. But as the RSNA article makes clear, the technology also forces us to ask hard questions about data stewardship — questions that every patient deserves an honest answer to.