How Medical Imaging AI Could Expose Your Private Health Data—and What You Can Do About It

Artificial intelligence is reshaping medical imaging. Algorithms now spot lung nodules, measure bone density, and classify tumors faster than many radiologists. But the same technology that analyzes your scans can also pull out deeply personal details you never consented to share. This isn’t science fiction—recent reports from the Radiological Society of North America (RSNA) show that AI tools can reconstruct body composition data from routine chest X‑rays, and that security gaps around large language models (LLMs) in radiology are only beginning to be understood.

Understanding these risks helps you take practical steps to protect your medical images—without skipping necessary care.

What happened

In May 2026, RSNA published research on an AI tool that extracts body composition data from ordinary chest X‑rays. The same images used to screen for pneumonia or lung cancer can now reveal muscle mass, fat distribution, and other indicators of overall health. While this could improve diagnosis, it also means that once an image leaves your doctor’s office, third‑party algorithms can mine it for far more than the original clinical question.

A year earlier, in May 2025, RSNA released a special report highlighting LLM cybersecurity threats in radiology. LLMs (the kind of AI behind ChatGPT) are being tested to summarize radiology reports and assist with interpretation. The report noted that these models can inadvertently memorize patient details from training data and, if not properly isolated, may leak information through responses or be vulnerable to targeted extraction attacks.

Together these developments confirm a point the RSNA has been raising explicitly: medical imaging AI opens a Pandora’s box of privacy‑related risks.

Why it matters

Medical images are not anonymous. Even after faces and identifiers are stripped, the images themselves contain enough unique anatomical features to re‑identify individuals with high accuracy. AI trained on millions of scans can learn to link a specific X‑ray to a person’s age, sex, body metrics, and even genetic predispositions that appear in bone structure or soft tissue.

This matters because the data often flows beyond your health system. Hospitals may share de‑identified images with researchers or AI developers. In theory, “de‑identified” means no personal information remains, but the RSNA and others have shown that re‑identification is possible. Once an image leaves your provider’s control, you lose say over what happens next. Insurance companies, employers, or marketers could theoretically use extracted body composition data or disease probabilities in ways you never authorized.

The LLM threat is subtler. If your radiology report is analyzed by an AI that later learns from public interactions, details from your case could surface unexpectedly. Even heavily filtered models can sometimes regurgitate training examples—that’s the nature of how they store information.

What you can do

You don’t need to refuse imaging to protect your privacy. These steps are reasonable and supported by current regulations.

Ask your provider about AI use. Before a scan, ask: “Will an AI tool analyze my image? If so, which company provides it? Is my data sent outside this hospital?” Many radiology departments now use FDA‑cleared AI, but they should be able to tell you whether your images stay on‑site or go to a third‑party cloud.

Request an opt‑out for research or development. Your consent form may include a checkbox for sharing de‑identified data. If you are not comfortable, uncheck it. In the U.S., HIPAA permits using de‑identified images without consent, but many institutions offer the option to refuse. Ask your provider for their specific policy.

Use encrypted communication channels. When you receive results or discuss imaging, use the patient portal rather than unencrypted email. Portals are required to meet security standards that regular email often lacks.

Follow up on data access. After a scan, you can request an accounting of disclosures—a list of who viewed your images and for what purpose. HIPAA gives you this right (though it may take time to receive). If you see unexpected entities, file a complaint with your provider’s privacy officer.

Stay informed about your state laws. Some states, like California and Colorado, have stricter privacy laws that cover health data beyond HIPAA. These may give you additional rights to delete data or to know about all downstream uses.

Sources

  • Radiological Society of North America (2026). AI Tool Extracts Body Composition Data from Routine Chest X‑Rays. RSNA News.
  • Radiological Society of North America (2025). Special Report Highlights LLM Cybersecurity Threats in Radiology. RSNA.
  • Radiological Society of North America (2026). Medical Imaging AI Opens a Pandora’s Box of Privacy‑Related Risks. RSNA News.

The primary RSNA article referenced above was accessed via Google News on May 22, 2026. Direct links to the RSNA site may require a subscription for full text.