How Medical Imaging AI Could Expose Your Private Health Data—What You Need to Know
You go to the hospital for an X-ray or an MRI, and the image goes straight into a computer. A radiologist reads it, but these days an artificial intelligence tool may also analyze it to help spot a fracture or a tumor. That same AI system, however, may be storing more than just the scan.
A recent report from the Radiological Society of North America (RSNA) warns that medical imaging AI can inadvertently expose patient information. The report is part of a growing body of work from radiologists and cybersecurity experts who are concerned that the rapid adoption of AI in radiology has outpaced privacy safeguards. If you or a family member has ever had an imaging exam, it is worth understanding what the risks are—and what you can do.
What Happened
The RSNA special report, titled “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks,” was published in May 2026. It describes how AI models used in radiology are typically trained on large datasets of medical images. Those images often come with metadata—patient names, dates of birth, medical record numbers, even the name of the referring physician. In some cases, the metadata is not fully stripped before the images are used for training or shared with third-party AI vendors.
The report also highlights that AI tools themselves can create new vulnerabilities. For example, a model might “memorize” parts of a training image and later reproduce them, potentially exposing a patient’s anatomy or a unique feature that could be linked back to them. RSNA’s authors cite previous incidents where researchers were able to re-identify patients from supposedly de-identified medical images using publicly available data.
Why It Matters
For most patients, the privacy risks of AI in medical imaging are not immediately obvious. You might assume that your medical images are covered by HIPAA, the main U.S. health privacy law. And they are—but only up to a point. HIPAA applies to covered entities like hospitals and insurers. When a hospital sends your scan to an AI company for analysis, and that company is a business associate, HIPAA rules still apply. However, the law was written before AI became a routine part of radiology, and enforcement has not always kept pace.
The bigger issue is that de-identification is not a perfect science. A 2019 study from the University of Melbourne showed that researchers could re-identify individuals from CT scans by matching facial features to driver’s license photos. As AI becomes more powerful, the ability to cross-reference medical images with other data sources will only improve. That means a scan you had for a broken arm could, years later, be linked back to you—even if your name was removed.
Also, AI systems are often updated and retrained on new data. If a hospital or vendor stores your images for future training, you may have little control over where they go. Some hospitals already sell de-identified imaging data to researchers, but the definition of “de-identified” varies.
What Readers Can Do
You cannot opt out of AI in medical imaging entirely—your doctor may not even tell you if AI is being used. But you can take steps to protect your data:
Ask your provider directly. Before a scan, ask: “Do you use AI to analyze medical images? Is my data shared with any third-party vendors? How is it de-identified, and how long is it stored?” Radiology departments that are transparent about their practices are more likely to have strong privacy policies.
Check your patient portal. Many hospital systems let you see details about who has accessed your medical records. You may also find privacy policies or consent forms that explain data use. Look for any language about sharing data for research or AI training.
Support stronger privacy laws. HIPAA was last significantly updated in 2013. Some states, like California and Washington, have passed more recent health data privacy laws that cover de-identified data. Contacting your elected officials to ask for updates to HIPAA that specifically address AI is a concrete way to push for change.
Be cautious about sharing images online. If you post a copy of your X-ray or MRI on social media (for example, to ask for medical advice), you are giving away a biometric identifier. Even stripped of your name, the image could be used to identify you later.
Sources
- Radiological Society of North America. “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks.” RSNA, May 2026.
- RSNA. “Special Report Highlights LLM Cybersecurity Threats in Radiology.” May 2025.
- University of Melbourne study on re-identification risks (cited in RSNA report).
- U.S. Department of Health and Human Services. HIPAA Privacy Rule.
- State privacy laws: California Consumer Privacy Act (CCPA); Washington My Health My Data Act.