How Medical Imaging AI Could Leak Your Private Health Data

You go in for an MRI, a CT scan, or an X-ray. The image captures something inside your body. What you might not know is that the image, along with the data attached to it, may now be used to train artificial intelligence (AI) systems. AI holds promise for faster, more accurate diagnoses. But it also opens a new set of privacy risks that patients rarely hear about.

What happened: AI in medical imaging raises privacy flags

In May 2026, the Radiological Society of North America (RSNA) published a report titled “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks.” The article highlights how the rapid adoption of AI in radiology is creating vulnerabilities that traditional patient protections may not cover.

Medical imaging AI tools require enormous datasets to learn. These datasets often include thousands of scans from real patients. Even when personal identifiers like names and Social Security numbers are stripped off, researchers have repeatedly shown that images can be re-identified. Facial features, bone structure, or even metal implants can be matched back to a specific person. Once an image is shared with a third-party vendor—an AI developer, a cloud provider, or a research institution—the hospital system no longer has full control over that data.

The RSNA report is not alone in sounding the alarm. Other recent publications, including one from the same organization on the economic realities of AI adoption, acknowledge that the rush to deploy tools often outpaces the policies needed to protect patients.

Why it matters: Your medical images are not as anonymous as you think

The core issue is that de-identification is not absolute. HIPAA (the Health Insurance Portability and Accountability Act) in the US sets rules for how hospitals handle protected health information. But HIPAA’s “safe harbor” method—removing 18 specific identifiers—does not account for modern re-identification techniques using AI itself. A study cited in radiology circles showed that facial recognition software could match de-identified head CT scans to patient photos with alarming accuracy.

Beyond re-identification, there is the problem of unauthorized access. When hospitals contract with AI vendors, those vendors may store copies of images on their own servers. A data breach at a vendor can expose scan data that the patient never approved for sharing. In some cases, hospitals also contribute images to large research databases without explicit patient consent, relying instead on permission that is often buried in the fine print of a consent form you signed before the procedure.

The result: your MRI could end up in a training set used by a company you have never heard of, with no clear way to remove it later.

What readers can do: Practical steps to protect your imaging data

You cannot avoid medical imaging entirely if your doctor orders it. But you can take steps to limit how your data is used.

  1. Ask your provider about their AI data-sharing policy. Before a scan, ask the radiology department or your doctor: “Does your hospital share images with any third-party AI vendors or research databases? Can I opt out?” Many institutions have an opt-out option, but they rarely advertise it.

  2. Read the consent form carefully. Standard consent forms for imaging procedures sometimes include a clause allowing the hospital to use your de-identified data for research or quality improvement. If you see such language, ask if you can strike that section or sign a modified version. This might not always be possible, but it is worth raising.

  3. Request details on data retention and deletion. Ask if the hospital can tell you where your imaging data is stored and for how long. If a vendor is involved, ask what happens to your scans after the AI model is trained. Some vendors retain images indefinitely.

  4. Be cautious with patient portals. Some hospitals allow you to view your images through online portals. These portals can be a convenience, but they also increase the attack surface. Use strong, unique passwords and enable two-factor authentication if available.

  5. Follow developments in AI and privacy regulations. HIPAA was written long before AI became common in clinics. Newer laws, like the GDPR in Europe, offer stronger protections, but enforcement is still evolving. Keep an eye on updates from organizations like the RSNA and the Electronic Privacy Information Center.

Sources

  • Radiological Society of North America (RSNA). “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks.” May 2026.
  • RSNA. “Radiologists Urge Economic Realism in AI Adoption.” May 2026.
  • RSNA. “Machine Learning in Radiation Oncology Clinical Trials and Clinical Practice.” January 2023.

These sources are publicly available through Google News and the RSNA website. Independent checks on re-identification risks can be found in peer-reviewed journals such as Radiology and JAMA Network Open. The privacy landscape is shifting fast; what is true today may change as both technology and regulation evolve. Stay informed, and do not be afraid to ask your healthcare provider the tough questions.