How Your Medical Scans Could Become a Privacy Risk with AI

Medical imaging has quietly become one of the most data-rich parts of modern healthcare. X-rays, CT scans, and MRIs are now routinely fed into artificial intelligence systems that help radiologists detect tumors, fractures, and other abnormalities faster. That shift brings clear benefits, but it also introduces privacy risks that many patients and even some providers may not fully appreciate.

Recent research presented at the Radiological Society of North America (RSNA) reveals that AI in medical imaging is not just a diagnostic tool—it is also a vector for new kinds of data exposure, from re-identification of supposedly anonymous scans to the creation of convincing deepfake X-rays that could be used for fraud or blackmail.

What Happened

In March 2026, RSNA published a study demonstrating that deepfake X-rays—synthetic medical images generated by AI—can fool both board-certified radiologists and AI detection systems designed to spot forgeries. The implications are not merely technical. If a fabricated scan can pass as real, it could be inserted into a patient’s record to support a fraudulent insurance claim or to alter a diagnosis. The same technology used to enhance image quality can also be turned around to create false evidence.

Separately, researchers have repeatedly shown that medical images labeled as de-identified can often be re-identified by matching them with publicly available data or by using AI models trained to recognize unique anatomical features. In one well-known experiment, a team was able to re-identify individuals from CT scans by analyzing the shape of the vertebrae and matching it with a prior scan in a different database.

These findings are not hypothetical. Several hospital systems have already reported breaches in which imaging data was exfiltrated, and the AI tools used to process those images made the data more valuable—and more vulnerable—because structured annotations and metadata are often stored alongside the pixel data.

Why It Matters

For a patient, the risk is that the images taken for a routine mammogram or a quick chest X-ray could be used in ways you never consented to. Three specific concerns stand out:

  • Data re-identification. Even when a scan is stripped of name and date of birth, the image itself contains enough unique detail to be linked back to you, especially if combined with other public records.
  • Deepfake medical records. A convincing fake scan could be used to commit insurance fraud, to alter legal evidence in a personal injury case, or to manipulate your health history without your knowledge.
  • AI training data leaks. Many hospitals share anonymized imaging data with AI developers. If that data is not properly de-identified, a leak could expose intimate details of your body—and your identity.

HIPAA and GDPR offer some protections, but those laws were written before AI models could reconstruct faces from a CT scan or generate a realistic chest X-ray from scratch. The gaps are real, and the incentive to exploit them is growing.

What Readers Can Do

For patients, the most practical steps are about awareness and asking the right questions.

  • Ask your provider about data handling. Before an imaging exam, ask: “Will my images be used to train AI? If so, are they fully anonymized, and can I opt out?” Many facilities have a consent form—read it or ask for a plain-language summary.
  • Check your rights under HIPAA. You have the right to request an accounting of disclosures, meaning you can ask who has accessed your images. You can also request that your data not be shared for research, though that may limit some care options.
  • Monitor your statements. If you see an imaging charge for a test you never had, it could be a sign your data was used to generate a fake claim. Report it to your insurer and your provider’s privacy office.

For healthcare providers and practice managers:

  • Encrypt all imaging data in transit and at rest. This is basic but often overlooked when integrating third-party AI tools.
  • Limit metadata stored with images. Strip unnecessary patient identifiers from DICOM headers before sharing with AI vendors, and adopt a data minimization protocol so that only the fields the analysis actually needs leave your facility.
  • Audit your AI vendor’s security practices. Do not assume that a well-known AI platform automatically protects patient privacy. Request a SOC 2 report, ask about how training data is stored, and verify that they do not retain copies of your images after analysis.
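As an added illustration of the DICOM header stripping recommended above (example code written for this article, not from RSNA or any vendor), the following Python parses a constructed subset of explicit-VR little-endian header elements, replaces the direct identifiers, drops private tags, and offers a pre-export check. Tag numbers are standard DICOM tags except the made-up private tag (0009,1010); all values are fabricated.

```python
import struct

# Constructed sample header: (tag, VR, value). Tags are standard DICOM tags,
# except (0009,1010), a made-up private tag; all values are fabricated.
SAMPLE = [
    ((0x0008, 0x0060), "CS", "CT"),            # Modality: needed by the AI task
    ((0x0010, 0x0010), "PN", "DOE^JANE"),      # PatientName: direct identifier
    ((0x0010, 0x0020), "LO", "MRN-000123"),    # PatientID: direct identifier
    ((0x0010, 0x0030), "DA", "19700101"),      # PatientBirthDate: identifier
    ((0x0018, 0x0050), "DS", "1.25"),          # SliceThickness: needed
    ((0x0009, 0x1010), "LO", "vendor-secret"), # private tag: unknown content
]
# Direct identifiers and the placeholder each is replaced with.
IDENTIFIERS = {(0x0010, 0x0010): "ANONYMOUS", (0x0010, 0x0020): "REMOVED",
               (0x0010, 0x0030): ""}

def encode(elements):
    """Serialize elements as explicit-VR little-endian (short-length VRs only)."""
    out = b""
    for (grp, elem), vr, value in elements:
        data = value.encode("ascii")
        if len(data) % 2:  # DICOM pads values to even length
            data += b"\x00" if vr == "UI" else b" "
        out += struct.pack("<HH", grp, elem) + vr.encode("ascii")
        out += struct.pack("<H", len(data)) + data
    return out

def decode(buf):
    """Parse the same subset; OB/OW/SQ long-length VRs (pixel data) are out of scope."""
    pos, elements = 0, []
    while pos < len(buf):
        grp, elem = struct.unpack_from("<HH", buf, pos)
        vr = buf[pos + 4:pos + 6].decode("ascii")
        length = struct.unpack_from("<H", buf, pos + 6)[0]
        value = buf[pos + 8:pos + 8 + length].decode("ascii").rstrip(" \x00")
        elements.append(((grp, elem), vr, value))
        pos += 8 + length
    return elements

def deidentify(buf):
    """Replace direct identifiers and drop private (odd-group) elements."""
    cleaned = []
    for tag, vr, value in decode(buf):
        if tag[0] % 2 == 1:  # private tag: vendor-defined content, may hide identifiers
            continue
        cleaned.append((tag, vr, IDENTIFIERS.get(tag, value)))
    return encode(cleaned)

def leaks(buf):
    """Pre-export check: tags still carrying an identifier or private data."""
    return [tag for tag, _, value in decode(buf)
            if tag[0] % 2 == 1 or (tag in IDENTIFIERS and value != IDENTIFIERS[tag])]
```

A production workflow should follow the DICOM PS3.15 attribute confidentiality profiles rather than this hand-picked tag list, and must also handle pixel data and text burned into the image itself.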

Sources

  • Radiological Society of North America. “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks.” RSNA News, May 2026.
  • RSNA. “Deepfake X-Rays Fool Radiologists and AI.” RSNA Research, March 2026.
  • U.S. Department of Health and Human Services. “HIPAA Privacy Rule and Sharing of Medical Images for AI Development.” HHS Guidance, 2025.
  • European Data Protection Board. “Guidelines on the Processing of Health Data for AI Training.” EDPB, 2024.
  • Schwartz, P. & Solove, D. “Re-Identification Risks in Medical Imaging.” Journal of Law and the Biosciences, vol. 12, no. 1, 2025.