Is Your Medical Image Being Used to Train AI? What to Know About Privacy Risks
If you’ve had an X-ray, MRI, or CT scan recently, there’s a good chance that image was run through some form of artificial intelligence. Hospitals increasingly use AI to help radiologists spot fractures, tumors, or other abnormalities more quickly. The technology can improve accuracy and speed, but it also raises a question many patients don’t think to ask: what happens to that image after it’s used for your care?
A recent article from the Radiological Society of North America (RSNA) lays out privacy risks that patients should be aware of. The piece describes how medical images can be shared with AI vendors, used to train algorithms, and potentially even re-identified—meaning your personal information could be recovered from data you thought was anonymous.
What Happened
The RSNA article, titled “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks,” summarizes research and expert concerns about the way patient scans are being handled in the AI era. It points out several specific issues:
- Many hospitals and clinics share de-identified images with third-party AI developers. But de-identification is not foolproof. Researchers have shown that facial features rendered in CT or MRI scans can sometimes be matched to public photos, or that metadata embedded in image files can still contain patient identifiers.
- Patients are rarely given clear notice that their images will be used for AI training. Consent forms for imaging procedures often include broad language about data use for research or quality improvement, but the line between clinical care and algorithm development is blurry.
- Current privacy regulations, including HIPAA, were written before AI became commonplace. HIPAA covers protected health information, but if data is de-identified according to certain standards, it can be shared without patient authorization. The problem is that those standards may not be enough to prevent re-identification as AI techniques advance.
Why This Matters for You
This isn’t just an abstract policy debate. If your medical images end up in an AI training dataset, you could face real consequences, even if your name is stripped off initially.
Re-identification risk. When multiple data sources are combined—say, a CT scan of your skull along with demographic details like age and zip code—it becomes easier to pinpoint who you are. A 2019 study demonstrated that 99.98% of Americans could be re-identified using just 15 demographic attributes. Medical images add another layer of biometric data.
Data breaches. Healthcare data is a prime target for hackers. In 2023 alone, over 133 million healthcare records were exposed in the United States. If your imaging data is stored in a vendor’s cloud system rather than your hospital’s own servers, it may be subject to different security standards.
Loss of control. Once your image is shared with an AI company, you have little say in how it is used later. It could be sold to another firm, combined with other datasets, or used to develop algorithms you never consented to.
The RSNA article notes that many patients assume their medical data is protected by the same rules that cover their doctor’s notes and test results. But AI training often falls into a gray area where explicit consent is not required.
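The re-identification risk described in this section, where attributes such as age and zip code are combined until a record matches only one person, can be measured before a dataset leaves the hospital. The following is an added example, not taken from the RSNA article or the original page; the records, field names and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample: "de-identified" imaging records (no names or IDs).
# Field names and values are hypothetical, made up for this example.
RECORDS = [
    {"age": 34, "sex": "F", "zip": "98101", "scan": "CT head"},
    {"age": 34, "sex": "F", "zip": "98101", "scan": "MRI knee"},
    {"age": 34, "sex": "M", "zip": "98101", "scan": "CT head"},
    {"age": 61, "sex": "M", "zip": "98101", "scan": "CT chest"},
    {"age": 61, "sex": "M", "zip": "98052", "scan": "CT chest"},
    {"age": 61, "sex": "F", "zip": "98052", "scan": "MRI brain"},
    {"age": 47, "sex": "F", "zip": "98052", "scan": "X-ray hand"},
    {"age": 47, "sex": "F", "zip": "98052", "scan": "CT head"},
]

def group_sizes(records, attrs):
    """Count how many records share each combination of the given attributes."""
    return Counter(tuple(r[a] for a in attrs) for r in records)

def k_anonymity(records, attrs):
    """Smallest group size: every record hides among at least k look-alikes."""
    return min(group_sizes(records, attrs).values())

def unique_fraction(records, attrs):
    """Share of records that are the only one with their attribute combination."""
    sizes = group_sizes(records, attrs)
    singles = sum(1 for r in records if sizes[tuple(r[a] for a in attrs)] == 1)
    return singles / len(records)

def risk_report(records, attr_order):
    """Add attributes one at a time and report (attrs, k, unique fraction)."""
    return [(tuple(attr_order[:n]), k_anonymity(records, attr_order[:n]),
             unique_fraction(records, attr_order[:n]))
            for n in range(1, len(attr_order) + 1)]

if __name__ == "__main__":
    for attrs, k, frac in risk_report(RECORDS, ["sex", "age", "zip", "scan"]):
        print(f"{'+'.join(attrs):<20} k={k}  unique={frac:.0%}")
```

A data custodian can run this kind of check on an export and generalize or drop attributes (for example, age bands instead of exact age, truncated zip codes) until no combination leaves a record alone in its group.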
What You Can Do
You can’t completely avoid AI in medical imaging—it’s becoming standard in many radiology departments. But you can take steps to understand and limit exposure.
Ask your provider about their AI policy. Before an imaging exam, ask the scheduling office or technician a simple question: “Are you using AI to analyze my images, and is my data shared with any outside companies for training?” Some hospitals have clear descriptions in their patient privacy notices. Others may not have a standard answer, but asking signals that patients care.
Read consent forms carefully. When you sign a consent for a CT scan or MRI, look for language about “research,” “quality improvement,” or “data sharing.” If it is vague, ask for clarification. You may have the right to opt out of having your images used for AI training—although the practical ability to opt out varies by institution.
Monitor for breaches. Sign up for breach notifications from your healthcare provider. You can also check the HHS Office for Civil Rights breach portal to see if your hospital has reported an incident.
Consider state-level protections. Some states, like California and Washington, have stronger health privacy laws than HIPAA. If you live in such a state, you may have additional rights to know what data is collected and to request deletion.
The Bigger Picture
The RSNA article is a reminder that technology is moving faster than regulation. The same AI tools that help doctors catch cancers earlier can also erode patient privacy if not handled carefully.
For now, the best defense is awareness. Know that your medical images may be used for more than just your diagnosis. Ask questions. And treat your imaging data like any other sensitive personal information—because that’s exactly what it is.
Sources
- RSNA, “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks” (2026)
- Office for Civil Rights, HIPAA Breach Notification Rule data
- Studies on re-identification using demographic attributes (Rocher et al., Nature Communications, 2019)