Is Your Medical Image Data Safe? Privacy Risks of AI in Radiology
If you’ve ever had an X-ray, MRI, or CT scan, those images contain far more than the information your doctor needs to make a diagnosis. They are now also raw material for artificial intelligence systems that are being deployed in radiology departments worldwide. And according to a recent report from the Radiological Society of North America (RSNA), this rapid adoption of AI is opening up risks to patient privacy that many people are not aware of.
What Happened
In May 2026, the RSNA published a report warning that the use of AI in medical imaging is creating a “Pandora’s box” of privacy-related vulnerabilities. The report, authored by a group of radiologists, data scientists, and privacy experts, outlines how AI tools can extract sensitive information from medical scans in ways that were not possible before. While the full text of the report is behind a paywall, the RSNA’s public summary highlights several concerns: AI models can re-identify patients from supposedly anonymized scans, health data can be used for secondary purposes without adequate consent, and the sheer volume of imaging data being collected makes breaches more consequential.
The RSNA is not alone in raising these alarms. Similar warnings have come from researchers studying AI in genomics and electronic health records. But medical imaging presents a unique challenge because images contain both visible patient identifiers (like facial features in a head CT) and hidden metadata that can be linked to external databases.
Why It Matters
Most patients assume their medical images are de-identified when used for research or AI training. But de-identification can be reversed. Studies have shown that facial recognition algorithms can match a 3D reconstruction from a CT scan to a person’s public photo. Even if the face is cropped, other anatomical features can be unique enough to serve as a biometric fingerprint. Once an image is re-identified, a person’s entire medical history, insurance status, and even genetic predispositions could be exposed.
Then there’s the issue of secondary use. When you consent to an imaging procedure, you are typically agreeing to its use for your diagnosis and treatment. But that consent rarely covers the images being fed into an AI training set that may be sold to a third party or used in a commercial product. Many hospitals now partner with tech companies to develop AI algorithms, and those partnerships often involve transferring large datasets off-site. Patients are seldom told about these arrangements in plain language.
Breaches are also a growing concern. Radiology departments store enormous amounts of data, and as AI tools become more integrated, the attack surface for hackers increases. In 2024, a major health system reported that an attacker accessed its imaging archive and stole scans of over 200,000 patients. Because medical images are rich in personal information, they fetch high prices on the dark web.
What You Can Do
You cannot stop AI from being used in imaging, but you can take steps to protect your data. Here are practical actions to consider:
- Ask questions before the scan. When your doctor orders an imaging test, ask whether the facility uses AI for analysis and whether your images will be shared with any third parties for AI training. You have a right to know how your data will be used. Many facilities have consent forms that include a checkbox for research use. Read them carefully.
- Request a data-sharing opt-out. Some hospitals allow you to opt out of having your images used for research or AI development. Even if it means your images will not contribute to medical advances, that is your choice. If the facility does not offer that option, ask to speak with the privacy officer.
- Review the radiology provider’s privacy practices. Before your appointment, check the hospital’s or imaging center’s Notice of Privacy Practices, which should describe how they handle protected health information. Look for language about “de-identified data” and “research” to see if they have clear limits.
- Consider asking for facial anonymization. For head and neck scans, some facilities now offer the option to apply a software mask that obscures facial features before the image leaves the department. This is not yet standard, but it is becoming more common.
- After the scan, request a copy of your images. Under HIPAA, you have a right to access your medical records, including images. Having your own copy helps you track where your data might end up. It also gives you leverage if you later need to ask for corrections or deletions.
- Stay informed about data breaches. If you learn that a facility where you had an imaging procedure experienced a breach, you may be eligible for credit monitoring or other remedies. Sign up for breach notifications when offered.
Future Outlook
The RSNA report calls for stronger data governance, clearer consent processes, and technical safeguards like differential privacy and federated learning, the latter of which allows AI models to train on data without moving it off-site. But these solutions are not yet widespread. For now, patients are in an awkward position: they benefit from AI’s diagnostic improvements, but they also shoulder the privacy risks.
Until regulations catch up, being an informed consumer is the best defense. The next time your doctor says, “Let’s get an image,” it is reasonable to ask: “And who else will see it?”
Sources
- Radiological Society of North America (RSNA) report on privacy risks of AI in medical imaging, published May 2026. Summary available via RSNA news feed.
- Related studies on re-identification from medical images published in Radiology Advances and Nature Scientific Data.
- HIPAA Privacy Rule, 45 CFR § 164.524 (access to medical records).