Is Your Medical Image Feeding an AI? What Patients Need to Know About Privacy Risks

If you have ever had an X-ray, CT scan, or MRI, you probably assumed that image was seen only by your doctor and stored securely. But the Radiological Society of North America (RSNA) recently published a detailed warning: medical images are now being fed into artificial intelligence systems in ways that may expose far more personal information than patients realize.

AI tools are becoming common in radiology departments, helping doctors detect tumors, fractures, and other findings faster. That sounds like progress, and often it is. But the same data that makes AI effective—your scan, plus the metadata attached to it—also introduces privacy risks that many patients are unaware of.

What Happened

The RSNA article, titled “Medical Imaging AI Opens a Pandora’s Box of Privacy‑Related Risks,” highlights several privacy vulnerabilities that arise when AI is used on medical imaging. According to the article, AI models often require access to large sets of labeled images for training, validation, and ongoing improvement. These datasets frequently contain not only the pixel data from scans but also metadata such as patient name, date of birth, medical record number, facility name, and scanner details.

The concern is not just that this metadata could leak. Researchers have shown that even after removing identifiers, AI techniques can sometimes re‑identify individuals by reconstructing facial features from a head CT or matching scan patterns to other databases. The RSNA piece points out that current de‑identification methods are not always reliable when used with advanced AI.

Another issue: many hospitals share imaging data with third‑party AI vendors or research partners. Patients are rarely asked for explicit consent, and the legal protections under HIPAA may not fully apply once data is “de‑identified” in ways that AI can later undo.

Why It Matters

For the average patient, the risks are not abstract. Think about what a medical image can reveal. A CT of the chest shows your lung shape, heart size, and any nodules—but it may also capture your face, the curve of your spine, and even the unique pattern of your ribs. AI algorithms trained to recognize anatomical patterns can sometimes extract biometric identifiers from these images.

If an insurance company obtained such data, hypothetically, it might use it to estimate health risks and adjust premiums. If an employer gained access, discrimination could follow. Even without malicious intent, a data breach in a hospital AI system could expose thousands of patients’ scans in ways that are harder to remediate than a stolen credit card number—you cannot change your bone structure.

The RSNA article also notes that many patients assume their medical data is protected by HIPAA. While HIPAA does cover traditional medical records, its rules for AI training data are less clear. Once images are stripped of obvious identifiers and turned into a research dataset, HIPAA’s privacy protections may no longer apply, even if re‑identification remains possible.

What Readers Can Do

You do not have to refuse necessary imaging to protect your privacy. But you can take a few practical steps:

  • Ask before the scan. Ask your provider: “Will my images be used to train AI? If so, can I opt out of data sharing?” Many hospitals have consent forms for research use. Make sure you read them and ask to opt out if you are not comfortable.
  • Request de‑identification. Ask if the facility strips all metadata (name, date, facility) from images before they go to any AI system. This is standard practice at reputable institutions, but not universal.
  • Check the facility’s privacy policy. Look for language about “de‑identified data,” “research databases,” or “third‑party analytics.” If you cannot find clear answers, contact the privacy office.
  • Use patient portals wisely. Be aware that you may be waiving additional privacy rights when you sign electronic consent forms quickly.
  • File a complaint if needed. If you suspect your images were used without your consent, you can file a complaint with the Office for Civil Rights (OCR) at the Department of Health and Human Services. HIPAA violations are taken seriously, even if the rules around AI are evolving.

Sources

  • Radiological Society of North America. “Medical Imaging AI Opens a Pandora’s Box of Privacy‑Related Risks.” Published May 20, 2026. Accessed May 22, 2026. The original article may be found on the RSNA website.

This article is for informational purposes and does not constitute legal or medical advice. Privacy regulations vary by jurisdiction.