Is Your Medical Scan Data Safe? New AI Privacy Risks Explained

If you’ve had an X-ray, MRI, or CT scan in the past few years, there’s a good chance an AI tool helped a radiologist read it. These systems can spot subtle patterns faster than a human eye, and in many hospitals they’re now part of routine care. But a recent report from the Radiological Society of North America (RSNA) warns that the same technology creates new privacy vulnerabilities for patients. Here’s what the report says and what you can do about it.

What happened

The RSNA, a respected academic organization that publishes peer-reviewed research, issued a review of privacy risks tied to AI in medical imaging. The main findings:

  • Re-identification is possible. Even when images are stripped of obvious identifiers like your name or birth date, AI can sometimes reconstruct enough facial geometry or anatomical markers to link a scan back to you. This is not hypothetical; researchers have demonstrated it.
  • Third-party access is common. Many AI tools are developed by outside vendors and process images on cloud servers. Your medical images may be stored, analyzed, or even used for training on systems you never consented to—and that may not be fully covered by your hospital’s privacy policies.
  • Data sharing for AI training isn’t always transparent. Some institutions share de-identified scans with research networks, but the RSNA notes that “de-identification” in the age of AI is less reliable than it used to be. A model trained on one dataset might learn to recognize patterns that inadvertently expose patient details.

The report doesn’t claim that widespread breaches have already occurred, but it argues that the risks are real and poorly addressed by current regulations.

Why it matters for patients

Medical images are among the most sensitive pieces of personal data you own. They reveal things about your health, your body, and sometimes your identity. If that data leaks or is used without your knowledge, it can lead to discrimination, insurance problems, or a profound loss of trust.

Most patients assume that once a scan is done, it stays inside the hospital’s system. But when an AI tool is involved, data often flows to external servers. You probably weren’t asked for permission, and you may not have been told which vendor handles your images. The RSNA report calls this a “Pandora’s box” because once the data leaves, you cannot control it anymore.

Under HIPAA (the Health Insurance Portability and Accountability Act), you have a right to know how your health information is used. However, HIPAA was written before AI became a routine part of radiology. It does not clearly address the use of AI, the sharing of images with third-party vendors, or the risk of re-identification. That gap leaves patients in a gray area.

What you can do now

You cannot fully control how a hospital uses AI, but you can take steps to protect your privacy:

  1. Ask before the scan. When your doctor orders an X-ray or MRI, ask: “Will AI be used to analyze my images? If so, which vendor provides that AI, and where will my data be processed?” A good radiology department should be able to answer these questions. If they cannot answer, or seem evasive, consider it a red flag.

  2. Request a copy of the facility’s privacy policy. Many hospitals publish a “Notice of Privacy Practices” that outlines how they handle medical data. Look specifically for language about “de-identified data,” “third-party vendors,” and “research use.” If the policy is vague, ask for clarification.

  3. Opt out of research if you can. Some institutions let you decline the use of your medical data for research. This does not prevent clinical use of AI, but it may limit how your images are stored or shared afterward. Ask the admissions or radiology desk about opting out.

  4. Check if image anonymization is available. For some scans, you can request that identifying features (like your face in a head CT) be removed or obscured. Not all systems do this automatically, but it is technically possible. Radiology departments are required to accommodate reasonable requests under HIPAA.

  5. Stay informed. The RSNA report is part of a growing conversation. Follow reliable sources like the Electronic Frontier Foundation (EFF) or the American College of Radiology for updates on regulations.

The bigger picture

The RSNA’s warning should not cause panic, but it should prompt caution. AI in medical imaging is still relatively new, and the infrastructure around privacy is playing catch-up. Several states are considering legislation that would require stronger consent for AI use and stricter data security. In the meantime, patients who ask questions and keep records are better protected than those who assume everything is safe.

As a general rule: if a hospital cannot explain exactly how your medical images are handled, that is a problem. Push for transparency—it is your right.


Sources

  • Radiological Society of North America, “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks” (2026). Available at RSNA.org.
  • U.S. Department of Health and Human Services, HIPAA Privacy Rule. HHS.gov.