Is Your Medical Scan Exposed? The Hidden Privacy Risks of AI in Radiology

Introduction

Artificial intelligence is now routinely used to analyze X-rays, CT scans, and MRIs. Hospitals and imaging centers increasingly rely on AI tools to detect tumors, flag fractures, or prioritize urgent cases. But as a recent report from the Radiological Society of North America (RSNA) makes clear, the same technology that improves diagnostic speed also opens up privacy risks that many patients don’t yet know about. If you’ve ever had a medical scan, here’s what you should understand—and what you can do about it.

What happened

In May 2026, the RSNA published a detailed report highlighting how AI in medical imaging introduces “a Pandora’s box of privacy-related risks.” The report draws attention to several troubling scenarios. Medical images that are de-identified, meaning that names, record numbers and other direct identifiers have been stripped from the file’s metadata, can often be re-identified, because the image itself is left intact and can be matched against public databases or other health records. AI models trained on large image datasets can memorize parts of their training data, so a model that is shared or leaked can expose information about the patients it was trained on. Furthermore, an AI vendor is bound by HIPAA only when it handles your data on behalf of a covered entity such as your hospital; a vendor that obtains data by other routes, or that holds a copy de-identified to HIPAA’s standard, sits outside the legal protections that apply to the hospital itself.

The RSNA report builds on earlier work showing that large language models in radiology present cybersecurity threats, and that the growing use of AI tools outpaces the regulatory framework designed to protect patient data.

Why it matters

For most patients, privacy concerns around medical scans have been abstract. You trust your doctor or imaging center to secure your records. But AI changes the equation. When your lung CT is processed by a third-party AI tool, that image—and the highly sensitive health information it contains—may be stored, used for further training, or even sold in ways you never consented to.

The harms aren’t theoretical. Someone with access to your scan data could infer your genetic predispositions, past surgeries, or chronic conditions. That information could lead to insurance discrimination, employment bias, or identity theft. Because medical images contain unique biometric features of your body (bone structure, vein patterns, organ shapes), they are effectively a permanent identifier—not something you can change like a password.

Even if your images are anonymized today, advances in AI re-identification techniques mean that anonymity may not last. The RSNA report notes that combining a de-identified scan with other data sources—like wearable device data or public ancestry databases—can often reveal your identity.
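As an added example that is not part of the RSNA report or any vendor’s software, the following Python script makes concrete what “de-identified” usually means for the two passages above: the identifying fields are removed from the scan file’s metadata, while the image itself, the part that can be matched against other records, is untouched. It assumes the DICOM explicit-VR little-endian element encoding used by medical imaging files (a real file also carries a preamble and a file-meta group, omitted here), a constructed tag allowlist that is a small subset of a real de-identification profile, a constructed two-by-two sample scan, and a constructed linkage table standing in for “other health records”; a SHA-256 of the pixel bytes stands in for the approximate anatomical matching a real attacker would use.

```python
"""Toy DICOM header de-identifier (added example; constructed data, not from the
RSNA report or any product). Shows that scrubbing the header leaves the body."""
import hashlib
import struct

# VRs that use the 4-byte length form in explicit VR little endian (DICOM PS3.5).
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}

PIXEL_DATA = (0x7FE0, 0x0010)
# Tags kept verbatim: SOP class, modality, image geometry, and the pixels (assumed allowlist).
KEEP = {(0x0008, 0x0016), (0x0008, 0x0060), (0x0028, 0x0010), (0x0028, 0x0011), PIXEL_DATA}
# Direct identifiers replaced with dummy values; real profiles list many more tags.
REPLACE = {(0x0010, 0x0010): b"ANON^PATIENT", (0x0010, 0x0020): b"ANON0000"}
# Every other tag (birth date, institution, physician, ...) is dropped outright.


def encode(group, elem, vr, value):
    """Serialize one element; values are padded to even length as the standard requires."""
    if len(value) % 2:
        value += b"\x00" if vr in (b"UI", b"OB", b"OW") else b" "
    head = struct.pack("<HH", group, elem) + vr
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def parse(data):
    """Parse an explicit-VR little-endian element stream into (group, elem, vr, value) tuples."""
    pos, out = 0, []
    while pos < len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if pos + length > len(data):
            raise ValueError("truncated element at offset %d" % pos)
        out.append((group, elem, vr, data[pos:pos + length]))
        pos += length
    return out


def deidentify(elements):
    """Allowlist-based header scrub: keep, replace, or drop each element."""
    scrubbed = []
    for group, elem, vr, value in elements:
        tag = (group, elem)
        if tag in KEEP:
            scrubbed.append((group, elem, vr, value))
        elif tag in REPLACE:
            scrubbed.append((group, elem, vr, REPLACE[tag]))
        # anything not listed is dropped
    return scrubbed


def header_text(elements):
    """Readable values of the non-pixel elements, to check what survived the scrub."""
    out = {}
    for g, e, vr, v in elements:
        if (g, e) == PIXEL_DATA:
            continue
        out[(g, e)] = struct.unpack("<H", v)[0] if vr == b"US" else v.decode("ascii").rstrip(" \x00")
    return out


def pixel_fingerprint(elements):
    """SHA-256 of the pixel bytes: a stand-in for any technique that matches bodies."""
    for g, e, vr, v in elements:
        if (g, e) == PIXEL_DATA:
            return hashlib.sha256(v).hexdigest()
    return None


# Constructed 2x2 16-bit "CT" with full identifiers, as a hospital archive would store it.
SAMPLE = b"".join([
    encode(0x0008, 0x0016, b"UI", b"1.2.840.10008.5.1.4.1.1.2"),  # CT Image Storage
    encode(0x0008, 0x0060, b"CS", b"CT"),
    encode(0x0008, 0x0080, b"LO", b"Example General Hospital"),
    encode(0x0010, 0x0010, b"PN", b"DOE^JANE"),
    encode(0x0010, 0x0020, b"LO", b"MRN-0001234"),
    encode(0x0010, 0x0030, b"DA", b"19700101"),
    encode(0x0028, 0x0010, b"US", struct.pack("<H", 2)),
    encode(0x0028, 0x0011, b"US", struct.pack("<H", 2)),
    encode(0x7FE0, 0x0010, b"OW", struct.pack("<4H", 1000, 1024, 40, 1300)),
])

# Constructed linkage table: another copy of the same study that still carries identifiers.
LINKAGE = {pixel_fingerprint(parse(SAMPLE)): "DOE^JANE / MRN-0001234"}


def relink(deidentified, linkage=LINKAGE):
    """Re-identify a scrubbed study by matching its image, not its header."""
    return linkage.get(pixel_fingerprint(deidentified))


if __name__ == "__main__":
    original = parse(SAMPLE)
    scrubbed = deidentify(original)
    print("header after scrub:", header_text(scrubbed))
    print("pixels unchanged:", pixel_fingerprint(original) == pixel_fingerprint(scrubbed))
    print("re-linked to:", relink(scrubbed))
```

Run as a script, the scrubbed header shows only the SOP class, modality, geometry and dummy patient values, yet the pixel fingerprint is identical before and after and the linkage table hands back the patient. That is the mechanism behind the report’s warning: removing names from the metadata does not remove the body from the image, and an allowlist scrubber, which drops everything it does not recognise, is the right default for the header but can do nothing about the pixels.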

What readers can do

You have more agency than you might think. Here are practical steps you can take:

Ask your provider how AI is used. Before a scan, ask whether an AI tool will be part of the analysis. If so, request a clear explanation of what data the AI vendor receives, where it is stored, how long it is kept, and whether it can be deleted upon request.

Read consent forms carefully. Many imaging centers include broad data-sharing clauses in their standard consent forms. Look for language about “training algorithms” or “research and development.” You can ask to opt out of data sharing for AI training while still receiving the AI-assisted analysis for your care.

Request deletion of nonclinical copies after your treatment is complete. Your provider is generally required by state record-retention laws to keep the clinical copy of your scans for a set number of years, so that archive will not be deleted on request. Copies held for other purposes are different: you can ask that your scans be removed from any nonclinical systems, including AI vendor platforms and training datasets, and ask for written confirmation that this was done.

Choose providers that publish privacy policies. Some hospital systems and imaging chains now offer transparency reports about their AI data practices. Call ahead and ask whether they have a written policy on AI data governance. If they don’t, that’s a red flag.

Understand the legal limitations. HIPAA protects your information while it is held by your health care provider and by any vendor that processes it on the provider’s behalf; such a vendor must sign a business associate agreement and is itself subject to HIPAA. Two gaps remain. Those agreements vary widely in what they permit, and may allow the vendor to retain your data or use it to improve its products. And once data has been de-identified to HIPAA’s standard, it is no longer protected health information at all, even if it can later be re-identified. So inquire specifically about third-party AI companies: whether they sign a business associate agreement, what uses it permits, and whether de-identified copies of your scans are kept for training.

Sources

  • Radiological Society of North America. “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks.” May 2026.
  • RSNA Special Report: “LLM Cybersecurity Threats in Radiology.” May 2025.
  • Health Insurance Portability and Accountability Act (HIPAA) – U.S. Department of Health and Human Services.

Note: The RSNA report from May 2026 is the primary source for the specific risks discussed here. HIPAA’s limitations regarding AI vendors are well documented, but the extent of re-identification risk depends on the specific data and techniques used. Not every AI imaging tool carries the same level of risk, and some vendors follow strong privacy practices. The key is to ask questions before you hand over your data.