Is Your Medical Scan Putting Your Privacy at Risk? What to Know About AI in Imaging
Artificial intelligence is transforming how radiologists read X‑rays, CT scans, and MRIs. It can speed up diagnoses, catch subtle abnormalities, and even predict disease risk. But the same technology that makes imaging more powerful also creates new ways for your personal health data to be exposed.
Recent research presented at the Radiological Society of North America (RSNA) has raised concerns that AI in medical imaging may inadvertently compromise patient privacy in ways that patients—and even many healthcare providers—do not fully realize.
What Happened
Several studies published or presented at RSNA in the past two years illustrate the scope of the problem.
Facial reconstruction from scans. One RSNA study demonstrated that AI can reconstruct identifiable faces from CT and MRI scans. Even when images are cropped to exclude the face, deep learning models can often re‑create a recognizable portrait from the remaining skull geometry. This means a scan intended to look at a knee or a chest could, if processed through certain AI tools, yield a face that could be matched to a person.
Data leaks through cloud processing. Many AI‑powered imaging tools rely on cloud servers to run their models. When your scan is sent to a third‑party service for analysis, it travels outside your hospital’s secure network. Even if the data is de‑identified in transit, researchers have shown that “de‑identified” medical images can sometimes be re‑identified by cross‑referencing them with public datasets or by using AI models trained on similar scans.
Metadata and hidden information. Medical images contain embedded metadata—patient name, date of birth, institution, and sometimes even referring physician notes. Some AI tools strip this metadata automatically, but not all do. A 2024 special RSNA report highlighted LLM‑related cybersecurity threats in radiology, noting that unsecured metadata is a common vector for data breaches.
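One way a hospital IT or security team can verify the metadata point above, as an added example that is not from the article or from RSNA: a small Python checker over a constructed DICOM-style header (explicit VR little-endian encoding, with the tag list trimmed to the attributes the article names) that reports which identifiers are still present and produces a copy with them removed, so what leaves the network can be audited rather than assumed. The sample header and its values are constructed for illustration; the helper is deliberately minimal and does not handle undefined-length sequences.

```python
import struct
# Attributes carrying direct identifiers, trimmed to those the article names.
IDENTIFYING_TAGS = {(0x0008, 0x0080): "InstitutionName", (0x0008, 0x0090): "ReferringPhysicianName",
                    (0x0010, 0x0010): "PatientName", (0x0010, 0x0030): "PatientBirthDate"}
# VRs that use 2 reserved bytes + a 4-byte length in explicit VR little-endian.
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}


def encode_element(group, element, vr, value):
    """Encode one short-VR element (explicit VR LE); value padded to even length."""
    if len(value) % 2:
        value += b" "
    return struct.pack("<HH", group, element) + vr + struct.pack("<H", len(value)) + value


def iter_elements(data):
    """Yield (tag, vr, value, raw_bytes) for each element of an explicit VR LE dataset."""
    pos = 0
    while pos < len(data):
        tag = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            start = pos + 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            start = pos + 8
        if length == 0xFFFFFFFF:  # undefined-length sequences are out of scope here
            raise ValueError("undefined-length element not supported")
        end = start + length
        yield tag, vr, data[start:end], data[pos:end]
        pos = end


def find_identifiers(data):
    """Return {attribute name: value} for identifying elements still present."""
    return {IDENTIFYING_TAGS[tag]: value.decode("ascii").strip()
            for tag, _vr, value, _raw in iter_elements(data) if tag in IDENTIFYING_TAGS}


def strip_identifiers(data):
    """Return a copy of the dataset with the identifying elements removed."""
    return b"".join(raw for tag, _vr, _value, raw in iter_elements(data)
                    if tag not in IDENTIFYING_TAGS)


# Constructed sample header: what a CT file might carry before any scrubbing.
SAMPLE_HEADER = b"".join([
    encode_element(0x0008, 0x0060, b"CS", b"CT"),
    encode_element(0x0008, 0x0080, b"LO", b"Example General Hospital"),
    encode_element(0x0008, 0x0090, b"PN", b"Doe^Jane"),
    encode_element(0x0010, 0x0010, b"PN", b"Patient^Test"),
    encode_element(0x0010, 0x0030, b"DA", b"19800101"),
])
```

Running `find_identifiers` on a file after a vendor's tool has processed it shows directly whether the tool's "automatic stripping" actually removed the identifiers.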
Why It Matters
Medical imaging data is some of the most sensitive personal information a person can have. It reveals not just anatomy but also underlying health conditions, pregnancy status, and even genetic markers. If this data is exposed, it could lead to:
- Discrimination by insurers or employers based on health indicators visible in scans.
- Identity theft using reconstructed facial images or linked metadata.
- Loss of control over who sees your private health information, especially if scans are processed by AI companies whose data‑handling practices are not transparent.
The Health Insurance Portability and Accountability Act (HIPAA) in the U.S. protects medical records, but it was written before cloud‑based AI tools became common. There is ambiguity about whether a third‑party AI processor qualifies as a “business associate” under HIPAA, and whether patient consent is required when AI is used solely for diagnostic assistance rather than for research.
In Europe, the GDPR imposes stricter rules, but enforcement across borders remains uneven. As AI in radiology becomes standard, the regulatory gap is likely to widen.
What Readers Can Do
You don’t need to become a privacy expert to protect yourself. Here are concrete steps you can take when undergoing any medical imaging procedure.
Ask your provider if AI will be used. Before an X‑ray, CT, or MRI, ask: “Will an AI tool be used to help analyze my images? If so, who developed it, and how is my data handled?” Many radiologists are open about this if asked.
Request an opt‑out if you’re uncomfortable. Some facilities allow you to decline AI‑assisted analysis for routine studies. The trade‑off may be a longer wait for results or a second opinion from a human radiologist. That is a personal decision, but you should know the option exists.
Demand transparency about data storage. Ask whether your images will be stored on a cloud server outside the hospital system, and whether the AI vendor has a data‑sharing or data‑selling policy. Most reputable vendors will provide a written privacy notice.
Know your rights under HIPAA or local law. You have the right to request an accounting of disclosures—a list of who has seen your medical records and for what purpose. This includes AI vendors, if they are considered business associates. If you suspect a breach, you can file a complaint with the Office for Civil Rights (U.S.) or your national data protection authority.
Consider using a patient portal to track your records. Many health systems now give you online access to your imaging reports and sometimes the images themselves. Monitoring this can help you spot unauthorized access.
Sources
- Radiological Society of North America (RSNA) – studies on facial reconstruction from CT/MRI scans and re‑identification risks. (Multiple presentations and reports, 2024–2026.)
- RSNA Special Report: “LLM Cybersecurity Threats in Radiology” – May 2025.
- U.S. Department of Health and Human Services – HIPAA guidance on business associates and cloud services.
Note: The exact prevalence of these risks is still being studied. Not every AI tool poses the same level of threat, and many vendors follow strong security practices. However, the trend is clear: as AI becomes embedded in everyday radiology, patient privacy warrants more attention—and more conversation between patients and their doctors.