Is Your Medical Scan Safe? The Privacy Risks of AI in Radiology

Artificial intelligence is rapidly becoming a standard tool in radiology. Algorithms now help radiologists detect tumors, fractures, and other abnormalities faster and sometimes more accurately than the human eye alone. For patients, this can mean earlier diagnosis and better outcomes. But the same technology that improves care also creates new privacy risks that many patients — and even some doctors — may not fully appreciate.

Recent findings presented at the Radiological Society of North America (RSNA) annual meeting highlight a troubling development: AI-generated deepfake X-rays that can fool both radiologists and other AI systems. This is just one facet of a larger privacy problem that involves how medical images are collected, stored, shared, and potentially misused.

What Happened

At RSNA 2026, researchers demonstrated that deepfake X-rays generated from real patients’ lung images could be altered convincingly enough to trick experienced radiologists and commercial AI screening tools. The synthetic images looked authentic and contained subtly altered anatomical features, raising the possibility that someone could insert or remove evidence of disease in a patient’s medical record.

This is not abstract theory. Medical images are already routinely stored in Picture Archiving and Communication Systems (PACS). These digital repositories are often shared with third-party AI vendors for algorithm training, quality improvement, or cloud-based analysis. A 2023 survey estimated that over 75% of U.S. radiology practices now use some form of AI, and many transmit image data outside their own networks.

The same RSNA session also reported findings that current privacy regulations like HIPAA (Health Insurance Portability and Accountability Act) were not designed with AI-generated or AI-manipulated images in mind. HIPAA covers identifiable health information, but it does not explicitly address synthetic images that can be created from real patient data, nor does it place clear restrictions on how AI models themselves — which may have been trained on millions of patient scans — are shared or sold.

Why It Matters

For patients, the privacy risks fall into three connected categories.

First, data exposure. When your scan is sent to an AI vendor, that vendor may retain copies of your images on its servers. If that vendor suffers a breach — and medical data breaches are now among the most common and costly — your entire imaging history could be leaked. Unlike a credit card number, you cannot cancel your X-ray and get a new one.

Second, unauthorized use of images. Your de-identified scan could be used to train an AI model without your explicit consent. While “de-identification” is supposed to remove personal details, researchers have repeatedly shown that re-identification is possible, especially when scans include facial features or unique anatomical markers.

Third, image manipulation and fraud. Deepfake X-rays introduce a more sinister possibility. If someone gains access to your medical imaging files, they could alter them to fake an injury, fabricate a pre‑existing condition, or wrongly clear you of one. A manipulated scan could affect insurance claims, legal proceedings, or employment physicals. Even if the original image remains secure, the threat is that synthetic images derived from your real scan could be created and circulated without your knowledge.

Current HIPAA rules treat medical images as protected health information during storage and transmission, but they do not regulate the output of AI models trained on that data. This gap leaves patients with limited recourse if their images are used in ways they did not authorize.

What Readers Can Do

You do not need to refuse an MRI, but you can take several practical steps to protect your privacy.

  • Ask your provider about AI use. Before a scan, ask: “Will an AI program be used to analyze my images? If so, are my images sent outside this facility? With whom are they shared, and how are they stored?” In many cases, the front‑office staff may not know the answers. If the radiologist is available, ask them directly. You have a right to understand how your data is handled.

  • Check if you can opt out of AI analysis. Some facilities allow you to request that your images be interpreted only by a human radiologist. This may mean slower turnaround, but it keeps your images from being transmitted to a third‑party vendor. Not all hospitals offer this option, but it is worth asking.

  • Review your medical records. Under HIPAA, you are entitled to access your imaging results and sometimes the images themselves. Periodically checking your records can help you spot discrepancies. If you ever see a scan you do not recognize, flag it immediately.

  • Be cautious with mobile health apps. Many direct-to-consumer services let you upload your own images for AI analysis. These apps often have weak privacy policies. Read the fine print: if the app says it can “share aggregated data” or “use images for research,” assume your scan may leave your control.

  • Support stronger privacy rules. Currently, no federal law explicitly covers AI‑generated medical images. Contacting your elected representatives and asking for updated HIPAA rules that address AI training data and synthetic images can help close the gap.

Sources

  • Radiological Society of North America, “Deepfake X-Rays Fool Radiologists and AI,” presented at RSNA 2026.
  • RSNA 2025 Technical Exhibits: Largest Radiology AI Showcase — highlights extent of AI adoption.
  • Multiple news reports summarizing RSNA findings on privacy risks and regulatory gaps.
  • HIPAA Privacy Rule (45 CFR § 164) — as basis for current protections and their limits regarding AI.

The bottom line: AI in radiology offers genuine medical benefits, but patients should not assume their scans are fully private. A few informed questions before your next imaging study can make a significant difference in keeping your health data under your control.