Is Your Medical X-Ray a Privacy Risk? What You Need to Know About AI in Imaging
Artificial intelligence is transforming medical imaging—helping radiologists detect tumors, fractures, and other conditions more quickly and accurately. But as hospitals and clinics adopt these tools, they also collect vast amounts of digital image data. This data isn’t just a clinical asset; it’s a growing privacy concern. Recent research and incidents suggest that medical imaging AI opens a Pandora’s box of privacy-related risks, from re-identification attacks to deepfake scans that could fool both doctors and algorithms. If you’ve ever had an X-ray, MRI, or CT scan, you should understand what’s at stake and how to protect yourself.
What happened
Over the past few years, radiologists and computer scientists have demonstrated that medical images contain far more identifiable information than many realize. A face isn’t needed to identify a person—bone structure, blood vessel patterns, and even the unique shape of a spine can serve as a biometric fingerprint. Researchers have shown that de-identified medical images can often be matched to named patients using these features.
In 2025, the Radiological Society of North America (RSNA) published reports highlighting these emerging privacy threats. One study described how deepfake X-rays—synthetic images created by AI—can be generated that look authentic to both human readers and automated systems. Such images could be used to manipulate medical records, commit insurance fraud, or harm a person’s reputation. Other experiments have shown that AI models trained on large imaging datasets can inadvertently leak information about patients, enabling inference attacks that reveal sensitive conditions not directly visible in the images.
The scope of the problem is large. As more providers link imaging data with electronic health records (EHRs) and feed it into commercial AI platforms, the number of places where that data can be exposed multiplies. Breaches at hospitals and imaging chains—such as the 2024 ransomware attack on a major U.S. radiology provider—have already exposed millions of medical images to unauthorized parties.
Why it matters
Medical images are not just pictures; they are highly personal data points. Unlike a credit card number, you can’t simply cancel and replace your skeletal structure. Once medical image data is leaked, it may be used for stalking, blackmail, or discrimination in employment or insurance.
Another risk is subtle but troubling: deepfake medical images could be inserted into a patient’s record to change a diagnosis or create false evidence. A 2023 study found that radiologists and AI systems could be tricked by carefully crafted synthetic scans, raising concerns about fraud and diagnostic errors.
Even when images are de-identified for research, re-identification remains possible. A 2022 paper showed that a person’s face can be reconstructed from head CT scans with enough accuracy to match against public databases. And because many AI training datasets are shared openly, any vulnerability in the de-identification process can lead to widespread privacy violations.
Regulations like the U.S. Health Insurance Portability and Accountability Act (HIPAA) set rules for protecting identifiable health information, but they were written before deepfake technology and AI-driven re-identification became practical. Gaps remain—especially around how images are shared with third-party AI vendors, how long data is retained, and whether patients are even told their images may be used for algorithm training.
What readers can do
You do not need to avoid necessary medical imaging, but you can take several steps to reduce your risk.
Ask your provider about data practices. Before your scan, ask the radiology department or your doctor: Will my images be stored locally or sent to an external AI vendor? Are they used for training or research? How long are they kept? Providers governed by HIPAA must give you a notice of privacy practices, but many patients never read it. Ask directly.
Learn your patient rights. Under HIPAA, you have the right to request an accounting of disclosures of your health information, including images. You can also request that your images not be used for research or AI training in some cases. Not all facilities honor opt-outs easily, but it is worth asking.
Consider opting out of research databases. Many hospitals contribute de-identified imaging data to large repositories for algorithm development. While these efforts can improve medicine, they also carry re-identification risk. If you are uncomfortable, ask to be excluded from any such database.
Monitor your medical records. After an imaging exam, request a copy of the report and images (often available through a patient portal). If something looks off—a finding you don’t recall, or an image that seems inconsistent—flag it with your doctor. Deepfake manipulation could show up as a discrepancy.
Stay informed about breaches. The U.S. Department of Health and Human Services maintains a public list of large health data breaches. If your provider has had an incident, you should be notified, but you can also check the list. In case of a breach involving your images, change any passwords and monitor for identity theft.
Sources
- Radiological Society of North America (RSNA). “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks.” RSNA News, 2025.
- Mirsky, Y., et al. “CT-GAN: Malicious Tampering of 3D Medical Imagery using Deep Learning.” USENIX Security Symposium, 2019.
- Schwarz, C. G., et al. “Identification of Anonymous MRI Research Participants with Face-Recognition Software.” New England Journal of Medicine, 2019.
- U.S. Department of Health and Human Services. “Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information.” Accessed 2026.
- European Society of Radiology. “Patient Data Privacy and AI in Imaging,” 2024.