Medical AI and Your Privacy: What Patients Need to Know About Imaging Risks
Artificial intelligence is now common in radiology. Hospitals use it to detect fractures, tumours, and early signs of disease faster than a human radiologist could alone. That sounds promising. But the same technology that improves diagnosis also creates new ways for your health data to be exposed, misused, or even faked.
If you’ve had an X-ray, MRI, or CT scan recently, your images were likely processed by AI at some point. What happens to those images after the radiologist reads them is less clear. Recent reports, including one from the Radiological Society of North America (RSNA), show that the privacy risks are real and growing.
What happened
In March 2026, RSNA published findings on deepfake X‑rays. Researchers showed that AI‑generated medical images—synthetic yet realistic scans—could fool both trained radiologists and the AI models used for diagnosis. The report wasn’t just an academic exercise. It demonstrated that someone with enough skill and access could create a fake X‑ray that looks authentic, potentially to commit insurance fraud, blackmail, or sabotage a diagnosis.
This is only one symptom of a larger problem. Medical images contain a lot of hidden information. Files in the DICOM (Digital Imaging and Communications in Medicine) format include metadata: patient name, date of birth, hospital, technician notes, sometimes even GPS coordinates of the imaging machine. Even when hospitals strip identifiers before sharing images for research, re‑identification is still possible. Researchers have shown they can match anonymised scans with public records using bone structure, body geometry, or the unique shape of a person’s lungs.
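For readers who handle the files themselves, here is one way to check whether a DICOM header still carries identifiers after a "de‑identification" pass. This is an added example, not code from RSNA or from any hospital system; it assumes the Explicit VR Little Endian encoding with no nested sequences, the function names are hypothetical, and both sample files are constructed.

```python
import struct

# Header tags that commonly carry direct identifiers (a subset of the DICOM dictionary).
IDENTIFYING_TAGS = {
    (0x0008, 0x0080): "InstitutionName", (0x0008, 0x1070): "OperatorsName",
    (0x0010, 0x0010): "PatientName", (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate", (0x0020, 0x4000): "ImageComments",
}
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # VRs using a 4-byte length

def element(group, elem, vr, value):  # encode one short-length element
    if len(value) % 2:
        value += b" "  # DICOM values are padded to an even length
    return struct.pack("<HH2sH", group, elem, vr, len(value)) + value

def residual_identifiers(blob):
    """Return {name: value} for identifying tags that are still populated."""
    if len(blob) < 132 or blob[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file")
    found, pos = {}, 132  # skip the 128-byte preamble and the DICM marker
    while pos + 8 <= len(blob):
        group, elem, vr = struct.unpack_from("<HH2s", blob, pos)
        if vr in LONG_VRS:   # 2 reserved bytes, then a 4-byte length
            fmt, off, hdr = "<I", 8, 12
        else:                # 2-byte length directly after the VR
            fmt, off, hdr = "<H", 6, 8
        if pos + hdr > len(blob):
            break
        (length,) = struct.unpack_from(fmt, blob, pos + off)
        pos += hdr
        if length == 0xFFFFFFFF or pos + length > len(blob):
            break  # undefined-length sequence or truncated file: stop, do not guess
        text = blob[pos:pos + length].decode("ascii", "replace").strip(" \x00")
        name = IDENTIFYING_TAGS.get((group, elem))
        if name and text:
            found[name] = text
        pos += length
    return found

# Constructed sample files (not real patient data), elements in ascending tag order.
def sample(values):  # values: institution, patient name, patient ID, birth date
    tags = [(0x0008, 0x0080, b"LO"), (0x0010, 0x0010, b"PN"),
            (0x0010, 0x0020, b"LO"), (0x0010, 0x0030, b"DA")]
    body = b"".join(element(g, e, vr, v) for (g, e, vr), v in zip(tags, values))
    return bytes(128) + b"DICM" + body

RAW = sample([b"EXAMPLE HOSPITAL", b"DOE^JANE", b"MRN0001", b"19700101"])
SCRUBBED = sample([b"EXAMPLE HOSPITAL", b"", b"", b""])  # institution left behind
```

An empty result only means these header fields are blank; it says nothing about re‑identification from the image content itself.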
AI makes this worse. The same pattern‑finding algorithms that detect disease can also pick out unique features that tie an image back to you. And when AI models are trained on large datasets of real patient images, those images—or the patterns they contain—can sometimes be reconstructed or leaked.
Beyond re‑identification, the RSNA report highlights the threat of deepfake images being used to manipulate medical records. In a world where remote diagnosis and digital image sharing are standard, it’s not far‑fetched to imagine forged scans being used to claim injury, obtain prescription drugs, or damage someone’s reputation.
Why it matters
Your medical images are not just clinical records. They are biometric data as personal as your fingerprints. A compromised scan can’t be replaced the way you replace a stolen credit card. If someone steals an image, they can use it for identity theft, insurance scams, or even impersonation.
There is also the less visible risk of bias and discrimination. AI models trained on datasets that don’t represent you—or that contain errors—may misdiagnose conditions or treat your data differently based on demographics. HIPAA, the main US health privacy law, does not fully address these risks. It covers how data is shared and stored, but not how AI systems infer new information or how third‑party AI vendors handle data after it leaves the hospital.
What readers can do
You can’t fully control how a hospital uses AI, but you can take practical steps to reduce your exposure.
Ask about encryption. Before an imaging procedure, ask the radiology department whether your images are encrypted in transit and at rest. Many hospitals are moving to secure cloud‑based platforms, but not all are transparent about it.
Check your patient portal. Most providers offer online access to imaging reports and sometimes to the images themselves. Look for options to limit sharing or to require a PIN or two‑factor authentication to view them. If the portal shares images with third‑party AI tools (for second opinions, for example), find out if you can opt out.
Request de‑identification. If you are asked to consent to your images being used for research or AI training, ask whether the hospital strips all metadata and whether the de‑identification method has been validated. Not all de‑identification is equally effective—some can be reversed.
Be cautious with cloud‑based image sharing. Apps and services that let you share images with a specialist or a second doctor can be convenient, but they often store copies on servers you don’t control. Read the privacy policy. If the service says it may use your data for training or analytics, consider alternative ways to share.
Watch for signs of medical identity theft. Check your insurance statements for imaging procedures you never had. If a scan appears in your medical record that you don’t remember, report it to the provider and your insurer immediately.
What should change
Hospitals and AI vendors have work to do. They need to adopt stronger anonymisation techniques, audit their AI models for bias, and give patients clear, simple choices about data use. Regulators should update HIPAA and other privacy laws to cover AI‑specific risks, such as algorithmic inference and deepfake detection standards.
Most of these changes are slow. In the meantime, the best protection is awareness. Your medical images are more than just clinical data—they are a digital map of your body that deserves the same care as your credit score or your passport.
Sources
- Radiological Society of North America (RSNA), “Deepfake X‑Rays Fool Radiologists and AI,” March 2026.
- RSNA, “Medical Imaging AI Opens a Pandora’s Box of Privacy‑Related Risks,” May 2026.
- General articles on medical data re‑identification, such as research by the Latanya Sweeney lab at Harvard, showing that 87% of the US population can be uniquely identified using only three data points (ZIP code, gender, date of birth).