Medical AI and Your Privacy: What to Know About Imaging Data Risks
AI is making its way into nearly every part of healthcare, and medical imaging is no exception. From X-rays to MRIs, algorithms are now used to help radiologists spot tumors, measure organ sizes, and flag abnormalities. These tools can improve accuracy and speed, but they also introduce new privacy risks that patients should be aware of.
Recent reports from the Radiological Society of North America (RSNA) highlight a growing concern: the same technology that helps diagnose disease can also be used to manipulate images, expose personal health data to third parties, and potentially undermine the trust we place in medical imaging.
What happened
In May 2026, RSNA published a report warning that AI-powered imaging tools are creating a “Pandora’s box” of privacy and security issues. The report outlines several problems:
- Medical images are increasingly sent to cloud-based AI services for analysis. The files transferred often carry patient identifiers (name, date of birth, medical record number and the like) that go well beyond what the analysis strictly needs.
- Third-party AI vendors may retain copies of images or derived data for model training, sometimes without explicit patient consent.
- A separate study, also presented by RSNA in March 2026, demonstrated that AI-generated “deepfake” X-rays could fool both human radiologists and AI detection systems. These fake images can be inserted into a patient’s record to manipulate a diagnosis or commit insurance fraud.
The deepfake study is particularly alarming. Researchers showed that by training a generative AI on a small set of real X-rays, they could produce synthetic images that appear almost identical to real scans. In tests, radiologists and automated screening tools failed to distinguish the fakes from genuine images about as often as they succeeded.
Why it matters
Most people assume their medical images are kept private and used only for their own care. But the shift toward AI-assisted radiology changes that assumption in three key ways.
First, data sharing is often invisible. When you get an MRI at a hospital that uses an AI service, the image may be transmitted to an external company's server. That company might store it, analyze it for research, or use it to improve its commercial product. HIPAA (the Health Insurance Portability and Accountability Act) requires covered entities like hospitals to protect your data, and a vendor that handles it on the hospital's behalf must sign a "business associate agreement" that extends those obligations to the vendor. But such an agreement can allow the vendor to de-identify the data, and once data has been de-identified under HIPAA's standard it falls outside the law entirely and can be retained and reused without your consent. In practice, enforcement is uneven, and many patients are never told their images are leaving the hospital's network.
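What "only what is strictly necessary" looks like at the level of an image header, as an added illustration that is not from the RSNA report or any vendor's product: an allow-list filter that keeps the attributes a model plausibly needs, replaces linkage keys with a keyed hash so the hospital can match results back but the vendor cannot reverse them, shifts dates and caps ages, and then checks that no direct identifier survives before the file is allowed out. The attribute keywords are the DICOM standard ones; the allowed-attribute list, the sample header and the key are constructed assumptions.

```python
"""Minimum-necessary filtering of a DICOM-style header before an image is sent
to an external AI service. Added illustration: the attribute keywords are the
DICOM standard ones, but the header below and the allowed-attribute list are
constructed assumptions, not a real record or a real vendor's requirements."""
import hashlib
import hmac
import re
from datetime import date, timedelta

# Assumption: a chest X-ray classifier that needs geometry, acquisition
# parameters and sex, and nothing that identifies the person.
ALLOWED = {
    "Modality", "BodyPartExamined", "ViewPosition", "Rows", "Columns",
    "PixelSpacing", "BitsStored", "PhotometricInterpretation", "PatientSex",
}
# Kept only after transformation: linkage keys are replaced with a keyed hash
# so the hospital can match results back while the vendor cannot reverse them.
PSEUDONYMISED = {"PatientID", "StudyInstanceUID", "SOPInstanceUID"}
DATES = {"StudyDate", "SeriesDate", "AcquisitionDate"}
# HIPAA Safe Harbor direct identifiers that must never leave the facility.
DIRECT_IDENTIFIERS = {
    "PatientName", "PatientBirthDate", "OtherPatientIDs", "PatientAddress",
    "PatientTelephoneNumbers", "AccessionNumber", "ReferringPhysicianName",
    "InstitutionName", "ImageComments", "OperatorsName",
}

def pseudonymise(value: str, key: bytes) -> str:
    # Keyed hash: an unkeyed SHA-256 of a short MRN is trivially brute-forced.
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:32]

def shift_date(yyyymmdd: str, offset_days: int) -> str:
    # DICOM DA format is YYYYMMDD. The offset must be constant per patient so
    # that intervals between that patient's studies remain meaningful.
    d = date(int(yyyymmdd[:4]), int(yyyymmdd[4:6]), int(yyyymmdd[6:]))
    return (d + timedelta(days=offset_days)).strftime("%Y%m%d")

def cap_age(age: str) -> str:
    # DICOM AS format, e.g. "093Y". Safe Harbor aggregates ages 90 and over.
    m = re.fullmatch(r"(\d{3})([DWMY])", age)
    if m and m.group(2) == "Y" and int(m.group(1)) >= 90:
        return "090Y"
    return age

def minimise_header(header: dict, linkage_key: bytes, date_offset: int) -> dict:
    """Return a new header containing only what the model needs. Anything not
    explicitly handled is dropped: an allow-list, not a block-list, because
    new or vendor-private tags would otherwise slip through."""
    out = {}
    for tag, value in header.items():
        if tag in ALLOWED:
            out[tag] = value
        elif tag in PSEUDONYMISED:
            out[tag] = pseudonymise(str(value), linkage_key)
        elif tag in DATES:
            out[tag] = shift_date(value, date_offset)
        elif tag == "PatientAge":
            out[tag] = cap_age(value)
        # everything else, including PatientName and free-text comments, is dropped
    return out

def direct_identifiers_present(header: dict) -> list:
    """Post-condition check run on the outbound header; the export should be
    blocked if this returns anything."""
    return sorted(tag for tag in header if tag in DIRECT_IDENTIFIERS)

# Constructed sample header (not a real patient).
SAMPLE_HEADER = {
    "PatientName": "DOE^JANE", "PatientID": "MRN0012345",
    "PatientBirthDate": "19320415", "PatientAge": "093Y", "PatientSex": "F",
    "StudyDate": "20250602", "AccessionNumber": "ACC778899",
    "ReferringPhysicianName": "SMITH^JOHN",
    "InstitutionName": "Example General Hospital",
    "ImageComments": "pt called re results 555-0142",
    "StudyInstanceUID": "1.2.3.4.5.100", "SOPInstanceUID": "1.2.3.4.5.101",
    "Modality": "CR", "BodyPartExamined": "CHEST", "ViewPosition": "PA",
    "Rows": 2048, "Columns": 2048, "PixelSpacing": [0.139, 0.139],
    "BitsStored": 12, "PhotometricInterpretation": "MONOCHROME2",
    "PrivateVendorTag": "serial 7741-ABC",
}

if __name__ == "__main__":
    outbound = minimise_header(SAMPLE_HEADER, b"example-linkage-key", -37)
    assert not direct_identifiers_present(outbound)
    print(outbound)
```

Two caveats a practitioner would add. The filter only sees structured attributes: vendor-private tags are dropped by the allow-list, but text burned into the pixels themselves (common on ultrasound and some older CR images) needs separate handling. And the header leaving the facility is still not anonymous if the vendor can combine it with other sources, which is why the linkage key must stay inside the hospital.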
Second, the deepfake threat is real. While no large-scale attacks have been reported yet, researchers have shown it is technically possible to create convincing fake medical images. A bad actor could alter a scan to hide a condition, add a false finding, or plant evidence of a disease that doesn't exist. Insurers, employers, or even law enforcement could be misled. And since neither radiologists nor automated detectors reliably spotted the fakes in the study, such images might go unnoticed.
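Because the study found that neither human readers nor automated detectors reliably spot a convincing fake, the durable defence is to make the record tamper-evident rather than to try to out-guess the image generator. The following is an added example, not from the RSNA report or any PACS vendor: the acquisition system seals each image together with its identity and context under a keyed digest at capture time, and any later byte-level edit, any re-sealing by someone without the key, and any substitution of a genuine image from another study all fail verification. The key, the UIDs and the pixel data are constructed.

```python
"""Tamper-evident imaging records. A keyed digest taken at acquisition time
lets anyone holding the key detect a later edit or substitution of the pixel
data, whether or not the change looks realistic. Added illustration; the key,
UIDs and pixel data below are constructed."""
import hashlib
import hmac
import json

def pixel_digest(pixels: bytes) -> str:
    return hashlib.sha256(pixels).hexdigest()

def seal_image(key: bytes, sop_uid: str, patient_id: str, study_date: str,
               pixels: bytes) -> dict:
    """Run by the acquisition system (modality or PACS ingest) before the image
    is available to anyone else. The MAC covers the image identity and context
    as well as the pixel digest, so a genuine sealed image from another study
    cannot simply be copied into this record."""
    body = {
        "sop_instance_uid": sop_uid,
        "patient_id": patient_id,
        "study_date": study_date,
        "pixel_sha256": pixel_digest(pixels),
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return {**body, "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}

def verify_image(key: bytes, record: dict, pixels: bytes,
                 sop_uid: str, patient_id: str) -> tuple:
    """Run when the image is read, for example before a radiologist or an AI
    tool sees it. Returns (ok, reason)."""
    body = {k: v for k, v in record.items() if k != "mac"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    expected_mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, record.get("mac", "")):
        return False, "seal record altered or not issued by the acquisition key"
    if body["sop_instance_uid"] != sop_uid or body["patient_id"] != patient_id:
        return False, "sealed image belongs to a different study or patient"
    if not hmac.compare_digest(pixel_digest(pixels), body["pixel_sha256"]):
        return False, "pixel data changed since acquisition"
    return True, "ok"

def sample_pixels(seed: bytes, n: int = 4096) -> bytes:
    # Deterministic stand-in for a 64x64 8-bit image; constructed, not a scan.
    return hashlib.shake_256(seed).digest(n)

if __name__ == "__main__":
    key = b"constructed-acquisition-key"
    scan = seal = None
    scan = sample_pixels(b"patient-A")
    seal = seal_image(key, "1.2.3.4.5.201", "P-A", "20250602", scan)
    print(verify_image(key, seal, scan, "1.2.3.4.5.201", "P-A"))
    # A single-byte edit, far subtler than any synthetic lesion, is caught.
    edited = bytearray(scan)
    edited[1000] ^= 0x01
    print(verify_image(key, seal, bytes(edited), "1.2.3.4.5.201", "P-A"))
```

The HMAC form is the simplest to read, but it means every verifier must hold the acquisition key; in production a public-key signature is used instead so that the signing key never leaves the modality, and the DICOM standard itself defines a Digital Signatures module for exactly this purpose. The scheme also has a clear boundary: it says nothing about an image forged before sealing, or by someone who holds the key, which is why the key must live on the acquisition device and not on a general-purpose server.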
Third, current laws have gaps. HIPAA was written in 1996, long before AI became widespread. It doesn't clearly address how long vendors can keep your images, it gives you no general right to have them deleted, and it says nothing about what happens when de-identified data is combined with other sources to re-identify you. Some hospitals include clauses in consent forms that grant broad permission for data use, and patients often sign without reading the fine print.
What readers can do
You don’t need to become a privacy expert to take some practical steps. Here are specific questions to ask before an imaging exam, and a few habits to adopt:
Ask your provider about AI use. Before getting a scan, ask: “Will any AI software be used to analyze my images? If so, which company provides it, and does my data leave this facility?” Some hospitals have started including this information in patient portals, but many still don’t volunteer it.
Request a clear data-use policy. Ask for a written explanation of how your images and health data are stored, shared, and retained. If the policy says data may be used for “research” or “product improvement,” ask what protections are in place. Some facilities let you opt out of secondary uses.
Check your radiology consent forms. Before signing, look for language about data sharing with third parties. If it's vague or seems overly broad, ask for clarification. You can refuse to authorize uses that are not part of your own care, and under HIPAA a provider generally cannot make your treatment conditional on signing such an authorization.
Monitor your own records. After an imaging exam, you are entitled to a copy of the images and the radiology report. Compare what you see with your medical history. If something seems off—for example, a finding that contradicts prior scans—ask for a second interpretation by a human radiologist not involved in the AI analysis.
Advocate for stronger standards. Organizations like RSNA and the American College of Radiology are discussing better guidelines. Patient voices matter. If you are part of a hospital patient advisory group, raise these concerns. If not, consider contacting your hospital’s privacy officer to express interest in transparency around AI use.
Sources
- RSNA, “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks,” May 2026.
- RSNA, “Deepfake X-Rays Fool Radiologists and AI,” March 2026.
- HealthIT.gov, “HIPAA for Professionals” (overview of rules).
Note: The deepfake study referenced above was a proof-of-concept; actual patient harm has not been documented as of this writing. However, the technical capability is established, and the privacy risks from data sharing are current.