Medical AI and Your Privacy: What You Need to Know About Imaging Data Risks

Artificial intelligence is changing how radiologists read X-rays, MRIs, and CT scans. Algorithms can flag tumors, measure organ sizes, and even predict disease progression faster than a human eye alone. But these same tools are creating new privacy risks for patients—some of which even experts are still trying to understand.

A recent article from the Radiological Society of North America (RSNA) warns that medical imaging AI has opened what it calls a “Pandora’s box” of privacy-related concerns. The article highlights issues ranging from data breaches to the emergence of deepfake X‑rays that can fool both radiologists and diagnostic AI systems.

What happened

In March 2026, RSNA published coverage of a study showing that AI-generated fake X‑rays—known as deepfakes—could be mistaken for real images by trained radiologists and by the AI tools designed to analyze them. This is not just a theoretical exercise: researchers demonstrated that it’s possible to insert or remove medical findings in an X‑ray, such as a lung nodule, without leaving obvious traces of manipulation.

At the same time, the RSNA technical exhibits in 2025 featured the largest radiology AI showcase to date, underscoring how quickly these tools are being adopted into clinical workflows. More AI means more data flowing through third-party cloud servers, vendor platforms, and research databases—each step a potential exposure point for patient images and associated metadata.

Other recent incidents reinforce the concern. Major health systems have reported breaches involving imaging archives, and researchers have repeatedly shown that de‑identified medical images can often be re‑identified by matching them against public facial recognition databases or other records.

Why it matters for patients

Medical images are among the most sensitive pieces of personal data a person can generate. An X‑ray of your chest contains not only your anatomy but also metadata like your date of birth, sex, and sometimes your name or medical record number. If that data leaks, it can lead to discrimination by insurers or employers, identity theft, or even harassment. The ability to forge a plausible medical image also opens the door to insurance fraud, falsified disability claims, or malicious tampering with someone’s health record.

Most patients are never told where their images go after the radiologist reads them. Many hospitals and imaging centers use cloud‑based AI services that may store, process, or even train models on that data—sometimes in ways patients haven’t explicitly consented to. Under U.S. law, HIPAA governs how covered entities handle protected health information, but its protections have limits once data is shared with certain research partners or de‑identified according to standards that critics argue are too weak.

What you can do as a patient

You don’t need to be a privacy expert to reduce your risk. Here are concrete steps you can take.

Ask before you scan. When your doctor orders an imaging test, ask the facility how your images will be stored, who will have access, and whether they are shared with any AI vendors or research projects. You have a right to this information under HIPAA’s notice of privacy practices.

Opt out of secondary uses. Many institutions allow you to restrict your data from being used for research or product development. While this may slow progress in AI development, the choice is yours. Tell the facility in writing if you do not want your images used beyond your immediate care.

Review your rights under HIPAA. You can request a copy of your images and records. You can also ask for an accounting of disclosures—a log of who has accessed your data. If you suspect a breach, you can file a complaint with the Office for Civil Rights.

Look for the right protections. When a facility uses an AI service, it should ensure the vendor uses encryption both in transit and at rest, limits data retention to what is necessary, and strips identifiable metadata before any model training. You can ask whether these practices are in place.

Be aware of deepfake risks. While you can’t prevent someone from forging an image, you can periodically review your medical records for any discrepancies. If an image in your file seems to show a condition you’ve never been diagnosed with—or if a known finding disappears—raise the issue with your provider.
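For readers on the facility or vendor side, the sketch below shows what stripping identifiable metadata before model training can look like, including a check for a name left behind in a free-text comment. It is an added example, not code from RSNA or any vendor; the field names are assumed DICOM-style attribute keywords, and the function names, key, and sample header are constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumed DICOM-style attribute keywords; the field list is illustrative.
DIRECT_IDENTIFIERS = {"PatientName", "PatientBirthDate", "PatientAddress",
                      "ReferringPhysicianName", "AccessionNumber"}

# Constructed sample header; none of these values belong to a real patient.
SAMPLE_HEADER = {
    "PatientName": "DOE^JANE", "PatientID": "MRN-004417",
    "PatientBirthDate": "19840312", "PatientSex": "F",
    "ReferringPhysicianName": "SMITH^ALAN", "AccessionNumber": "ACC-1002003",
    "Modality": "DX", "StudyDescription": "CHEST PA",
    "ImageComments": "Jane Doe, portable, repeat for motion",
}


def pseudonym(patient_id, site_key):
    """Keyed token: stable per patient, not recomputable without the key."""
    digest = hmac.new(site_key, patient_id.encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def deidentify(header, site_key):
    """Drop direct identifiers; replace the record number with a pseudonym."""
    cleaned = {k: v for k, v in header.items() if k not in DIRECT_IDENTIFIERS}
    if "PatientID" in cleaned:
        cleaned["PatientID"] = pseudonym(cleaned["PatientID"], site_key)
    return cleaned


def residual_leaks(original, cleaned):
    """Fields in the cleaned header that still contain an identifier value,
    e.g. a name typed into a free-text comment."""
    tokens = set()
    for field in DIRECT_IDENTIFIERS | {"PatientID"}:
        for tok in re.split(r"[\^\s,]+", str(original.get(field, ""))):
            if len(tok) >= 3:
                tokens.add(tok.lower())
    # The pseudonymised PatientID is skipped; it is a keyed hash, not raw text.
    return sorted(f for f, v in cleaned.items() if f != "PatientID"
                  and any(t in str(v).lower() for t in tokens))


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice a secret held only by the site
    cleaned = deidentify(SAMPLE_HEADER, key)
    print(cleaned)
    print("still identifying:", residual_leaks(SAMPLE_HEADER, cleaned))
```

Removing the named fields is not enough on its own: the comment field in the sample still carries the patient's name, which is why the second check exists. Identifiers burned into the image pixels themselves are outside what this header-level check can see.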

Industry safeguards and limitations

Organizations like RSNA are working on standards for ethical AI use, including transparency guidelines and data minimization requirements. Some AI vendors now offer on‑premise processing so that images never leave the hospital’s network. Others use federated learning, where algorithms train on decentralized data and never see raw images directly.

But these safeguards are not universal. Regulation lags behind technology, and many smaller facilities lack the resources to enforce strict privacy controls. The industry is still in the early stages of figuring out how to balance innovation with patient protection.

Sources

  • RSNA News: “Medical Imaging AI Opens a Pandora’s Box of Privacy‑Related Risks” (May 2026)
  • RSNA: “Deepfake X‑Rays Fool Radiologists and AI” (March 2026)
  • RSNA: “RSNA 2025 Technical Exhibits Feature Largest Radiology AI Showcase” (September 2025)