Medical AI and Your Privacy: What You Need to Know About Your Scans, Data, and Rights

If you’ve ever had an X-ray, MRI, or CT scan, those images may now be doing more than helping your doctor diagnose a condition. They could also be used to train artificial intelligence systems — often without your explicit knowledge or consent. A session at the 2026 Radiological Society of North America (RSNA) conference brought this concern into sharp focus, with experts warning that medical imaging AI opens a “Pandora’s box” of privacy risks.

What happened

At RSNA 2026, researchers and privacy advocates presented evidence that medical images used to develop AI tools can be re-identified, even after efforts to strip them of personal information. The headline article, “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks,” summarizes findings that standard de-identification methods — removing names, dates, and ID numbers — are not enough to prevent patient re-identification. Unique anatomical features, scan metadata, and even the shape of a person’s vertebrae can act as digital fingerprints.
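To make concrete why removing names, dates and ID numbers is not enough, here is an added example in Python (not code from the RSNA article or from any institution's pipeline). It builds a handful of constructed DICOM-style header records, applies the naive stripping step, and then runs the two checks a data-release reviewer would want: the k-anonymity of what remains, and a linkage attack against an auxiliary dataset that still carries names (assumed here to be an export sharing the same scanner and demographic fields, say from a breached scheduling system). The tag names follow DICOM attribute keywords, but the values are invented and no real DICOM files are read; the block covers only the metadata path, not the anatomical fingerprinting the session also described.

```python
"""Constructed demonstration: stripping direct identifiers from scan headers
is not anonymisation when the remaining metadata is unique.

Added example, not code from the RSNA article. All records are invented; tag
names follow DICOM attribute keywords, but nothing here reads real DICOM.
"""
from collections import Counter

TAGS = ("PatientName", "PatientID", "PatientBirthDate", "StudyDate",
        "PatientSex", "PatientAge", "InstitutionName", "DeviceSerialNumber",
        "Modality", "SliceThickness")

# Constructed sample headers: no real patients, institutions or scanners.
RAW_STUDIES = [dict(zip(TAGS, row)) for row in [
    ("DOE^JANE",    "MRN000101", "19700115", "20250302", "F", "055Y", "Example Hospital", "SN-CT-0042", "CT", "1.25"),
    ("POE^ALICE",   "MRN000102", "19690830", "20250311", "F", "055Y", "Example Hospital", "SN-CT-0042", "CT", "1.25"),
    ("ROE^RICHARD", "MRN000103", "19620704", "20250305", "M", "062Y", "Example Hospital", "SN-CT-0042", "CT", "1.25"),
    ("ROE^ROBERT",  "MRN000104", "19580712", "20250318", "M", "066Y", "Example Hospital", "SN-CT-0017", "CT", "2.50"),
    ("BLOGGS^JOE",  "MRN000105", "19540201", "20250307", "M", "071Y", "Example Hospital", "SN-CT-0017", "CT", "2.50"),
    ("BLOGGS^FRED", "MRN000106", "19490926", "20250320", "M", "075Y", "Example Clinic",   "SN-CT-0099", "CT", "1.25"),
    ("SMITH^ANNA",  "MRN000107", "19900505", "20250309", "F", "034Y", "Example Clinic",   "SN-MR-0009", "MR", "3.00"),
    ("SMITH^BETH",  "MRN000108", "19870110", "20250314", "F", "038Y", "Example Clinic",   "SN-MR-0009", "MR", "3.00"),
]]

# The "standard" step the article describes: drop names, dates and ID numbers.
DIRECT_IDENTIFIERS = {"PatientName", "PatientID", "PatientBirthDate", "StudyDate"}

# What survives naive stripping and can be matched against other data sources.
NAIVE_QUASI = ("PatientSex", "PatientAge", "InstitutionName",
               "DeviceSerialNumber", "Modality", "SliceThickness")
# What survives the generalised release below.
GENERAL_QUASI = ("PatientSex", "PatientAge", "Modality")


def naive_deidentify(header):
    """Remove direct identifiers only; every other tag passes through untouched."""
    return {k: v for k, v in header.items() if k not in DIRECT_IDENTIFIERS}


def age_band(patient_age):
    """Coarsen a DICOM age string such as '055Y' to a decade band '050-059'."""
    low = int(patient_age[:3]) // 10 * 10
    return f"{low:03d}-{low + 9:03d}"


def generalized_deidentify(header):
    """Drop direct identifiers, drop site and scanner fields, band the age."""
    out = naive_deidentify(header)
    for tag in ("InstitutionName", "DeviceSerialNumber", "SliceThickness"):
        out.pop(tag, None)
    out["PatientAge"] = age_band(out["PatientAge"])
    return out


def quasi_key(header, fields):
    """The tuple of quasi-identifier values an attacker would match on."""
    return tuple(header.get(f) for f in fields)


def k_anonymity(records, fields):
    """Size of the smallest group of records sharing one quasi-identifier key."""
    return min(Counter(quasi_key(r, fields) for r in records).values())


def link_to_reference(deidentified, reference, fields, transform):
    """Linkage attack. `reference` is an auxiliary dataset that still carries
    names (the raw headers stand in for a breached scheduling export); it is
    passed through the same `transform` so keys are comparable. Returns
    {index_in_deidentified: PatientName} for records matched uniquely."""
    index = {}
    for ref in reference:
        index.setdefault(quasi_key(transform(ref), fields), []).append(ref["PatientName"])
    linked = {}
    for i, rec in enumerate(deidentified):
        candidates = index.get(quasi_key(rec, fields), [])
        if len(candidates) == 1:
            linked[i] = candidates[0]
    return linked


def run_demo():
    """Compare the naive release with the generalised one on the same records."""
    naive = [naive_deidentify(h) for h in RAW_STUDIES]
    general = [generalized_deidentify(h) for h in RAW_STUDIES]
    return {
        "naive_k": k_anonymity(naive, NAIVE_QUASI),
        "naive_linked": link_to_reference(naive, RAW_STUDIES, NAIVE_QUASI, naive_deidentify),
        "general_k": k_anonymity(general, GENERAL_QUASI),
        "general_linked": link_to_reference(general, RAW_STUDIES, GENERAL_QUASI, generalized_deidentify),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

On the constructed data the naive release has k = 1 and six of eight "de-identified" headers link back to a name purely from sex, exact age, site and scanner serial; the two that survive do so only because two patients happen to share every field. Banding the age and dropping the site and scanner fields gives k = 2 and no unique links. The reviewer's check is the k-anonymity figure, not the absence of a name field, and real releases also have to account for the pixel data itself, which this block does not touch.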

Beyond re-identification, the data pipeline itself is concerning. Hospitals and imaging centers often share large sets of scans with AI developers, sometimes through research agreements that patients never signed up for. In other cases, scans originally collected for clinical care are repurposed for machine learning without specific consent. The scale is enormous: millions of images are fed into algorithms each year.

Why it matters

The consequences extend beyond a theoretical privacy breach. If scans can be re-identified, that opens the door to:

  • Discrimination: Insurers or employers might gain access to health information embedded in imaging data — a prior injury, a chronic condition, or incidental findings.
  • Data breaches: Medical imaging databases are increasingly targeted. Once a scan is linked to a name, the full record becomes more valuable on black markets.
  • Loss of trust: Patients who feel their data is used without permission may avoid necessary imaging, undermining both care and research.

Current regulations offer incomplete protection. HIPAA in the United States covers health data held by covered entities, but the Privacy Rule stops applying once data has been "de-identified" under one of its two standards: Safe Harbor (removing 18 listed identifiers such as names, dates and record numbers) or Expert Determination. Safe Harbor is essentially the stripping step the RSNA session showed to be insufficient for imaging, so data that is still re-identifiable can leave HIPAA's scope. GDPR in Europe is stricter on paper, since pseudonymised data that can still be traced to a person remains personal data, but enforcement across borders and through data-sharing agreements remains inconsistent.

What readers can do

You don’t have to become a privacy expert to take reasonable steps. Here are practical actions:

  1. Ask your provider before imaging. When scheduling a scan, ask: “Will my images be used in any AI training or research? If so, can I opt out?” Some institutions have consent forms that let you choose. Even if they don’t, asking puts the question on record.

  2. Review the consent forms you sign. Many hospital consent forms include broad language about using your data for “quality improvement” or “research.” That can cover AI training. If the form is vague, ask for clarification or request to limit use to your direct care only.

  3. Check your health system’s privacy policy. Some larger systems publish their data-sharing practices online. Look for sections on “de-identified data,” “secondary use,” or “artificial intelligence.” If you don’t see clear disclosures, consider contacting the privacy office.

  4. Support stronger regulations. Individual opt-outs are limited. Long-term change requires policies that require meaningful consent for AI training, mandate stronger de-identification standards, and enforce penalties for re-identification. Advocacy groups and consumer privacy organizations often provide templates for contacting legislators.

  5. Be aware of genetic privacy too. A scan does not itself contain your genome, but research datasets increasingly pair imaging with genetic test results, pathology or other molecular findings from the same record. Once a scan in such a linked dataset is re-identified, everything joined to it is exposed as well. Treat any consent that covers linked imaging and genetic data as especially sensitive.

Sources

  • “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks.” Radiological Society of North America (RSNA), May 20, 2026. (News article summarizing conference presentation.)
  • HIPAA Privacy Rule, U.S. Department of Health and Human Services.
  • General Data Protection Regulation (GDPR), European Union.

Note: The details of re-identification techniques and specific institutional practices are still emerging. The severity of risk may vary by region and type of imaging. This article is not legal or medical advice.