Medical AI Could Put Your Health Data at Risk: What You Need to Know
New research shows deepfake X-rays can fool doctors — here’s what it means for your privacy.
Artificial intelligence is transforming medical imaging. Algorithms can now spot tumors, fractures, and early signs of disease faster than many radiologists. But a growing body of research suggests this progress comes with a serious downside: privacy risks that most patients don’t yet know about.
A study presented at the Radiological Society of North America (RSNA) in 2026 found that deepfake X-rays can fool both human radiologists and AI diagnostic tools. This opens what researchers called “a Pandora’s box of privacy-related risks” — one that touches everything from misdiagnosis to identity theft.
What Happened
Researchers generated synthetic chest X-rays using a type of AI known as a generative adversarial network (GAN). They then asked radiologists and AI diagnostic systems to tell real scans from fake ones. The results were concerning: both humans and machines were frequently deceived.
These deepfake images weren’t just convincing — they were also capable of inserting or removing medical abnormalities. That means someone could generate a scan showing a condition that doesn’t exist, or hide a real problem, potentially leading to wrong treatment or insurance fraud.
The same technology could be used to create convincing medical records for fraudulent claims. Since medical images often contain metadata like patient names, dates, and facility information, a forged scan could be tied to a real person without their knowledge.
Why It Matters for Patients
Medical imaging privacy risks go beyond deepfakes. Here’s why the issue is urgent:
- Data richness. A chest X-ray doesn’t just show lungs. It captures body geometry, ribs, spine, and sometimes facial features. That’s biometric data that can be used to identify you.
- Storage and sharing. Images are often stored in cloud-based picture archiving and communication systems (PACS). If these systems are breached, your private health data can be leaked, sold, or used for blackmail.
- AI model training. Many hospitals share de-identified images to train algorithms. But “de-identification” isn’t always airtight — researchers have re-identified patients by matching images to public biometric databases.
- Gaps in the law. HIPAA remains the main federal privacy law for health data, but it was written long before AI was commonplace. It does not explicitly address AI-generated deepfakes, synthetic data, or the sale of medical images to third-party AI developers. Some states are now proposing legislation to close this gap, but no uniform national standard yet exists.
The combination of easy-to-use AI tools and weak regulatory guardrails means your medical images could be misused in ways you never agreed to.
What Readers Can Do
You don’t need to avoid necessary scans, but there are practical steps to protect your data:
- Ask before you scan. Before any imaging procedure, ask your provider: “Do you use AI to interpret my images, and if so, how? What happens to my images after they’re read? Are they shared with any third parties for AI training?” Legitimate practices should be able to give you a clear, written privacy notice.
- Request details on data storage. Find out how long your images are kept, where they are stored (on-site or cloud), and what security measures are in place. Ask if you can request deletion after you no longer need them.
- Read consent forms carefully. Many hospitals now include blanket consent for using your data in research or AI development. You have the right to opt out. If the form is vague, ask for clarification.
- Use patient portals responsibly. If you access your own images through a portal, make sure your account has a strong, unique password and two-factor authentication if available. Avoid downloading and storing images on public or shared devices.
- Know your rights under HIPAA. You are entitled to a copy of your medical records, including images. You can request an accounting of disclosures — a list of who has seen your data. If you suspect misuse, you can file a complaint with the Office for Civil Rights.
- Monitor for signs of medical identity theft. Watch for unexpected bills, insurance claims for procedures you never had, or letters about new medications you never took. If something seems off, contact your provider and insurer immediately.
The Road Ahead — and What’s Being Done
Researchers and policymakers are aware of the problem. The RSNA study itself called for “robust detection systems” and “ethical guidelines” for generative AI in medicine. Some professional societies are developing standards for securing imaging data and verifying authenticity.
A few states — including California and New York — have introduced bills that would require explicit patient consent before medical images can be used to train commercial AI models. Federal interest is growing as well, but legislation moves slowly.
For now, the most effective protection is your own awareness. Medical AI has real potential to improve diagnosis and care. But like any powerful tool, it needs guardrails. Understanding the risks and asking the right questions can help ensure your health data stays yours.
Sources
- RSNA 2026: “Deepfake X-Rays Fool Radiologists and AI.” Radiological Society of North America, March 2026.
- RSNA 2026: “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks.” RSNA News, May 2026.
- U.S. Department of Health and Human Services. “Your Rights Under HIPAA.” hhs.gov.
- State legislative proposals on medical data privacy, California AB 351 and New York A.6800 (2025–2026 sessions).