Medical AI Imaging Raises Privacy Red Flags: What Patients Need to Know

Artificial intelligence is making medical imaging faster and more accurate. Algorithms can now spot tumors, measure bone density, or flag suspicious lesions from a chest X-ray in seconds. But as radiology departments adopt these tools, a less discussed side effect is emerging: new routes for your private health data to slip out of your control.

A report presented at the Radiological Society of North America (RSNA) meeting earlier this year warns that AI in medical imaging “opens a Pandora’s box of privacy‑related risks.” The paper, titled Medical Imaging AI Opens a Pandora’s Box of Privacy‑Related Risks, details several ways that patient images and their associated metadata can be exposed, misused, or re‑identified. For patients, the message is not to avoid AI‑assisted care, but to become more aware of what happens to their scans after the radiologist reads them.

What happened

The RSNA report (published in Radiology, the society’s peer‑reviewed journal) describes how AI systems often require large datasets of medical images for training and validation. These datasets are usually built from clinical records, sometimes without explicit patient consent for secondary use. Even when data is de‑identified, researchers have shown that facial features or unique bone structures in a 3D scan can be matched to a specific person. The report also highlights that DICOM metadata—the technical information attached to every digital image, such as patient name, birth date, and hospital ID—is not always stripped before images are shared with AI vendors. If that metadata remains intact, a data breach could expose far more than just an X‑ray.

Why it matters

For patients, the consequences range from embarrassing leaks to serious identity theft. Medical images are among the most sensitive pieces of personal data. They can reveal not just a diagnosis, but also genetic markers, body shape, and even emotional state (some MRI scans show brain activity). Once an image is uploaded to a cloud‑based AI service, you lose practical control over who can see it, copy it, or sell it.

The report notes that several real‑world incidents have already occurred: in one case, a radiology AI vendor used patient scans to train a commercial product without notifying the hospitals involved. In another, DICOM metadata leaked through a misconfigured cloud bucket. While HIPAA in the United States and GDPR in Europe place some restrictions on how health data can be used, these laws have gaps. HIPAA, for instance, does not cover all AI vendors—only “covered entities” and their business associates. A startup that builds a diagnostic algorithm but doesn’t have a direct contract with a hospital may fall outside those rules. GDPR grants individuals more control, but enforcement across borders is inconsistent.

The RSNA report calls for better transparency: patients should be told when an AI tool is used on their images, what data leaves the hospital, and how long it is retained. Currently, most consent forms do not mention AI analysis at all.

What readers can do

You don’t have to become a privacy expert, but a few practical steps can reduce your exposure:

  1. Ask your doctor or radiologist whether an AI tool will be used on your scan and whether any images will be shared with a third‑party company. You have the right to know.

  2. Read the consent form before signing. If the form says something vague like “images may be used for research or quality improvement,” ask for specifics. You can often opt out of secondary use without affecting your care.

  3. Request a copy of your image data from the hospital’s medical records department. In many jurisdictions, you are entitled to receive your own DICOM files. Storing them locally gives you control—just be cautious about who you share them with later.

  4. Use a patient portal whenever possible. Portals let you view reports and images, and they usually log who accesses your data. If you see something unusual, report it.

  5. Limit sharing on social media or cloud storage. Some patients post their own scans online for crowdsourced opinions. That bypasses all institutional safeguards and can be scraped by companies you know nothing about.

  6. Report privacy concerns to your hospital’s privacy officer or to the relevant regulatory authority (such as the Office for Civil Rights in the U.S. or your local data protection authority in the EU).

Sources

  • Radiological Society of North America, “Medical Imaging AI Opens a Pandora’s Box of Privacy‑Related Risks,” Radiology, presented at RSNA 2025 annual meeting. Link to RSNA news release (summary).

  • HIPAA Privacy Rule, 45 CFR § 164.500 et seq.

  • General Data Protection Regulation (EU) 2016/679, Articles 9 and 22.

  • Additional background: “Special Report Highlights LLM Cybersecurity Threats in Radiology,” RSNA, May 2025. Link.

Last updated: May 2026