Medical AI Privacy Risks: Are You More Exposed Than You Think?
If you’ve used a symptom checker, a mental health chatbot, or a wellness app powered by artificial intelligence, you’ve shared personal health information with a system that may not treat everyone’s data equally. A recent study published on Telehealth.org has shed light on an uncomfortable truth: the privacy risks posed by medical AI tools are not evenly distributed. Some patients are more exposed than others, often in ways that reflect existing disparities in healthcare.
This article walks through what the study found, why it matters for your health data, and what you can do to reduce your exposure.
What Happened
The Telehealth.org study, published in July 2026, analyzed how medical AI tools collect, process, and share patient data. The researchers found that patients with chronic conditions, members of minority groups, and individuals seeking care for sensitive issues (mental health, reproductive health) face higher data exposure risks compared to other users.
Why? Two main reasons. First, these groups tend to use AI health tools more frequently or for longer periods, generating more data points. Second, AI models may profile patients based on demographic or clinical patterns, and those profiles can be shared with third parties in ways that make re-identification easier. The study notes that current consent practices often don’t account for these unequal exposures—a one-size-fits-all privacy notice can leave higher-risk patients unaware of how their specific data is being handled.
These findings align with broader trends. The HIPAA Journal has documented rising healthcare data breaches, with over 700 incidents reported in 2025 alone. And the American Psychological Association issued a health advisory in late 2025 warning that generative AI chatbots and wellness applications for mental health may collect data that can be used for purposes beyond the intended therapy, such as marketing or insurance risk assessments.
Why It Matters
Health data is uniquely sensitive. Unlike a credit card number, you cannot change your medical history. Once collected by an AI system, that information may be sold, leaked, or used to make decisions about your insurance coverage, employment, or treatment options.
The Telehealth.org study’s finding that exposure risks are higher for certain groups raises equity concerns. If a diabetes management app shares your blood glucose levels with an advertiser, you might see targeted ads for insulin—but if the same app shares data with an insurer, you could face higher premiums. Meanwhile, a patient using a mental health chatbot who reveals suicidal thoughts may find that information used to flag them as high-risk without their knowledge.
The National Academy of Medicine has called for better governance of AI in health settings outside hospitals and clinics. JD Supra’s “Decoded” newsletter from July 2026 highlights that regulatory gaps remain, particularly for direct-to-consumer AI health apps that are not covered by HIPAA. And Trend Micro’s research on exposed DICOM servers (used for medical imaging) shows that even backend infrastructure can leak patient data when AI systems are poorly integrated.
What Readers Can Do
You don’t have to stop using helpful AI health tools, but you can take steps to assess and reduce your data exposure. Here are practical actions:
Read the privacy policy – and look beyond the summary. Many apps bury meaningful disclosures in dense legal text. Search for terms like “share,” “sell,” “third party,” “anonymize,” and “re-identify.” If the policy says data is “de-identified,” check whether they use a standard like HIPAA’s Safe Harbor or expert determination. De-identification is not absolute.
Ask what data the AI tool needs. Some apps request access to your contacts, location, or phone storage when those permissions are unnecessary for the health function. Decline or limit access. If you cannot use the app without granting excessive permissions, consider an alternative.
Check whether the app is covered by HIPAA. Most consumer health apps are not subject to HIPAA unless they are offered by a covered entity (hospital, insurance plan) or its business associate. If the app is sold directly to you with a disclaimer, your data may have fewer legal protections.
Use a separate email and limited profile information. Avoid signing up with your main email address or providing your real name, date of birth, or address unless medically necessary. Some apps allow pseudonymous use.
Ask about data retention and deletion. Before entering personal information, find out how long the app keeps your data and whether you can delete it. Some tools allow you to delete your account and all associated data; others only deactivate the account while retaining the data.
Consider encrypting your communications. If the app offers end-to-end encryption for messages (common in mental health chatbots), use it. Without encryption, your conversations could be read by the company or intercepted.
Be cautious with symptom checkers and diagnosis bots. While these can be useful, they often accumulate a history of your symptoms. Limit the information you provide to what is necessary for the immediate query.
Sources
- Telehealth.org (July 2026). “Medical AI Privacy Study Finds Some Patients Face Greater Data Exposure Risks.”
- HIPAA Journal (June 2026). “Trends In Healthcare Data Breach Statistics.”
- American Psychological Association (November 2025). “Health advisory: Use of generative AI chatbots and wellness applications for mental health.”
- National Academy of Medicine (February 2025). “Advancing Artificial Intelligence in Health Settings Outside the Hospital and Clinic.”
- JD Supra “Decoded” Newsletter (July 2026). “Technology Law Insights, V 7, Issue 6, 2026.”
- Trend Micro (May 2026). “A Hidden Vulnerability in Healthcare: Exposed DICOM Servers and the Risk to Patient Data.”