Medical AI Privacy Risks: What Patients Should Know About Their Scans

Medical imaging has become one of the most powerful tools in modern diagnosis, and AI is accelerating that progress. Algorithms can now spot tumors, measure organ volumes, and flag abnormalities faster than many radiologists. But this rapid adoption has a less-publicized side: patient privacy is increasingly at risk, and some of those risks are new.

Recent research presented at the Radiological Society of North America (RSNA) 2026 meeting highlighted a troubling development: deepfake X-rays can fool both radiologists and the AI systems designed to detect fraud. The same technology that enables AI to read scans can also be turned against patients and providers.

What the RSNA Study Found

Researchers demonstrated that synthetic medical images — realistic enough to fool trained experts — could be generated using publicly available techniques. In controlled tests, both human radiologists and AI diagnostic tools misidentified deepfake chest X-rays as genuine patient scans. The study did not claim this is widespread yet, but it proved the concept is feasible. If bad actors can insert a manipulated scan into a hospital’s system, the consequences range from misdiagnosis to fraudulent insurance claims.

The RSNA abstract notes that these synthetic images include not only the visual data but also embedded metadata (patient name, date of birth, exam details) that thieves could exploit. Without proper safeguards, an attacker could swap a real scan with a fake one — or extract sensitive data from image headers.

Why It Matters for Patients

You might assume your medical images are safely locked inside a hospital’s network. In reality, radiology images are often shared across multiple providers, stored in cloud systems, and accessed by third-party AI vendors. Each handoff is a potential leak point. A 2024 study in the Journal of Medical Imaging found that over 60% of imaging centers still transmit images without full encryption, and metadata removal is inconsistent.

Here are the practical risks to you:

  • Misdiagnosis or delayed diagnosis. If someone swaps your lung scan with a deepfake that looks healthy, a real nodule might be missed — or vice versa, leading to unnecessary procedures.
  • Insurance and billing fraud. A fake scan could be used to justify expensive treatments, and your insurance could be billed for services you never received.
  • Identity theft. Medical images are rich in personally identifiable information. Name, birthdate, address, and insurance ID can be extracted from metadata or the image itself.
  • Blackmail or discrimination. Abnormal scans (e.g., HIV-related findings, mental health imaging) could be leaked or sold.

What Patients Can Do

You can’t control how every hospital manages its data, but you can take a few practical steps to reduce your exposure.

  1. Ask about encryption before your scan. When scheduling, ask: “Do you encrypt medical images when storing or sharing them with other providers?” If the answer is uncertain, consider requesting that your images be shared only via a secure patient portal, not email or unencrypted cloud links.

  2. Check your rights under HIPAA or GDPR. In the U.S., HIPAA gives you the right to request an accounting of who has accessed your medical images. Under GDPR in Europe, you have the right to ask for deletion of images that are no longer needed for care. Use those rights if you suspect a leak.

  3. Use secure portals, not personal cloud storage. If your provider offers a patient portal with built-in image viewing (like a DICOM viewer), use it. Avoid downloading scans and then uploading them to Dropbox, Google Drive, or any consumer cloud service — those files often retain metadata.

  4. Ask if AI is used — and how patient data is protected. Many imaging centers now use AI tools from third parties. Ask: “Is the AI hosted on-site or in the cloud? Are images de-identified before being sent to an AI vendor?” Some vendors require identifiable data for algorithm training, which creates additional privacy risk.

  5. Review your medical records periodically. Request a copy of your radiology reports and associated images every year or two. Look for scans or reports you don’t recognize — they could be evidence of fraud or data misuse.
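To make concrete what "metadata in image headers" means in steps 3 and 4 above, here is an added example (written for this page, not code from the article or from any vendor) that parses a constructed, minimal DICOM Part 10 file in pure Python, reports the patient-identifying header fields it finds, and blanks them before the file leaves the provider. The three-tag PHI list, the sample file and the blank-with-spaces rule are simplifications assumed for the example; a real de-identification tool follows the full DICOM PS3.15 confidentiality profile and also handles text burned into the pixels.

```python
import struct

# Tags carrying direct patient identifiers: a small, constructed subset of
# the DICOM de-identification profile (PS3.15), enough for this example.
PHI_TAGS = {(0x0010, 0x0010): "PatientName",
            (0x0010, 0x0020): "PatientID",
            (0x0010, 0x0030): "PatientBirthDate"}
# Explicit-VR long form (2 reserved bytes + 4-byte length); subset of the VRs.
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}

def _element(group, elem, vr, value):
    """Encode one explicit-VR little-endian element; values are even-padded."""
    if len(value) % 2:
        value += b"\x00" if vr == b"UI" else b" "
    head = struct.pack("<HH", group, elem) + vr
    if vr in LONG_LENGTH_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value

def parse_elements(data):
    """Yield (tag, vr, value_offset, length) for each top-level element."""
    if data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file")
    pos = 132
    while pos + 8 <= len(data):
        tag = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        fmt, vpos = ("<I", pos + 12) if vr in LONG_LENGTH_VRS else ("<H", pos + 8)
        (length,) = struct.unpack_from(fmt, data, vpos - struct.calcsize(fmt))
        yield tag, vr, vpos, length
        pos = vpos + length

def find_phi(data):
    """Return {tag name: value} for every identifying tag present in the file."""
    return {PHI_TAGS[tag]: data[vpos:vpos + length].decode("ascii").strip()
            for tag, _vr, vpos, length in parse_elements(data) if tag in PHI_TAGS}

def deidentify(data):
    """Blank identifying values in place (same length, so later offsets hold)."""
    out = bytearray(data)
    for tag, _vr, vpos, length in parse_elements(data):
        if tag in PHI_TAGS:
            out[vpos:vpos + length] = b" " * length
    return bytes(out)

# Constructed sample: preamble, "DICM" magic, then explicit-VR LE elements
# (the file-meta group is reduced to the transfer-syntax UID for brevity).
SAMPLE_DICOM = (b"\x00" * 128 + b"DICM"
    + _element(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1")  # explicit VR LE
    + _element(0x0010, 0x0010, b"PN", b"DOE^JANE")
    + _element(0x0010, 0x0020, b"LO", b"MRN-000123")
    + _element(0x0010, 0x0030, b"DA", b"19800101"))
```

Running `find_phi` on a scan you downloaded from a portal shows exactly which identifiers would travel with it to a consumer cloud service; `deidentify` is the kind of step a provider should apply before images reach a third-party AI vendor.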

The Bigger Picture

The RSNA findings don’t mean you should avoid essential medical imaging. But they do underline that the technology you trust for diagnosis needs better privacy safeguards. As AI becomes embedded in radiology workflows, both regulators and healthcare providers need to treat medical images as the sensitive data they are. For now, the best defense is informed caution: ask questions, use secure channels, and stay aware of what’s being done with your scans.
Sources

  • RSNA 2026 abstract, “Deepfake X-Rays Fool Radiologists and AI”: summary of findings presented at the annual meeting.
  • U.S. Department of Health and Human Services, HIPAA Privacy Rule: patient rights to access records and to request an accounting of disclosures.
  • Journal of Medical Imaging (2024): survey of encryption practices at U.S. imaging centers.