Medical AI Privacy Risks: What You Need to Know About Your Medical Images
Artificial intelligence is increasingly used to read X-rays, CT scans, and MRIs. Many hospitals now rely on AI tools to flag abnormalities, prioritize urgent cases, and even generate reports. The technology can improve accuracy and speed, but it also introduces a set of privacy risks that patients rarely consider.
Recent research presented at the Radiological Society of North America (RSNA) has shown that deepfake X-rays can fool both radiologists and AI systems. While the study focused on diagnostic fraud, it highlights a broader concern: medical images are digital files that can be manipulated, shared, and used far beyond your original clinical visit.
What Happened: AI in Radiology Creates New Vulnerabilities
In 2025, RSNA researchers demonstrated that synthetic X-ray images—created using generative AI—are convincing enough to deceive trained radiologists and commercial AI diagnosis tools. These deepfake images could theoretically be inserted into medical records to falsify injuries, evade detection, or commit insurance fraud.
But the privacy angle is less about deepfakes and more about how medical images are handled. Many AI systems require vast datasets to train their algorithms. These datasets may contain millions of images from patients who never explicitly consented to their data being used for research or commercial product development. Some hospitals and imaging centers share de-identified images with third-party AI vendors, cloud storage services, or academic collaborators. Anonymization is standard practice, but it is not foolproof. Researchers have repeatedly shown that de-identified medical images can sometimes be re-identified using metadata, facial features reconstructed from CT scans, or by cross-referencing with other data sources.
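To make the metadata point concrete, here is a small added example that is not part of the RSNA research or of any vendor's de-identification tool. It builds a constructed DICOM-style header for a fictitious patient (the names, medical record number and vendor private tag are all made up), shows which identifying attributes a standard tag-list scrub removes, pseudonymizes the patient ID with a keyed hash so a study can still be linked without revealing the original number, and then shows what such a scrub leaves behind: copies of the patient's name in a free-text comment and in a vendor private tag. The tag list is a small illustrative subset of the DICOM confidentiality profile, the encoder handles only flat explicit-VR little-endian files, and nothing here addresses the two other routes the text mentions, facial reconstruction from the pixel data and burned-in annotations, which metadata scrubbing cannot fix.

```python
import hmac
import hashlib
import struct

# Minimal explicit-VR little-endian DICOM encoder/parser (illustrative only;
# no file meta group, no nested sequences).  Not a substitute for a real toolkit.
TEXT_VRS = {"AE", "AS", "CS", "DA", "DS", "DT", "IS", "LO", "LT", "PN", "SH", "ST", "TM", "UI", "UT"}
LONG_VRS = {"OB", "OD", "OF", "OL", "OW", "SQ", "UC", "UN", "UR", "UT"}  # 4-byte length header
PREAMBLE = b"\x00" * 128 + b"DICM"

# Small subset of identifying attributes (illustrative, not the full PS3.15 profile).
IDENTIFYING_TAGS = {
    (0x0008, 0x0090): "ReferringPhysicianName",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0010, 0x1040): "PatientAddress",
}


def encode_element(tag, vr, value):
    """Encode one data element; text values are padded to even length as DICOM requires."""
    if isinstance(value, str):
        value = value.encode("ascii")
    if len(value) % 2:
        value += b"\x00" if vr in ("OB", "UI") else b" "
    group, elem = tag
    if vr in LONG_VRS:
        header = struct.pack("<HH2s2xI", group, elem, vr.encode(), len(value))
    else:
        header = struct.pack("<HH2sH", group, elem, vr.encode(), len(value))
    return header + value


def parse_elements(data):
    """Yield (tag, vr, raw value) from a flat explicit-VR LE byte string."""
    pos = len(PREAMBLE) if data[128:132] == b"DICM" else 0
    while pos < len(data):
        group, elem, vr = struct.unpack_from("<HH2s", data, pos)
        vr = vr.decode("ascii")
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length sequences are not supported in this example")
        yield (group, elem), vr, data[pos:pos + length]
        pos += length


def text(value):
    return value.decode("ascii").rstrip(" \x00")


def find_identifiers(data):
    """Return {attribute name: value} for identifying tags that are present and non-empty."""
    return {IDENTIFYING_TAGS[tag]: text(value)
            for tag, vr, value in parse_elements(data)
            if tag in IDENTIFYING_TAGS and value.strip(b" \x00")}


def pseudonym(patient_id, key):
    """Keyed, non-reversible pseudonym: the same patient links across studies,
    but the original MRN cannot be recovered without the site's secret key."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16].upper()


def deidentify(data, key):
    """Rewrite the file: pseudonymize PatientID, blank the other listed identifiers."""
    out = bytearray(PREAMBLE)
    for tag, vr, value in parse_elements(data):
        if tag == (0x0010, 0x0020):
            value = pseudonym(text(value), key)
        elif tag in IDENTIFYING_TAGS:
            value = b""
        out += encode_element(tag, vr, value)
    return bytes(out)


def residual_mentions(data, secrets):
    """Caveat check: scan every text-valued element (private tags included) for
    leftover copies of the original identifiers that a tag-list scrub skips."""
    return [(tag, text(value)) for tag, vr, value in parse_elements(data)
            if vr in TEXT_VRS and any(s and s in text(value) for s in secrets)]


def build_sample():
    """Constructed sample header for a fictitious patient; no real data."""
    elements = [
        ((0x0008, 0x0060), "CS", "CR"),                          # Modality
        ((0x0008, 0x0090), "PN", "DOE^JANE^^DR"),                # Referring physician
        ((0x0009, 0x0010), "LO", "ACME_PRIVATE_GROUP"),          # private creator (made up)
        ((0x0009, 0x1001), "LO", "Report for ROE^RICHARD"),      # vendor private text
        ((0x0010, 0x0010), "PN", "ROE^RICHARD"),                 # PatientName
        ((0x0010, 0x0020), "LO", "MRN-0042"),                    # PatientID
        ((0x0010, 0x0030), "DA", "19800101"),                    # PatientBirthDate
        ((0x0010, 0x1040), "LO", "1 Main St"),                   # PatientAddress
        ((0x0020, 0x4000), "LT", "Pt ROE^RICHARD, chest PA"),    # ImageComments
        ((0x7FE0, 0x0010), "OB", bytes(range(8))),               # stand-in pixel data
    ]
    return PREAMBLE + b"".join(encode_element(t, vr, v) for t, vr, v in elements)


if __name__ == "__main__":
    sample = build_sample()
    scrubbed = deidentify(sample, b"example-site-key")
    print("before:", find_identifiers(sample))
    print("after: ", find_identifiers(scrubbed))
    print("left behind:", residual_mentions(scrubbed, ["ROE^RICHARD", "MRN-0042"]))
```

Running it shows the listed identifiers gone and the patient ID replaced by a pseudonym, yet the patient's name survives in the image comment and the private tag. That is the practical meaning of "not foolproof": a de-identification process has to cover free text and private vendor elements, and the pixel data itself, not just the well-known patient tags.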
The RSNA has also noted that the growing number of AI applications in radiology—from the largest AI showcases at RSNA 2025 to routine clinical deployment—means more parties have access to patient images than ever before. This expands the attack surface for data breaches, unintended leaks, and misuse.
Why It Matters for Patients
Your medical images contain far more information than the diagnosis itself. A chest X-ray reveals body shape, bone structure, and sometimes even identifiable facial features. CT scans can include enough anatomical detail to identify individuals. If that data is used to train an AI model, it may persist in the model’s training set or be exposed if the model is published or stolen.
The privacy implications go beyond the risk of a data breach. Once an image is shared, you lose control over its use. It could be used to train an AI system that is later sold to insurance companies, employers, or law enforcement—without your knowledge. Patients already have limited control over how their images are used beyond direct clinical care, and current laws do not fully cover these scenarios.
HIPAA provides some protections for medical records, including images, but it applies to covered entities (hospitals, clinics) and their business associates. If a third-party AI vendor is not a business associate—or if the images are de-identified in ways that don’t meet HIPAA’s safe harbor standards—those protections may weaken. Emerging regulations, such as those proposed in the EU AI Act or state-level privacy laws in the U.S., seek to address these gaps, but enforcement is still evolving.
What You Can Do to Protect Your Medical Data
You can’t fully control what happens after an image is taken, but you can take steps to reduce your exposure.
Ask about data use policies. Before an imaging procedure, ask your provider or the radiology department how your images will be used. Will they be shared with AI vendors? Stored in the cloud? Used for research? If the answer is vague, request a written description. You have the right to know.
Request anonymization whenever possible. If you are participating in a research study or donating your images for training, make sure the facility has strong de-identification procedures. Ask whether facial features or other identifiable markers are removed.
Opt out of secondary use. Many hospitals give patients the option to opt out of having their data used for research or product development. This may be in a consent form buried in intake paperwork. Look for it and check the box that limits use to your direct care only.
Consider where your images are stored. If you receive copies of your images on a CD or through a patient portal, treat them as sensitive data. Avoid uploading them to unsecured cloud storage or sharing them on social media (some people post MRI scans for curiosity—don’t).
Read the fine print on AI tools. Some consumer-facing health apps now allow users to upload medical images for AI analysis. Before you do, check the app’s privacy policy. Many of these apps may retain and use your images to improve their own AI systems.
Stay informed about your rights. HIPAA was written before AI imaging became common. Some newer state laws, like the California Privacy Rights Act or Colorado’s AI law, offer additional protections. Familiarize yourself with what applies where you live.
Sources
- Radiological Society of North America. “Deepfake X-Rays Fool Radiologists and AI.” RSNA, March 2026.
- Radiological Society of North America. “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks.” RSNA, May 2026.
- Radiological Society of North America. “RSNA 2025 Technical Exhibits Feature Largest Radiology AI Showcase.” RSNA, September 2025.
- U.S. Department of Health & Human Services. HIPAA Privacy Rule. 45 CFR Parts 160 and 164.