Medical AI Privacy Risks: What You Need to Know About Your Scan Data

Medical imaging has become smarter and faster thanks to artificial intelligence. Algorithms now help radiologists spot tumors, fractures, and other abnormalities in X-rays, CT scans, and MRIs. But there’s a growing concern that the same technology can be turned against patients. Recent research from the Radiological Society of North America (RSNA) shows that medical imaging AI opens a Pandora’s box of privacy-related risks, including the ability to create fake X-rays that fool human experts and automated systems. If you’ve ever had a scan, your data may already be part of an AI training set—often without your explicit knowledge or consent.

This article explains what those risks are and, more importantly, what you can do to protect yourself.

What Happened

In March 2026, RSNA published findings demonstrating that generative AI can produce realistic fake X-ray images that are indistinguishable from real ones, even to trained radiologists. These deepfake medical images could be used to mislead a diagnosis, commit insurance fraud, or steal a patient’s identity. The research also highlighted that the vast datasets used to train medical AI models are often stored or shared in ways that make them attractive targets for data breaches.

Healthcare data breaches have been climbing for years, and imaging data—because it includes unique anatomical details—is especially valuable. A single patient record containing a chest X-ray and associated metadata (name, date of birth, insurance number) can sell for far more than a credit card number on the black market. The RSNA study is not an isolated warning; it’s part of a growing acknowledgment that the convenience and diagnostic benefits of AI come with real privacy trade-offs.

Why It Matters

There are three main reasons the average patient should care about this.

1. Deepfake X-rays could be used against you. A convincingly forged scan could suggest you have a disease you don’t have, leading to unnecessary treatments or denial of insurance coverage. Conversely, a fake scan that hides a real condition could delay care. The RSNA researchers found that even advanced AI detection tools struggled to spot the fakes.

2. Your data may be used without your say-so. Many hospital systems and imaging centers have agreements with AI developers that allow them to use de-identified patient images to train commercial algorithms. While “de-identified” is supposed to protect privacy, re-identification of medical data has proven possible in several studies. Few patients are told about these arrangements.

3. Breaches are becoming more common and more targeted. In 2025, several large health systems reported incidents where imaging databases were accessed by unauthorized parties. Unlike a stolen credit card that can be canceled, your anatomical data cannot be changed.

What You Can Do

You don’t have to avoid necessary scans to protect yourself. Here are concrete steps that apply to most healthcare systems in the U.S. and many other countries.

  • Ask about data sharing before you consent. When scheduling an MRI or CT, ask the facility whether they share images with any third-party AI companies. Many hospitals have a “notice of privacy practices” that mentions this, but it’s often buried in fine print. If you don’t want your images used for AI training, ask if there is an opt-out form. Under some state laws (such as California’s), you may have that right.

  • Use encrypted patient portals. Most hospitals offer a secure online portal where you can view and download your images. Avoid storing raw DICOM files on unencrypted USB drives or emailing them to yourself: a DICOM file carries identifying details such as your name, date of birth and patient ID in its header alongside the image itself, so a lost copy exposes both. If a portal offers two-factor authentication, enable it.

  • Limit how much information you share on health apps. Some wellness apps encourage you to upload images of, say, a skin lesion or a dental X-ray for AI analysis. Before uploading anything, check the app’s privacy policy to see how your data will be stored, whether it will be sold, and whether it can be deleted later.

  • Consider a data deletion request after care is complete. Once you no longer need your images for follow-up appointments, you may be able to request that the facility delete your imaging data from active storage (they are still required to keep medical records for a certain period under law, but can remove your data from AI training sets). The process varies by provider; ask their privacy officer.

  • Monitor your medical records for discrepancies. After a scan, review the report in your portal. If you see something that doesn’t match your symptoms or an image that looks off, flag it with your doctor. This is a low-tech but effective way to catch a misattributed or manipulated scan early.

Sources

  • Radiological Society of North America. “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks.” March 2026.
  • Radiological Society of North America. “Deepfake X-Rays Fool Radiologists and AI.” March 2026.
  • U.S. Department of Health and Human Services. “Healthcare Data Breach Reports,” 2024–2025.