Medical AI Scans Your Images—But Who Else Sees Them? Privacy Risks You Should Know
If you’ve had an X-ray, CT scan, or MRI in the last few years, chances are an artificial intelligence system analyzed part of that image. AI tools are now common in radiology—they help detect tumors, flag fractures, and speed up readings. The Radiological Society of North America (RSNA) reported in 2026 that AI integration in medical imaging is accelerating rapidly, with technology exhibitions at their annual meeting showcasing dozens of new diagnostic algorithms.
But as the images become more valuable to AI developers, they also become more attractive to third parties. The same RSNA report raised a quiet alarm: “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks.” That box contains questions about who sees your scans, how they are used, and what protections you actually have.
What happened
Medical imaging AI works by feeding thousands—sometimes millions—of scans into a deep learning model. Those images come from real patients. Hospitals and clinics often share de-identified scans with researchers or tech companies to train these models. The term “de-identified” means that direct identifiers like your name, date of birth, and Social Security number are stripped away.
But de-identification is not foolproof. Researchers have shown that facial features reconstructed from CT scans, or unique anatomical markers, can sometimes be used to re-identify individuals. Metadata embedded in the image files themselves (radiology images are typically stored as DICOM files, whose headers carry fields such as the scanner serial number, acquisition timestamps, and institution codes) can also link images back to a specific person when combined with other data. A 2025 study from the University of Chicago demonstrated that a simple search of public radiology datasets could match scans to patients in public records.
Beyond re-identification, there are concerns about how images are stored and shared. Many hospitals now rely on cloud providers like Amazon Web Services or Google Cloud to store and process medical images. While these services often claim strong security, a breach in 2024 involving a third-party AI vendor exposed over 700,000 radiology reports and associated images. The incident was one of several that prompted the RSNA to publish its privacy-focused report.
Why it matters
For patients, the issue is simple: your medical images are intimate records of your body. They can reveal everything from a lung nodule to a pregnancy to the shape of your internal organs. When these images are used to train commercial AI tools without your explicit consent, you lose control over where they end up.
HIPAA—the U.S. health privacy law—provides limited protection here. Once images are de-identified according to HIPAA’s “safe harbor” method (removing 18 specific identifiers), they are no longer considered protected health information under the law. That means they can be shared, sold, or used for research without your permission. The same is true for images held by a cloud or AI vendor that is not bound by a HIPAA business associate agreement.
Even when consent forms are used, they are often vague. A typical radiology consent form might say “your images may be used for quality improvement or research,” without specifying that a for-profit AI company will train its model on them. Patients rarely realize they can ask for more detail or refuse participation.
What you can do
You do not have to accept these risks passively. Here are concrete steps you can take before your next scan:
Ask about data policies upfront. Call the imaging center or hospital and ask: “How are my images used beyond my own diagnosis? Are they shared with any third parties, including AI companies? Can I see your data-use policy in writing?”
Request an opt-out. Most facilities will allow you to refuse permission for your images to be used in research or AI training. This may not be available at all institutions, but it is always worth asking. You can request a notation in your record that your data should not be shared.
Inquire about de-identification methods. If the facility does share images for training, ask whether they use full de-identification (stripping the identifying header metadata and “defacing” the scan so facial features cannot be reconstructed from it) or just basic removal of names. Some centers now use “differential privacy” techniques to add noise to data before sharing, which makes re-identification harder.
Check for a patient privacy officer. Larger hospitals have a dedicated privacy office. You can ask to speak with them about your concerns. They are required to explain your rights under HIPAA.
Read consent forms carefully. Look for language about “commercial use,” “data sharing,” or “secondary research.” If you see such phrases and do not agree, ask to sign a modified consent that excludes those uses. You have the right to limit how your data is used, though some providers may refuse and refer you elsewhere.
Consider a privacy-focused imaging center. A small number of independent radiology practices now advertise that they do not share any patient data for AI training. These are rare, but worth seeking out if privacy is a high priority for you.
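As an added illustration (not part of the original article, and not any vendor’s or facility’s code), the following Python script shows what the metadata inside a scan file looks like and what “removing metadata” means in practice. It builds a small synthetic DICOM-style header from constructed values only (the file-meta group and pixel data are omitted), audits it for a handful of identifying attributes, and writes a scrubbed copy in which names, IDs, and dates are blanked, the device serial number and institution are dropped, and the study UID is replaced by a one-way hashed UID. The attribute list is a small subset chosen for illustration, not the full DICOM PS3.15 confidentiality profile, and header scrubbing does nothing about faces that can be reconstructed from the pixel data, which needs separate defacing.

```python
import hashlib
import struct

# Constructed sample preamble: 128 zero bytes followed by the "DICM" magic.
PREAMBLE = b"\x00" * 128 + b"DICM"

# VRs that use the 4-byte length form in explicit-VR little-endian encoding.
LONG_VRS = {"OB", "OW", "OF", "SQ", "UN", "UT"}

# Small, illustrative subset of identifying attributes and the action for each:
# "blank"  keeps the element with an empty value,
# "remove" drops the element entirely,
# "remap"  replaces a UID with a hashed UID under the 2.25 (UUID-derived) arc,
#          so studies stay linkable without leaking the issuing site's UID root.
IDENTIFYING = {
    (0x0008, 0x0020): ("StudyDate", "blank"),
    (0x0008, 0x0080): ("InstitutionName", "remove"),
    (0x0010, 0x0010): ("PatientName", "blank"),
    (0x0010, 0x0020): ("PatientID", "blank"),
    (0x0010, 0x0030): ("PatientBirthDate", "blank"),
    (0x0018, 0x1000): ("DeviceSerialNumber", "remove"),
    (0x0020, 0x000D): ("StudyInstanceUID", "remap"),
}


def encode_element(tag, vr, value):
    """Encode one explicit-VR little-endian data element; tag is (group, element)."""
    if isinstance(value, str):
        value = value.encode("ascii")
    if len(value) % 2:  # DICOM values are padded to even length
        value += b"\x00" if vr == "UI" else b" "
    group, elem = tag
    header = struct.pack("<HH", group, elem) + vr.encode("ascii")
    if vr in LONG_VRS:
        header += b"\x00\x00" + struct.pack("<I", len(value))
    else:
        header += struct.pack("<H", len(value))
    return header + value


def parse_elements(data):
    """Walk the byte stream and return [(tag, vr, raw_value)] in file order."""
    pos = 132 if data[128:132] == b"DICM" else 0
    elements = []
    while pos < len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6].decode("ascii")
        if vr in LONG_VRS:
            length = struct.unpack_from("<I", data, pos + 8)[0]
            pos += 12
        else:
            length = struct.unpack_from("<H", data, pos + 6)[0]
            pos += 8
        elements.append(((group, elem), vr, data[pos:pos + length]))
        pos += length
    return elements


def build_sample():
    """Constructed header for a fictitious CT study with identifying fields filled in."""
    fields = [
        ((0x0008, 0x0020), "DA", "20240115"),
        ((0x0008, 0x0060), "CS", "CT"),
        ((0x0008, 0x0080), "LO", "Example Imaging Center"),
        ((0x0010, 0x0010), "PN", "DOE^JANE"),
        ((0x0010, 0x0020), "LO", "MRN-000123"),
        ((0x0010, 0x0030), "DA", "19800202"),
        ((0x0018, 0x1000), "LO", "SN-98765"),
        ((0x0020, 0x000D), "UI", "1.2.3.4.5.6.7.8"),  # constructed, not a real UID root
    ]
    return PREAMBLE + b"".join(encode_element(t, vr, v) for t, vr, v in fields)


def remap_uid(uid):
    """Deterministic one-way replacement UID (2.25.<128-bit integer>, under 64 chars)."""
    digest = hashlib.sha256(uid).digest()[:16]
    return "2.25." + str(int.from_bytes(digest, "big"))


def audit(data):
    """Names of identifying attributes that are still populated (or UIDs not yet remapped)."""
    found = []
    for tag, _vr, value in parse_elements(data):
        if tag not in IDENTIFYING:
            continue
        name, action = IDENTIFYING[tag]
        stripped = value.rstrip(b" \x00")
        if action == "remap":
            if not stripped.startswith(b"2.25."):
                found.append(name)
        elif stripped:
            found.append(name)
    return found


def deidentify(data):
    """Return a copy of the header with the IDENTIFYING actions applied; other elements pass through."""
    out = [PREAMBLE] if data[128:132] == b"DICM" else []
    for tag, vr, value in parse_elements(data):
        _name, action = IDENTIFYING.get(tag, (None, None))
        if action == "remove":
            continue
        if action == "blank":
            value = b""
        elif action == "remap":
            value = remap_uid(value.rstrip(b"\x00"))
        out.append(encode_element(tag, vr, value))
    return b"".join(out)


if __name__ == "__main__":
    original = build_sample()
    print("identifying fields before:", audit(original))
    print("identifying fields after: ", audit(deidentify(original)))
```

Running the script prints seven populated identifying fields for the constructed header and none after scrubbing, while the modality and other clinical attributes survive untouched. The design point is that “de-identified” has a concrete, checkable meaning: an audit like this can be run on every file before it leaves the institution, and a facility that cannot describe which attributes it strips is the kind the article suggests asking about.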
Sources
- Radiological Society of North America (RSNA), “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks,” 2026.
- University of Chicago study on re-identification of medical images, 2025 (published in Radiology).
- HHS Office for Civil Rights, guidance on de-identification under HIPAA.
- News reports on 2024 third-party AI vendor breach (700,000+ records exposed).
This article is for informational purposes only and does not constitute legal or medical advice. Privacy laws and policies vary by country and institution.