Medical AI Scans Your Images, But Who Else Sees Them? The Privacy Risks You Should Know
Artificial intelligence is becoming a standard tool in radiology, helping doctors detect tumors, fractures, and other findings faster than ever. But the same technology that improves diagnosis also creates new avenues for data misuse—some of which researchers are only beginning to understand.
Recent work presented at the Radiological Society of North America (RSNA) shows that AI-generated fake X-rays can fool both human radiologists and the AI systems designed to interpret scans. That finding is just one example of the privacy and security vulnerabilities that come with the rapid adoption of medical imaging AI.
What happened
In March 2026, RSNA published research demonstrating that deepfake X-rays—synthetic images created by generative AI—are convincing enough to deceive trained radiologists and the machine learning models they rely on. The study essentially showed that an attacker could insert a fake tumor or remove a real one from a scan without detection. While the research focused on diagnostic accuracy, the implications for privacy are direct: if a system cannot reliably tell real from fake, then your own medical images could be altered, misattributed, or stolen without a clear forensic trail.
At the same time, the radiology AI market is booming. RSNA’s 2025 technical exhibits featured the largest AI showcase to date, with dozens of vendors offering tools for image analysis, reporting, and data management. Every one of those tools processes patient images, and many upload scans to cloud servers or share them across institutions for model training. The more data collected, the larger the attack surface.
Why it matters
Medical images are not anonymous. Even after metadata is stripped, facial reconstruction software can recognize individuals from CT and MRI head scans. Researchers have shown that chest X-rays can be linked back to patients using anatomical features. These re-identification risks mean that a leaked imaging dataset can do real harm—whether through insurance discrimination, blackmail, or identity theft.
Beyond re-identification, there is the question of consent. Many imaging AI tools are trained on thousands of scans, often without explicit patient permission for that specific use. While HIPAA and GDPR allow some secondary research, the boundaries are fuzzy, especially when data crosses borders or is handled by third-party AI vendors. Patients rarely know where their scan went after it left the radiologist’s workstation.
Deepfake X-rays add another layer: if a malicious actor gains access to a hospital’s imaging system, they could inject false scans into a patient’s record, leading to wrong treatment or fraudulent insurance claims. The risk is not theoretical—similar attacks have already been demonstrated on other medical devices.
What readers can do
You do not need to become a cybersecurity expert, but a few practical steps can reduce your exposure.
- Ask your provider about AI use. When you get an X-ray, CT, or MRI, ask whether AI tools will analyze your images and whether the data will leave the hospital. Most facilities have a privacy officer who can give you a straight answer.
- Request a copy of your images. Under HIPAA (in the US) and GDPR (in Europe), you have the right to access your medical records, including image files. Storing your own copies gives you a baseline to compare against if someone later alters the official record.
- Read the consent forms. Many imaging centers bury broad data-sharing permissions in fine print. If you are uncomfortable, ask to opt out of research-sharing while still receiving care. Some institutions will honor that request.
- Keep an eye on your explanation of benefits. If you receive a bill for an imaging test you did not have, report it immediately. It could be a sign that someone used your identity—or a fake scan—to file a fraudulent claim.
- Support transparency requirements. Regulations are still catching up. Let your elected representatives know that you want clear rules on AI in healthcare, including mandatory disclosure when AI is used in diagnosis and mandatory audits of data security practices.
Future outlook
Regulatory bodies are starting to move. The FDA has begun requiring more transparency from AI-based medical devices, and both HIPAA and GDPR are being updated to address modern data-sharing practices. But regulation moves slowly compared to the technology it governs. For now, the strongest protection is an informed patient who asks questions and holds providers accountable.
The RSNA deepfake research is a useful wake-up call. It shows that the same generative AI that can improve medical imaging can also undermine it. Responsible use of AI in healthcare depends not just on better algorithms, but on better data governance, patient consent, and security standards. Until those are in place, every scan you get carries a small but real privacy risk.
Sources
- RSNA: “Deepfake X-Rays Fool Radiologists and AI” (March 2026)
- RSNA: “RSNA 2025 Technical Exhibits Feature Largest Radiology AI Showcase” (September 2025)
- General HIPAA and GDPR provisions regarding medical data access and consent