Medical Imaging AI: Are Your Scans Raising New Privacy Risks?

Artificial intelligence is transforming how radiologists interpret X-rays, MRIs, and CT scans—speeding up diagnoses and sometimes catching details a human eye might miss. But as AI becomes more deeply embedded in medical imaging, a less visible issue is drawing attention: the privacy of your health data. A recent presentation at the Radiological Society of North America (RSNA) highlighted that the very tools making scans smarter may also be creating new vulnerabilities for patients.

What Happened

At RSNA’s annual meeting, researchers outlined what they called a “Pandora’s box” of privacy risks tied to AI in medical imaging. The core problem is that AI systems often require large datasets of medical images to train and validate their algorithms. Those datasets may contain far more than just the anatomical details needed for diagnosis. Patient names, dates of birth, and other identifiers can be embedded in image file metadata. Even when names are stripped away, facial features visible in a head CT or MRI can sometimes be used to re-identify a person. And the AI models themselves can inadvertently memorize specific patient data, raising the possibility that an attacker could extract identifiable information from a model’s outputs.

The presentation cited multiple pathways for exposure: data shared with third-party AI vendors, cloud storage of images, and the use of patient scans in research databases without explicit consent for AI development. While the full findings have not yet been peer-reviewed, they align with growing concerns across digital health about how data flows when AI is involved.

Why It Matters

Most people assume that medical images are protected by laws like HIPAA in the United States. And in many traditional settings, they are. But AI introduces complications. HIPAA’s rules were written before machine learning became common in clinical workflows. They cover how “covered entities” (hospitals, clinics, insurers) handle protected health information, but they don’t always extend to how an AI vendor stores or uses data after it leaves the hospital’s network. State laws vary, and some health systems may not fully disclose that your images are being used to train commercial algorithms.

The risks are not theoretical. Researchers have demonstrated that de-identified medical images can be re-identified by matching them with public databases or by extracting metadata that wasn’t properly scrubbed. In one documented case, a hospital shared patient scan data with an AI startup, and the startup later used those scans to train a model sold to other hospitals—without the original patients’ knowledge. There is also the problem of algorithmic bias: if the training data lacks diversity, the AI may perform poorly on certain populations, which is a safety risk that intersects with privacy when data is collected without representative consent.
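To make the metadata and facial-feature risks described above concrete, here is an added example (not from the RSNA presentation or any vendor's tooling) of an audit a data custodian could run on image headers before a dataset leaves the hospital. It assumes the scans are stored as DICOM files and uses that standard's header keywords; the placeholder list, the function names, and the two sample headers are constructed for illustration.

```python
import re

# DICOM header keywords that directly identify a patient (standard attribute names).
DIRECT_IDENTIFIERS = ("PatientName", "PatientID", "PatientBirthDate",
                      "PatientAddress", "AccessionNumber", "ReferringPhysicianName")
# Free-text fields where staff often type a name or record number by hand.
FREE_TEXT = ("StudyDescription", "SeriesDescription", "ImageComments", "PatientComments")
# Values a scrubbing tool might write in place of an identifier (assumption).
PLACEHOLDERS = {"", "ANONYMOUS", "ANON", "REMOVED", "00000000"}


def name_tokens(original_name):
    """Split a DICOM person name such as 'DOE^JANE' into searchable tokens."""
    return [t for t in re.split(r"[\^\s,]+", original_name.upper()) if len(t) >= 3]


def audit_header(header, original_name=""):
    """Return sorted findings for one supposedly de-identified image header."""
    findings = []
    for key in DIRECT_IDENTIFIERS:
        value = str(header.get(key, "")).strip()
        if value.upper() not in PLACEHOLDERS:
            findings.append(f"{key}: identifier still present")
    tokens = name_tokens(original_name)
    for key in FREE_TEXT:
        text = str(header.get(key, "")).upper()
        if any(re.search(rf"\b{re.escape(t)}\b", text) for t in tokens):
            findings.append(f"{key}: patient name in free text")
    # Scrubbing metadata does not touch pixel data: a head CT or MR volume
    # can still be rendered into a recognizable face.
    if (header.get("Modality") in ("CT", "MR")
            and header.get("BodyPartExamined", "").upper() in ("HEAD", "BRAIN", "SKULL")):
        findings.append("PixelData: head volume may allow facial reconstruction")
    return sorted(findings)


# Constructed sample headers (not real patient data).
SCRUBBED = {"PatientName": "ANONYMOUS", "PatientID": "", "PatientBirthDate": "",
            "Modality": "CR", "BodyPartExamined": "CHEST", "StudyDescription": "Chest PA"}
LEAKY = {"PatientName": "ANONYMOUS", "PatientID": "", "PatientBirthDate": "19800214",
         "Modality": "CT", "BodyPartExamined": "HEAD",
         "StudyDescription": "CT head, Jane Doe follow-up"}

if __name__ == "__main__":
    for label, hdr in (("scrubbed", SCRUBBED), ("leaky", LEAKY)):
        print(label, audit_header(hdr, original_name="DOE^JANE"))
```

The second header shows why clearing the name field alone is not enough: the birth date, a hand-typed study description, and the head volume itself each remain a route to re-identification.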

What Readers Can Do

You don’t need to become a privacy expert to protect yourself, but a few steps can help you make more informed choices.

Ask your provider before a scan. When your doctor orders an imaging exam, ask whether the facility uses AI to analyze images and whether your data may be shared with third parties. Many radiology departments have a consent form that covers this. Read it. If the language is vague (“we may use your data for quality improvement or research”), ask for specifics about AI training.

Request a data-sharing opt-out. Under HIPAA, you generally have the right to request that your health information not be used for certain purposes, including research and marketing. Some facilities allow you to opt out of having your images used in AI training. The process varies, so call the radiology department ahead of time.

Review the facility’s privacy policy. Larger hospital systems and imaging centers publish notices of privacy practices. Look for language about “de-identified data,” “AI vendors,” and “third-party data processors.” If you see terms like “irreversibly de-identified,” be aware that some experts question whether that is truly achievable with medical images.

Support stronger regulations. Patient advocacy groups are pushing for laws that require explicit consent before medical images are used for AI development, as well as transparency about who has access to the data. You can support these efforts by contacting your state representatives or following organizations like the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU), which have taken interest in health data privacy.

Sources

  • Radiological Society of North America. “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks.” RSNA News, May 2026.