Medical Imaging AI Is Putting Your Privacy at Risk — What You Need to Know
Artificial intelligence is changing how doctors read X‑rays, CT scans, and MRIs. It can spot tumors faster, reduce measurement errors, and even detect diseases radiologists might miss. For many patients, that sounds like good news. But there is a less visible side to these tools: the privacy of your medical images.
The Radiological Society of North America (RSNA) recently published a sobering overview of the risks. In a May 2026 article, the society warned that as medical imaging AI becomes more widespread, so do the chances that your private health data could be exposed, re‑identified, or used in ways you never agreed to. The term “Pandora’s box” appears in the article’s title for a reason.
What happened
The RSNA piece outlines how privacy risks arise at several points in the AI pipeline. First, most medical imaging AI is built using large datasets of patient scans. These datasets are often shared among hospitals, research institutions, and private companies. Even when metadata like your name and date of birth are stripped, imaging data can still contain enough information to identify you.
For example, a 3D CT scan of the head can be used to reconstruct a recognizable face. Researchers have demonstrated that algorithms can match such reconstructions to public databases, re‑identifying the patient. In other cases, subtle patterns in the scan—such as unique bone structures or implanted devices—can act as fingerprints. And if the training data is shared with third parties, there is often little oversight over how long they keep it or what they do with it.
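As an added, constructed example (not code from the RSNA article or any vendor), this Python snippet audits a DICOM header for identifiers that a naive "strip the name" pass leaves behind, which is the header half of the problem described above. The tag list, the sample file bytes and the bare explicit-VR little-endian layout are assumptions for illustration; the check can only report that pixel data is present, because the face-reconstruction risk lives in the pixels and no header scan can detect it.

```python
import struct

# A few tags that commonly carry direct identifiers (assumed subset; the DICOM
# PS3.15 de-identification profile lists far more).
PHI_TAGS = {
    (0x0008, 0x0080): "InstitutionName",
    (0x0008, 0x0090): "ReferringPhysicianName",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
}
PIXEL_DATA = (0x7FE0, 0x0010)
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # VRs with a 4-byte length field


def encode(group, elem, vr, value):
    """Build one explicit-VR little-endian element (only used to construct the sample)."""
    if len(value) % 2:  # DICOM values are padded to even length
        value += b"\x00" if vr in LONG_VRS else b" "
    head = struct.pack("<HH", group, elem) + vr
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def parse(data):
    """Yield (tag, vr, value) from an explicit-VR LE dataset, skipping a DICM preamble if present."""
    pos = 132 if data[128:132] == b"DICM" else 0
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if vr in LONG_VRS:
            length, = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            length, = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        yield (group, elem), vr, data[pos:pos + length]
        pos += length


def audit(data):
    """Report non-empty identifier tags still in the header, and whether pixel data is present."""
    findings, has_pixels = {}, False
    for tag, vr, value in parse(data):
        if tag in PHI_TAGS and value.strip(b" \x00"):
            findings[PHI_TAGS[tag]] = value.rstrip(b" \x00").decode("ascii", "replace")
        elif tag == PIXEL_DATA:
            has_pixels = True
    return {"residual_phi": findings, "pixel_data_present": has_pixels}


# Constructed sample: name and ID were blanked, but birth date and institution were left in.
SAMPLE = (b"\x00" * 128 + b"DICM"
          + encode(0x0008, 0x0080, b"LO", b"Example General Hospital")
          + encode(0x0010, 0x0010, b"PN", b"")
          + encode(0x0010, 0x0020, b"LO", b"")
          + encode(0x0010, 0x0030, b"DA", b"19700101")
          + encode(0x7FE0, 0x0010, b"OW", bytes(16)))

if __name__ == "__main__":
    print(audit(SAMPLE))
```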
The article also points out that many patients are never explicitly told their images will be used to train AI. Consent forms may bury the detail in dense language, or providers may rely on broad “treatment, payment, and operations” clauses that arguably cover AI development. Several recent studies, referenced by RSNA, show that the majority of patients want to be asked before their scans are used for this purpose.
Why it matters for everyday patients
For the average person, the biggest concern is loss of control. Once your medical image is in a research database or a company’s cloud, you have little say over who accesses it. Even if the data is supposedly de‑identified, the re‑identification attacks mentioned above are not just theoretical—they have been demonstrated in academic papers and at security conferences.
A second issue is potential discrimination. Health data is sensitive. If an insurer or employer learns that a scan revealed early signs of a condition (even a false positive), they could use that information against you. Current anti‑discrimination laws, such as the Genetic Information Nondiscrimination Act (GINA), do not cover most imaging results. And while HIPAA sets a national floor for health privacy, it has notable gaps. For instance, HIPAA does not directly regulate companies that receive de‑identified data, even if that data is later re‑identified.
The RSNA article also noted that the legal framework has not kept pace with technology. HIPAA was designed in an era of paper records and simple electronic systems. It was never intended to address AI training over millions of scans, or the global market for health data.
What you can do
You don’t need to be a tech expert to take practical steps.
First, before any imaging procedure, ask your provider a simple question: “Will my images be used to train any AI or research models? If so, can I opt out?” Many hospitals have consent forms that include a checkbox for research participation. If they don’t, ask for one. You have the right to refuse.
Second, read the notice of privacy practices you receive during registration. Look for language about “data sharing for research” or “de‑identified data use.” If it is vague, ask for clarification. You can also request a copy of your imaging records under HIPAA, which gives you the right to access your medical information. While you cannot control how a hospital uses its own AI training data, being aware of the potential use is the first step.
Third, consider encrypting your personal health data if you store it on your own devices. This applies mainly if you download your scans from a patient portal. Most consumer cloud storage services (like iCloud or Google Drive) offer encryption, but not all, and the provider usually holds the keys. Using end‑to‑end encrypted options adds a layer of protection if your cloud account or the provider itself is compromised.
Finally, stay informed about your state’s laws. Some states, like California, have broader health privacy laws (e.g., the California Consumer Privacy Act) that give you more rights to know what data is collected and to request deletion. While these laws are not perfect, they can supplement HIPAA.
The road ahead
The RSNA article is a necessary reminder that medical AI’s benefits come with trade‑offs. As the technology matures, regulators, hospitals, and AI developers will need to work toward clearer consent rules, stronger de‑identification standards, and better enforcement. For now, patients should treat their medical images with the same caution they would any other sensitive document—and ask questions before the scanner starts.
Sources:
- Radiological Society of North America. “Medical Imaging AI Opens a Pandora’s Box of Privacy‑Related Risks.” May 20, 2026.
- U.S. Department of Health and Human Services. “HIPAA Privacy Rule.” Accessed via hhs.gov.
- Relevant academic demonstrations of re‑identification from medical images (various, cited in the RSNA article).