Medical Imaging AI Raises New Privacy Risks: What Patients Should Know
AI is increasingly used to analyze X-rays, MRIs, and CT scans, helping radiologists detect diseases faster and sometimes more accurately. But this technology also introduces privacy risks that many patients are not aware of. Recent reports from the Radiological Society of North America (RSNA) and independent studies show that medical imaging AI can expose more than just the condition you are being scanned for—it can reveal biometric data, infer health risks, and potentially be used in ways you never consented to.
What happened
In May 2025, the RSNA published a special report titled “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks” that focused on large language model (LLM) cybersecurity threats in radiology. The report cautioned that AI systems handling imaging data can be vulnerable to attacks that extract patient information or manipulate results.
Shortly after, in May 2026, researchers demonstrated an AI tool that can extract detailed body composition data—such as muscle mass, fat distribution, and bone density—from routine chest X-rays. While this capability could be clinically useful, it also means a single image can be mined for sensitive information far beyond the original indication. For example, your chest X-ray for a cough might reveal not just your lung health but also your approximate age, sex, and even indicators of osteoporosis or metabolic disorders.
Why it matters
The privacy risks are not hypothetical. Medical images contain far more information than what meets the eye. Because AI can find patterns invisible to humans, it can re-identify anonymized scans, infer race, or predict future health conditions. If these images are stored or processed by third-party AI vendors, they may not be fully protected by HIPAA, which primarily covers healthcare providers and insurers, not necessarily every company that builds or hosts AI models.
A data breach of an imaging AI system could lead to identity theft, insurance discrimination, or even blackmail. Even if the data is de-identified, AI techniques can sometimes re-link it to individuals. And many patients are not told that AI is being used on their scans, nor are they given a clear way to opt out.
What readers can do
You have more control than you may think. Here are practical steps to protect your privacy before your next imaging exam:
- Ask whether AI is used. When scheduling a scan, ask your doctor or the imaging center: “Will AI be used to analyze my images? If so, which vendor and what data will they receive?” Some facilities are transparent; others may not have clear policies.
- Read the consent form carefully. Many forms include broad language that allows use of your data for “research” or “quality improvement.” That can include training commercial AI models. If you are uncomfortable, ask to cross out that clause or request a form that limits data use.
- Request de-identification by default. Ask if your images can be stripped of metadata (name, date of birth, medical record number) before being processed by AI. This may reduce some risks, though not completely prevent re-identification.
- Understand data retention policies. Ask how long your images will be stored and who can access them. Some facilities retain data indefinitely.
- Choose a facility with strong security practices. Look for imaging centers that have published privacy policies or use encryption and access controls. You can also check if they are accredited by organizations like the Joint Commission, which requires data safeguards.
- Opt out of research unless you consent explicitly. You have the right to refuse to have your data used for AI development. Write down your preference and ask the staff to flag your record.
Sources
- Radiological Society of North America. “Special Report Highlights LLM Cybersecurity Threats in Radiology.” May 14, 2025.
- Radiological Society of North America. “AI Tool Extracts Body Composition Data from Routine Chest X-Rays.” May 19, 2026.
- U.S. Department of Health and Human Services. “HIPAA Privacy Rule.” (For understanding legal protections and gaps.)