Medical Imaging AI Raises New Privacy Risks: What You Need to Know
Introduction
If you’ve had an X-ray, MRI, or CT scan recently, there’s a good chance an artificial intelligence tool helped analyze the images. AI in radiology can speed up detection of fractures, tumors, and other abnormalities, often with impressive accuracy. But these tools come with a trade-off that many patients don’t realize: your medical images may be shared with third‑party vendors, used to train new models, or even stored in ways that make re‑identification possible.
Recent warnings from the Radiological Society of North America (RSNA) have brought these privacy risks into sharp focus. This article explains what’s happening, why it matters to you as a patient, and what practical steps you can take to protect your health data.
What Happened
In May 2026, the RSNA released a report titled “Medical Imaging AI Opens a Pandora’s Box of Privacy‑Related Risks.” The report details how the rapid adoption of AI in radiology has created new vulnerabilities for patient data. Key findings include:
- Many AI models are developed by vendors that are not covered entities under U.S. privacy law. When a hospital sends images to a third‑party AI service for analysis, those images—along with metadata—may be stored, processed, and potentially reused for model training without explicit patient consent.
- De‑identification techniques, once considered safe, can sometimes be reversed. AI methods that reconstruct faces from head CT scans or match images to patient identities have been demonstrated in research settings.
- Consent forms often fail to mention AI analysis or data sharing with external vendors. Patients may unknowingly authorize broad data use when they sign standard imaging release forms.
The RSNA authors stress that these are not hypothetical risks—real‑world incidents have already occurred, and the problem is likely to grow as AI becomes more embedded in clinical workflows.
Why It Matters
For anyone who undergoes medical imaging, the privacy implications are immediate. Your scan contains highly sensitive information: not just the medical findings, but also physical features that could be used to identify you, even after facial features are removed. An MRI of your brain, for example, carries enough structure to potentially link back to your identity.
Current regulations like HIPAA (Health Insurance Portability and Accountability Act) were designed before AI was widespread. HIPAA covers healthcare providers and business associates, but not all AI vendors fall into those categories. When a hospital contracts with an AI company that hosts images on its own servers, the company may not be directly subject to HIPAA’s privacy and security rules. Even when it is, enforcement is inconsistent and penalties are often modest relative to the value of the data.
The RSNA report also highlights that patients have little transparency. You may never be told that your images were sent to an external AI service, let alone asked for permission. As AI models require large, diverse datasets to perform well, the incentive to collect and retain patient images is strong—sometimes overriding privacy considerations.
What Readers Can Do
You don’t have to refuse necessary imaging to protect your privacy. Here are concrete, realistic steps:
Ask your provider about AI use. Before a scan, ask: “Will AI be used to analyze my images? If so, which company’s software? Are my images sent outside this hospital?” Facilities that use on‑device AI (processing done locally) offer stronger privacy protection than those that send data to the cloud.
Review the consent form. Look for language about data sharing, research use, or third‑party vendors. If it’s vague, request clarification. In many cases, you can ask to opt out of data being used for AI training or for secondary purposes beyond your immediate care.
Choose facilities with clear policies. Some hospitals and imaging centers now publish data handling practices online. Prefer those that use anonymization or de‑identification before any external sharing. The best practice is to strip identifiers at the source and never transmit raw images to a vendor when possible.
Leverage patient portals. If you have online access to your medical records, check for any notices about AI use. Some institutions are beginning to disclose these practices through patient portals. If you don’t see anything, send a message to your provider’s privacy officer.
Stay informed about regulatory changes. The RSNA report calls for stronger oversight. Follow updates from the Office for Civil Rights (which enforces HIPAA) and the FDA (which regulates some AI‑based medical devices). Patient pressure often drives policy improvements.
These steps won’t eliminate all risk—the system still has gaps—but they give you more control over your personal health information.
Sources
- Radiological Society of North America (RSNA). “Medical Imaging AI Opens a Pandora’s Box of Privacy‑Related Risks.” May 2026. (Report summary available via RSNA newsroom.)
- U.S. Department of Health and Human Services. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. 45 CFR Parts 160 and 164.
- Cohen, I. G., & Mello, M. M. (2024). “HIPAA and AI: Gaps in the Protection of Health Data.” New England Journal of Medicine, 390(12), 1102–1108. (Discusses regulatory shortcomings relevant to AI.)