Medical Imaging AI Raises Privacy Red Flags: What Patients Need to Know
Artificial intelligence is transforming how doctors read X-rays, CT scans, and MRIs. Algorithms can now spot tumors, measure organ size, and even predict future health risks from a single image. But the same technology that speeds diagnosis also creates new ways for your personal health data to leak, be re-identified, or sold without your knowledge.
A recent report from the Radiological Society of North America (RSNA) highlights privacy vulnerabilities in medical imaging AI. As hospitals adopt these tools rapidly, patients may not realize how much information leaves their body scans—and where it ends up.
What happened
At the RSNA annual meeting, researchers presented findings on how AI models used in radiology can inadvertently expose patient data. The report details several risk pathways:
- Data re-identification: Even after removing names and dates, AI can match scans to individuals using facial features, unique anatomy, or metadata hidden in image headers.
- Unauthorized commercial use: Some AI vendors train algorithms on hospital data and then resell those models—or the derived data—to insurers, employers, or marketing firms.
- Cloud storage vulnerabilities: Many hospitals outsource AI processing to third-party cloud platforms. If those providers have weak security, a breach can leak thousands of scans at once.
A related RSNA special report from May 2025 warned that large language models (LLMs) introduce additional cybersecurity threats in radiology. For example, an attacker could query an LLM that has access to imaging reports and extract private patient details.
Another development adds urgency: AI tools can now extract body composition data—like muscle mass, fat distribution, and bone density—from routine chest X-rays. That extra layer of sensitive information makes each scan more valuable to data brokers and more dangerous if exposed.
Why it matters for patients
Medical imaging is intensely personal. A chest X-ray reveals not only your lungs but your heart size, breast tissue, and spinal alignment. A brain MRI can show signs of dementia years before symptoms appear. If this data leaks, you face risks beyond embarrassment:
- Insurance discrimination – Insurers could use imaging-derived biomarkers to deny coverage or raise premiums.
- Employment bias – Employers might access health predictions from routine scans.
- Identity theft – Medical images contain enough unique identifiers to impersonate you in healthcare systems.
What makes this especially tricky is that patients rarely sign explicit consent for AI processing. The standard “treatment, payment, operations” consent in most hospitals does not cover using your scans to train commercial algorithms. Yet many AI vendors do exactly that.
Steps patients can take to protect their imaging data
No single action guarantees privacy, but these steps reduce your exposure:
Ask your provider about AI use before the scan.
Questions to ask: “Will any AI software process my images? If so, which company provides it? Is my data de-identified? Do you share it with third parties for training?”
Request a data-use notice.
Hospitals are required to give you a “Notice of Privacy Practices” under HIPAA. Ask specifically how AI vendors handle your medical images. If the notice is vague, push for written clarification.
Check if you can opt out of AI research.
Many institutions allow patients to decline having their data used for research or algorithm training. The opt-out form may not be prominently displayed, so ask the radiology department directly.
Use your portal to track image access.
Patient portals often log who viewed your records. If you see unfamiliar entities (especially companies not involved in your care), flag it to the privacy office.
Consider encryption for digital copies.
If you download your images, store them in an encrypted folder or use a secure cloud service with end-to-end encryption. Avoid uploading scans to free AI analysis websites; they often harvest data for their own models.
Support stronger regulations.
Write to your state legislators and members of Congress urging them to close loopholes that allow commercial use of medical images without explicit patient consent. Current HIPAA rules were written before AI became pervasive.
What hospitals and regulators should do
The RSNA report recommends that hospitals perform privacy impact assessments before deploying any imaging AI, and that vendors disclose exactly what data is collected and how long it is retained. On the regulatory side, the Federal Trade Commission and HHS need to clarify that training AI on patient scans without notice is an unfair practice. Some experts also call for a federal law requiring opt-in consent for any secondary use of medical images.
Sources
- Report from the Radiological Society of North America (RSNA) on privacy vulnerabilities in medical AI. Presented at RSNA annual meeting, 2025/2026.
- “Special Report Highlights LLM Cybersecurity Threats in Radiology,” RSNA, May 14, 2025.
- “AI Tool Extracts Body Composition Data from Routine Chest X-Rays,” RSNA, May 19, 2026.
- HIPAA Privacy Rule, 45 CFR § 164.500 et seq.
Note: The specific attack vectors and data flows described in the RSNA report are based on conference presentations and preprints; some details may be refined in final peer-reviewed publications.