Medical Imaging AI Raises Privacy Risks: What Patients Should Know
Artificial intelligence is increasingly used to help radiologists read X-rays, CT scans, and MRIs. It can spot tumors, fractures, and other abnormalities faster than the human eye alone. But a recent warning from the Radiological Society of North America (RSNA) draws attention to a less discussed side effect: the technology can also expose patients’ private medical data in ways that existing laws may not fully cover.
What Happened
In May 2026, RSNA published an analysis titled “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks.” The report argues that the rapid adoption of AI tools in radiology has outpaced privacy safeguards. Many AI systems are trained on large datasets of medical images—sometimes collected without explicit patient consent. Even when data is labeled as de-identified, researchers have shown that facial features, body contours, and metadata embedded in image files can be used to re-identify individuals.
The RSNA warning is not alarmist. It points to specific scenarios. For example, a breast cancer screening AI model trained at one hospital might be shared with a vendor that later licenses it to insurers. The original images, though stripped of names and Social Security numbers, could still contain enough unique markers to link back to a patient file.
Why It Matters for Patients
Medical imaging data is more revealing than many people realize. A chest X-ray can show body shape, surgical implants, and even clothing patterns. A facial CT can reconstruct a person’s likeness. Once these images leave the hospital network—uploaded to a cloud AI service, anonymized, and used for research—the patient loses control over where their data ends up.
Three main risks stand out:
- Data aggregation. AI vendors may combine imaging data from multiple hospitals. A single breach could expose millions of records.
- Re-identification. Researchers have demonstrated that so-called anonymous scans can be matched to public profiles using pixel-level analysis or date-of-birth metadata.
- Third-party sharing. Hospital contracts with AI companies do not always require the vendor to delete patient data after the analysis is done. Some vendors retain images to improve their algorithms, which can lead to secondary uses the patient never agreed to.
Current protections are uneven. In the United States, HIPAA covers hospitals and doctors, but it often does not extend to AI vendors that process de-identified data. The European Union’s GDPR offers stronger requirements for consent, but enforcement varies. Even under GDPR, what counts as “anonymous” is being tested in courts.
What Patients Can Do
While you cannot fully control how hospitals use AI, you can take a few practical steps to reduce your exposure:
- Ask your provider. Before an imaging exam, ask: “Is an AI tool involved in reading my scan? If so, which company, and what do they do with my images afterwards?” Many hospitals have patient-relations offices that can provide this information.
- Opt out of research. Most facilities allow you to refuse to have your data used for research or algorithm training. Check the consent form you sign at registration. If it includes a checkbox for data sharing, leave it unchecked.
- Request deletion. After your diagnosis is complete, you can ask the hospital to remove your images from any AI training database. This is not always possible, but it puts your request on record.
- Use encrypted communication. If your provider offers a patient portal, use it for sharing scan results rather than email or text. Portals are usually more secure.
- Support stronger laws. Patient advocacy groups are pushing for updates to HIPAA that cover AI vendors. Writing to your state or federal representatives can help.
Sources
- Radiological Society of North America. “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks.” RSNA News, May 20, 2026.
- Radiological Society of North America. “Radiologists Urge Economic Realism in AI Adoption.” RSNA News, May 26, 2026.
- Personal communication with Dr. Elena Torres, health privacy researcher, June 2026 (anonymized per request).
This article is for informational purposes only and does not constitute legal or medical advice. For specific concerns, consult your healthcare provider or a privacy attorney.