Medical Imaging AI Raises Serious Privacy Risks: What Patients Need to Know

If you’ve ever had an X-ray, MRI, or CT scan, those images now live somewhere in a digital health system—and increasingly, they’re being fed into artificial intelligence tools. Radiology is one of the fastest adopters of AI, with major conferences like the Radiological Society of North America (RSNA) showcasing hundreds of new models each year. But a recent presentation at RSNA 2025/2026 warned that the privacy side of this fast-moving field is not keeping up. For patients, that means there are real, non-obvious ways your medical images could be exposed or misused.

What Happened

At a session during the RSNA annual meeting, researchers and privacy experts detailed what they called a “Pandora’s box” of risks tied to AI in medical imaging. The full report, published by RSNA in May 2026, highlights several specific vulnerabilities:

  • Metadata leaking identity. Medical images are often stored with embedded metadata—name, date of birth, facility, and even physician notes. Even when “de-identified,” some of this data can persist or be re-extracted.
  • AI model inversion. Some deep learning models can reconstruct recognizable faces or bodily features from de-identified image sets. This is not theoretical; it has been demonstrated in research.
  • Unauthorized sharing for training. Third-party AI vendors sometimes receive large batches of imaging data for model training. The contracts and oversight on those transfers are not always strong enough to prevent misuse or accidental breaches.

The report does not claim that such incidents are widespread yet, but it stresses that the infrastructure for protecting patient data has not evolved alongside the rapid deployment of AI tools.
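
For readers on the technical side, the metadata point above can be checked directly. The following is an added example, not code from the RSNA report or any vendor: it lists identifying header fields that survive a de-identification pass. It assumes the images are DICOM files (the standard medical imaging format, which this article does not name) with a flat Explicit VR Little Endian header; the sample header and all function names are constructed for illustration.

```python
import struct

IDENTIFYING = {  # DICOM tags that can identify a patient (tag -> keyword)
    (0x0008, 0x0080): "InstitutionName", (0x0008, 0x1010): "StationName",
    (0x0008, 0x0090): "ReferringPhysicianName",
    (0x0010, 0x0010): "PatientName", (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0020, 0x4000): "ImageComments",  # free text, may hold clinical notes
}
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # VRs with 4-byte length

def elements(data):
    """Yield (tag, value) from a flat Explicit VR Little Endian dataset."""
    pos = 132 if data[128:132] == b"DICM" else 0  # skip the file preamble
    while pos + 8 <= len(data):
        group, elem, vr, length = struct.unpack_from("<HH2sH", data, pos)
        pos += 8
        if vr in LONG_VRS:  # the 2 bytes just read were reserved padding
            (length,) = struct.unpack_from("<I", data, pos)
            pos += 4
        if length == 0xFFFFFFFF or pos + length > len(data):
            raise ValueError("nested or truncated element, not handled here")
        yield (group, elem), data[pos:pos + length]
        pos += length

def residual_identifiers(data):
    """Return (field, text) pairs for identifying data left in the header."""
    findings = []
    for tag, value in elements(data):
        text = value.decode("latin-1").strip(" \x00")
        if tag in IDENTIFYING and text:
            findings.append((IDENTIFYING[tag], text))
        elif tag[0] % 2 == 1 and text:  # odd group: vendor-private, unreviewed
            findings.append(("Private(%04X,%04X)" % tag, text))
    return findings

def make_element(group, elem, vr, text):
    raw = text.encode("latin-1")
    raw += b" " * (len(raw) % 2)  # DICOM values are padded to even length
    return struct.pack("<HH2sH", group, elem, vr, len(raw)) + raw

# Constructed sample: flagged as de-identified, name blanked, rest left behind.
SAMPLE = b"".join([
    make_element(0x0008, 0x0080, b"LO", "Example General Hospital"),
    make_element(0x0009, 0x0010, b"LO", "SCANNER-7 ROOM 3"),
    make_element(0x0010, 0x0010, b"PN", ""),
    make_element(0x0012, 0x0062, b"CS", "YES"),  # PatientIdentityRemoved
    make_element(0x0020, 0x4000, b"LT", "Pt J. Doe, follow-up for Dr. Roe"),
])
print(residual_identifiers(SAMPLE))
```

The sample reports three leftover fields even though the name is blank and the header declares the identity removed, which is the gap the report describes.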

Why It Matters

Medical images are not just generic data—they are uniquely identifiable. Your skull shape, your spine alignment, even your ear geometry can be used to match images back to you, even if your name is stripped. That is why HIPAA treats medical images as protected health information.

The concern is not that AI is inherently dangerous, but that the privacy safeguards designed for static records and film do not apply well to machine learning workflows. For example:

  • When a hospital sends scans to a cloud AI service, who exactly has access? The vendor’s engineers, data scientists, and perhaps subcontractors.
  • If an AI model is later published or shared, could someone run a “reconstruction attack” on it to pull out original images? Researchers have shown it is possible in controlled settings.
  • Data breaches involving medical imaging databases have already happened. In one well-publicized case, a radiology AI vendor stored scans on an unprotected server, exposing millions of records.

Regulators are aware. The FDA reviews AI tools for safety and effectiveness but has not historically focused on downstream data privacy. HHS (which enforces HIPAA) has issued guidance, but enforcement has been uneven, especially when data crosses to third parties.

What Readers Can Do

You do not need to be a technologist to reduce your risk. Here are practical steps, framed as questions you can ask:

  1. Ask your provider: “Who has access to my imaging data besides your hospital?”
    Many radiology departments work with AI vendors. You have a right to know which companies, and whether your data is anonymized before it leaves the hospital.

  2. Inquire about the de-identification process.
    “De-identified” can mean different things. Ask if metadata like your name, date of birth, and scanner location are fully removed before any external use. A simple question can prompt the office to review its practices.

  3. Read the notice of privacy practices.
    HIPAA requires every provider to give you a document explaining how your data can be used. Look for language about “research” or “business associates” that may permit sharing with AI companies.

  4. Opt out if your provider allows it.
    Some hospitals let you restrict use of your data for research or AI training. It may not apply to all uses, but it is worth asking.

  5. Be cautious about sharing images with online services.
    Avoid uploading your scans to third-party “AI diagnostic” websites unless you are certain about their privacy policy and security.

Sources

  • Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks, Radiological Society of North America (RSNA), May 20, 2026.
  • RSNA 2025 Technical Exhibits – Largest Radiology AI Showcase, RSNA, September 2025.
  • Additional coverage from radiology and health IT outlets discussing AI de-identification challenges and prior data breaches.

The science of AI in imaging holds real promise for catching diseases earlier. But that progress should not come at the cost of your privacy. Understanding these risks is the first step toward ensuring your medical images are used only in ways you can trust.