What Patients Should Know About Privacy Risks in Medical Imaging AI
When you go in for an X-ray, MRI, or CT scan, you probably assume the images stay between you and your doctor. That’s becoming less certain. Artificial intelligence is now regularly used to help interpret radiology images, and with that shift comes a new set of privacy risks that patients rarely hear about.
A recent report from the Radiological Society of North America (RSNA) lays out these concerns plainly. Here’s what you need to know and what you can do about it.
What happened
The RSNA article examines how AI systems in medical imaging rely on large datasets—often built from patient scans—to learn and improve. These datasets can include thousands of images, sometimes pulled from multiple hospitals or even purchased from third-party vendors. The article warns that current practices around de-identification, data sharing, and consent may not be adequate.
Specifically, it points to several risks:
- Re-identification. Removing names and dates from an image is not enough. Researchers have shown that facial features, bone structure, or even metadata can still be used to link a scan back to a specific person.
- Unauthorized secondary use. Scans collected for one purpose (say, a research project on lung cancer) may later be used to train a commercial AI product for a completely different condition.
- Weak consent processes. Patients often sign blanket consent forms that don’t clearly explain how their images will be stored, shared, or sold.
- Third-party access. Hospitals and imaging centers frequently contract with outside AI vendors. The vendor may retain copies of the data, and the patient may have no knowledge of that arrangement.
Why it matters
Medical images are intimate. They reveal not only your anatomy but also clues about your age, sex, genetic markers, and sometimes even your identity. Unlike a credit card number, a CT scan cannot be reissued. Once your medical images are out in the wild—used to train an AI or sold to a data broker—you have almost no way to get them back.
The stakes are especially high for people with rare diseases, distinctive physical features, or high-profile conditions. But the risk applies to everyone. Under current U.S. law (HIPAA), your medical data is protected only when it includes certain “direct identifiers” like your name or Social Security number. Once those are stripped, the data is no longer considered protected—even if it can still be linked back to you by other means. The European Union’s GDPR offers stronger protection, but enforcement remains uneven, and many healthcare systems operate across borders.
The RSNA article is not alarmist—it calls these risks “emerging” and notes that the benefits of AI in radiology are real. But it also stresses that patients and providers need to address privacy gaps now, before the technology becomes even more embedded.
What readers can do
You don’t have to be a privacy expert to protect yourself. Start by asking a few straightforward questions the next time you’re scheduled for an imaging exam.
- Will AI be used to analyze my images? Some centers will say “yes” outright. If they don’t know, ask to speak with the radiology department or privacy officer.
- Who else will have access to my images? Find out if the facility works with an outside AI vendor. If so, ask how that vendor stores and protects the data, and whether they sell or share it with other companies.
- Can I opt out? In many cases, you have the right to refuse to have your images used for AI training or research. Your clinical care should not be affected.
- What de-identification methods are used? Look for “expert determination” (HIPAA’s de-identification standard) or “safe harbor” (removing 18 specific identifiers). But understand that even these methods have limitations.
- Read the consent form carefully. If it contains vague language like “may be used for research or quality improvement,” ask for specifics. You have the right to a clear explanation.
For patients in Europe, your rights under GDPR are broader. You can request that your data not be used for anything beyond your direct care, and you can ask for details about any third-party access.
Sources
- Radiological Society of North America (RSNA), “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks,” May 2026. (Full article available at RSNA.org)
- National Institutes of Health / U.S. Department of Health and Human Services, HIPAA Privacy Rule and De-Identification Standards.
- General Data Protection Regulation (GDPR), Articles 9 and 22 (special categories of personal data, automated decision-making).
If you have concerns, the best first step is to talk to your provider. Radiology practices and hospital privacy officers are increasingly aware of these issues, and many are willing to give straight answers. You are not being difficult—you are being informed.