Medical Imaging AI: What Patients Need to Know About Privacy Risks

Intro

If you’ve had an X-ray, CT scan, or MRI in the past few years, there’s a good chance an artificial intelligence tool helped analyze the images. AI is being deployed in radiology departments to speed up readings, catch subtle findings, and reduce radiologist workload. That sounds promising. But a recent report from the Radiological Society of North America (RSNA) raises an uncomfortable question: at what cost to patient privacy?

The report, published in May 2026, warns that medical imaging AI creates a new set of privacy risks that existing regulations may not fully address. For patients, this means the scans you thought were confidential could be used in ways you never agreed to.

What happened

The RSNA report, titled “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks,” outlines several scenarios where patient imaging data becomes vulnerable.

First, AI models need enormous datasets for training. Hospitals and imaging centers often share de-identified scans with researchers or companies building these models. “De-identified” is supposed to mean all personal details are stripped, but studies have shown that faces and even unique bone structures can be re-identified from scans. In some cases, metadata (like date of birth or location) remains attached.

Second, cloud-based AI processing is becoming common. Your scan may be sent to a third-party server for analysis. That transfer raises the usual data breach concerns: weak encryption, insider threats, or accidental exposure.

Third, consent forms for imaging often don’t mention AI. Patients sign a standard form that covers treatment and billing, but they never give separate permission for their images to be used in machine learning. The RSNA report points out that many patients are unaware this happens.

Why it matters

The core issue is that medical images are not just pictures—they contain biometric data. A CT scan of your skull holds enough detail to reconstruct your face. A chest X-ray reveals your unique lung structure. That information can be used to identify you even without your name attached.

Once an image is part of an AI training set, it may be redistributed, copied, or used in ways that are hard to reverse. A data breach at a cloud AI vendor could expose thousands of patients’ scans. Unlike credit card numbers, you can’t just cancel and get a new face.

Privacy breaches also have consequences beyond embarrassment. Health data is valuable on the black market—for insurance fraud, identity theft, or stalking. And because AI models are rarely transparent, you have no way to know where your images ended up.

Existing U.S. laws like HIPAA offer some protection, but they were written before AI was widespread. HIPAA covers how providers use and disclose health information, but it may not require consent for use in AI training if the data is de-identified. The problem, as the RSNA report notes, is that de-identification methods aren’t foolproof. There’s ongoing debate about whether current techniques are strong enough.

What readers can do

You can take steps to better control your medical imaging data. These won’t eliminate the risk, but they help you stay informed.

  • Ask before you scan. When your doctor orders imaging, ask: “Will my images be used for any AI training or research? Can I opt out?” Not all facilities have a clear opt-out policy, but asking raises awareness.
  • Read the consent form carefully. If it mentions sharing data for “research” or “educational purposes,” ask what that entails. Some forms include blanket permission. You have the right to request a modified version that limits use to your care only.
  • Request a copy of your images. Many hospitals now provide access through patient portals. Keeping your own copy won’t stop them from being shared, but it gives you visibility into what exists.
  • Inquire about data security. You can ask the imaging provider: “Which third-party AI services do you use? Where is my data processed and stored?” They may not have answers, but the question tells them patients care.
  • Check for a privacy notice. Your provider should have a notice explaining data practices. Look for language about AI, machine learning, or cloud processing. If it’s vague, ask for clarification.

It’s also worth noting that some countries have stricter consent requirements under GDPR or similar laws. If you live in or are treated in the EU, you may have stronger opt-out rights.

Sources

The report referenced here is from the Radiological Society of North America (RSNA) and was published in May 2026. You can find it directly on their website under “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks.” Additional context on re-identification risks comes from prior academic research, notably studies on facial reconstruction from CT scans. The discussion of HIPAA limitations reflects ongoing commentary among health privacy experts.

This article is for informational purposes and does not constitute legal or medical advice. Privacy practices vary by institution and jurisdiction.