New Study: Medical AI Puts Some Patients’ Privacy at Greater Risk – What to Do

If you’ve used an AI-powered symptom checker, a telehealth platform, or a mental health chatbot recently, your medical data may have ended up in places you didn’t expect. A study published in July 2026 by Telehealth.org found that not all patients face the same level of data exposure risk when using medical AI tools. Some groups are significantly more exposed than others.

This article explains what the study found, why the disparity matters, and—most importantly—what you can do to protect your health information.

What happened

The Telehealth.org study examined how different types of patients are affected when medical AI systems collect, store, and share data. While the full methodology hasn’t been publicly detailed, the researchers identified clear patterns: certain patient groups, such as those using direct-to-consumer AI health apps, people managing chronic conditions, and individuals with lower digital literacy, face higher risks of data exposure.

The study didn’t name specific apps or providers, but the pattern aligns with other recent findings. For example, a May 2026 report from Trend Micro revealed that thousands of medical imaging servers (DICOM servers) remain exposed online, many of which feed into AI diagnostic tools. Meanwhile, the HIPAA Journal’s June 2026 healthcare breach statistics showed that breaches involving business associates—third-party AI vendors—are growing faster than breaches at hospitals themselves.

Why it matters

The underlying problem is not that AI is inherently dangerous. The problem is that data handling practices vary widely. Some medical AI tools are developed by startups with limited security budgets, some share data with third parties for model training without clear consent, and some store information in ways that make it vulnerable to breaches.

Patients who are less familiar with privacy settings are less likely to opt out of data sharing. Patients with chronic conditions generate more data, which means more exposure if a breach occurs. And patients who rely on free or low-cost AI health services often have fewer protections because those services monetize data differently.

The APA’s November 2025 health advisory on generative AI chatbots for mental health specifically warned that many wellness apps do not comply with healthcare privacy laws like HIPAA, even when they claim to be “therapeutic.”

What readers can do

You don’t need to stop using medical AI. But you should take these steps to reduce your risk.

Ask before you use. Before signing up for an AI-powered health service, ask the provider: Is this tool covered by HIPAA? Is my data used to train the AI model? Can I request deletion of my data? A legitimate service should answer clearly. If they don’t, consider it a red flag.

Check the privacy policy—for real. Most people skip this. Focus on sections about “data sharing,” “third parties,” “research,” and “deletion rights.” If the policy is vague or says they can share data with “affiliates” or “partners” without listing them, assume your data will be shared.

Limit what you share. Do not give an AI tool more information than necessary. For example, if you’re using a symptom checker, you probably don’t need to provide your full name, address, or insurance ID. Use the minimum required.

Use strong, unique passwords. If a health app gets breached, the first thing attackers try is reusing credentials. Use a password manager and enable two-factor authentication whenever offered.

Opt out where possible. Some services let you disable data collection for model training or marketing. Look for a “privacy settings” menu or a “Do Not Sell My Personal Information” link (in the U.S., some are required under state laws like the California Consumer Privacy Act).

Watch for warning signs. Unexpected charges, unexplained changes in treatment recommendations, or notifications that your data was accessed from an unknown location could indicate misuse.

Stay informed about regulation. The National Academy of Medicine’s February 2025 report on AI in health settings recommended stronger oversight for non-clinical AI tools. Regulatory action may take years, but knowing what’s being proposed—such as federal privacy standards for health AI—helps you hold providers accountable.

Sources

  • Telehealth.org, “Medical AI Privacy Study Finds Some Patients Face Greater Data Exposure Risks,” July 2026.
  • HIPAA Journal, “Trends In Healthcare Data Breach Statistics,” June 2026.
  • Trend Micro, “A Hidden Vulnerability in Healthcare: Exposed DICOM Servers and the Risk to Patient Data,” May 2026.
  • American Psychological Association, “Health advisory: Use of generative AI chatbots and wellness applications for mental health,” November 2025.
  • National Academy of Medicine, “Advancing Artificial Intelligence in Health Settings Outside the Hospital and Clinic,” February 2025.