The Hidden Privacy Costs of AI in Medical Imaging: What Every Patient Should Know
Artificial intelligence is reshaping radiology. Algorithms can now spot tumors, measure organ volumes, and flag abnormalities faster than many radiologists. That promises better outcomes. But there is a less visible trade-off: your medical images are becoming far more valuable—and vulnerable—than their pixels suggest.
A recent special report from the Radiological Society of North America (RSNA) warns that privacy protections have not kept pace with AI adoption in imaging. As AI tools proliferate, the same data that helps diagnose disease can also be used to identify, profile, and even track you.
What happened
Medical images are not anonymous. A CT scan of the head contains enough facial geometry to reconstruct a recognizable three-dimensional face. A chest X-ray reveals body shape and bone structure. A 2023 study found that more than 90 percent of supposedly de-identified CT scans could be re-identified using off-the-shelf facial recognition AI.
Beyond re-identification, AI can infer sensitive traits from images—age, sex, race, and even genetic predispositions—without those details being explicitly recorded in the medical record. This means an X-ray taken for a broken wrist could, through AI analysis, reveal information about a patient’s likelihood of osteoporosis, heart disease, or certain cancers.
The RSNA report highlights that hospitals and imaging centers often share de-identified images for research or algorithm training. But standard de-identification methods (removing names, dates, and ID numbers) are no longer sufficient. AI can reassemble the missing data from the image content itself.
Why it matters
Once your medical images leave a hospital’s control, they can be used for purposes you never consented to. Potential risks include:
- Unauthorized data sharing. Images uploaded to cloud-based AI services may be stored, analyzed, or sold by third parties.
- Employment and insurance discrimination. Inferred health conditions could affect job offers or coverage rates if data brokers acquire them.
- Surveillance. Law enforcement or other entities could match images from hospital databases with public facial recognition systems.
- Stigma. Patients with rare or sensitive conditions (e.g., HIV-related imaging, gender-affirming surgery scans) face particular exposure.
Current regulations like HIPAA (in the U.S.) and GDPR (in Europe) have gaps. HIPAA covers traditional identifiers but not the re-identification risk embedded in image pixels. GDPR gives individuals rights over their data, but enforcement across international research collaborations is uneven.
What readers can do
For patients:
- Ask before you scan. When your doctor orders an imaging exam, ask: “Will my images be used to train AI? If so, are they fully de-identified? Can I opt out?”
- Read consent forms carefully. Many imaging centers include a broad research consent clause. You can usually decline without affecting your care.
- Request a data-use notice. Under HIPAA, you have the right to know how your medical data is used and shared. If the answer is vague, consider choosing a provider with clearer policies.
- Monitor for breaches. Healthcare data breaches are common. Use services like Have I Been Pwned or check your health provider’s breach notification page.
For healthcare professionals and administrators:
- Adopt stronger de-identification. Standard removal of tags is not enough. Use techniques like defacing software that removes facial features from head scans before sharing.
- Implement differential privacy. Add controlled noise to aggregated imaging data so that individual contributions cannot be inferred.
- Use federated learning. Train AI models across multiple sites without moving the raw images—only model updates are shared, reducing exposure.
- Maintain audit logs. Track who accesses imaging data, when, and for what purpose. Flag unusual queries.
- Be transparent with patients. Explain in plain language what happens to their images after diagnosis. Offer a clear opt-out.
No single safeguard is perfect, but layered protections make exploitation much harder.
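One way to implement the audit-log item from the list above, as an added example that is not part of the original article or the RSNA report. The record format, user names, patient IDs and thresholds are all constructed assumptions; a real deployment would read its PACS or EHR audit trail instead.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records: timestamp, user, patient ID, stated purpose.
SAMPLE_LOG = """\
2025-03-03T09:12:00 rad_lee P001 diagnosis
2025-03-03T09:40:00 rad_lee P002 diagnosis
2025-03-03T10:05:00 res_kim P003 research
2025-03-03T23:14:00 res_kim P004 research
2025-03-03T23:15:00 res_kim P005 research
2025-03-03T23:16:00 res_kim P006 research
2025-03-03T23:17:00 res_kim P007 research
2025-03-04T11:30:00 adm_roy P001 -
"""

BULK_LIMIT = 3             # assumed policy: distinct patients per user per hour
WORK_HOURS = range(7, 20)  # assumed policy: 07:00-19:59 is normal working time

def parse(log_text):
    """Yield (timestamp, user, patient, purpose) for each non-empty line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, purpose = line.split()
        yield datetime.fromisoformat(ts), user, patient, purpose

def flag_unusual(log_text):
    """Return sorted (user, reason) pairs that a reviewer should look at."""
    flags = set()
    patients_per_hour = defaultdict(set)
    for ts, user, patient, purpose in parse(log_text):
        if purpose == "-":                      # access with no recorded purpose
            flags.add((user, "no stated purpose"))
        if ts.hour not in WORK_HOURS:           # access outside working hours
            flags.add((user, "after-hours access"))
        bucket = (user, ts.replace(minute=0, second=0))
        patients_per_hour[bucket].add(patient)
        if len(patients_per_hour[bucket]) > BULK_LIMIT:  # many patients, one hour
            flags.add((user, "bulk access"))
    return sorted(flags)

if __name__ == "__main__":
    for user, reason in flag_unusual(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

A flag here is a prompt for human review, not proof of misuse; the thresholds should be tuned to each role's normal workload.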
Sources
- Radiological Society of North America (RSNA) special report on AI privacy risks in radiology (2025).
- Study on CT scan re-identification using facial recognition AI (2023). Published in Health Affairs (cited widely in the RSNA report).
- U.S. Department of Health and Human Services guidance on HIPAA and de-identification.
AI in medical imaging is not going away, nor should it. The technology saves lives. But every patient deserves to know that when they lie still in a scanner, their image may outlast the diagnosis—and that someone else may be looking at it. Until regulations catch up, asking questions is the best defense.