What Medical Imaging AI Means for Your Privacy – And How to Protect It
Artificial intelligence is increasingly used to read X‑rays, CT scans, and MRIs. It can spot tumors, measure blood flow, and speed up diagnosis. But as AI becomes more common in radiology, a quieter issue has emerged: these images contain far more data than doctors typically see, and some of that data can be used in ways patients never expected.
In May 2026, the Radiological Society of North America (RSNA) published a report that laid out the privacy risks clearly. This article covers what that report says, why it matters to you, and what you can do to protect your own medical imaging data.
What Happened
The RSNA report, titled “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks,” was published on May 20, 2026. It warned that AI models trained on medical images can inadvertently extract personal details, such as a person’s facial structure, body measurements, or approximate age, from scans that were never meant to reveal them. Any CT or MRI whose field of view includes the head captures the soft tissue of the face, and that surface can be rendered as a 3D model. If such a model is linked to a name or medical record number, it could be used for facial recognition or other identity matching.
The report also flagged that many AI systems are developed or hosted by third‑party vendors. When your hospital sends images to a vendor’s cloud servers for AI analysis, the vendor may store, process, or further share that data in ways you cannot control. Current privacy laws like HIPAA (Health Insurance Portability and Accountability Act) were written for a world without AI and often do not address these new re‑identification risks.
Why It Matters to Patients
Most people assume their medical images are protected just like any other health record. In practice, the picture is more complicated.
Re‑identification risk. Even after a scan is stripped of your name and date of birth, an AI can sometimes match it to a public database using facial features or bone structure. This is different from a traditional data breach—here, the privacy risk comes from the data itself, not from a lost laptop.
Bias and discrimination. AI models trained on images from certain populations may perform poorly on others. If your scan is used to train a model without your knowledge (or consent), it may later be used in ways that affect insurance or employment decisions. How exactly this could happen is still being studied, but the risk is real enough that the RSNA urged hospitals to be transparent about data use.
Vendor access. When you agree to an AI‑assisted scan, you are often also agreeing (through a generic consent form) to let a third‑party company see your images. That company may use the data for algorithm improvement, research, or other purposes. The RSNA report noted that many patients are never told which vendors are involved or what the vendor does with the data after analysis.
How AI Models Actually Use Medical Images
To understand the risk, it helps to know a little about how medical AI works. Most systems are trained on thousands of labeled images—for example, CT scans already marked with “normal” or “cancer.” During training, the AI learns patterns that correlate with disease. But it also learns patterns that have nothing to do with disease, such as the shape of a patient’s skull, the distance between their eyes, or subtle variations in body composition.
Researchers have shown that AI can extract these “ancillary” features with high accuracy. Given enough training data, a model may also predict a patient’s sex, age, or ethnicity from a scan. None of these identifies a person on its own, but each one narrows the set of people a scan could belong to, and combined with other data sets (a facial match, a known scan date, a zip code) they can re‑identify someone.
Real‑World Examples (from the RSNA Report)
The RSNA report cited several studies and incidents:
- A 2023 study found that a standard brain MRI could be used to identify people by matching facial features to a driver’s license database. The matching accuracy was over 80% for high‑resolution scans.
- In 2024, a major hospital system discovered that an AI vendor had been retaining copies of chest X‑rays for “algorithm maintenance” even after the contract ended. The vendor eventually deleted the data, but the breach of trust raised questions about oversight.
- Another case involved a cloud AI service that processed mammograms. Raw images were temporarily stored on servers outside the hospital’s network, and two days of data were exposed during a security incident. No patient harm was reported, but the incident highlighted that traditional HIPAA business associate agreements may not cover all vendor actions.
What You as a Patient Can Do
You do not have to accept every risk passively. Here are practical steps you can take before your next imaging exam.
Ask what AI is being used. Before a CT or MRI, ask your doctor or the radiology department: “Will an AI system analyze my images? Which company provides that AI?” Most hospitals have a list of approved vendors—they can share the names.
Ask about data retention. “How long does the vendor keep my images? Are they used for training?” If the answer is vague, request a written explanation. Some hospitals have specific policies that allow you to opt out of data sharing for AI development.
Request anonymization where possible. For non‑diagnostic uses (such as research or algorithm improvement), ask that your images be anonymized at the highest level: de‑facing, removal of all identifying metadata, and, where the hospital offers it, federated learning (where the AI trains on the hospital’s computers without images leaving the building). Be aware that these are different protections. Removing metadata strips names, dates, and record numbers from the file header but does not change the pixels; for any scan that includes the head, the face is in the pixels, and only de‑facing (blurring or removing the facial surface) addresses that.
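To make that distinction concrete, here is an added example (not from the RSNA report, and not any hospital’s or vendor’s code) of header‑level de‑identification in Python. It runs on a constructed dictionary that stands in for a DICOM header rather than a real file, so it needs no imaging library; the action table is a simplified version of the idea behind the DICOM standard’s basic de‑identification profile, not the profile itself, and the tag names, sample values, key and date shift are assumptions for illustration. Two details matter for a patient: unknown and private tags are dropped by default, and free‑text fields are removed rather than kept, because names leak into them.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Constructed sample header (assumption for this example): a plain dict standing
# in for a DICOM data set. Real tooling would read the file with pydicom.
SAMPLE_HEADER = {
    "PatientName": "DOE^JANE",
    "PatientID": "MRN-0042",
    "PatientBirthDate": "19700314",
    "PatientSex": "F",
    "StudyDate": "20260105",
    "SeriesDate": "20260105",
    "AccessionNumber": "ACC-778",
    "InstitutionName": "Example Hospital",
    "ReferringPhysicianName": "SMITH^A",
    "StudyDescription": "CT HEAD W/O CONTRAST - Jane Doe",  # free text with a name in it
    "Modality": "CT",
    "SliceThickness": "1.25",
    "(0009,1001)": "DOE^JANE / bed 12",  # vendor private tag, also carrying the name
}

# Simplified action table (assumption, modelled loosely on the DICOM basic
# de-identification profile): X remove, Z blank, P pseudonymise, S shift date, K keep.
ACTIONS = {
    "PatientName": "Z",
    "PatientID": "P",
    "PatientBirthDate": "X",
    "PatientSex": "K",        # kept for research use; note it is itself an ancillary attribute
    "StudyDate": "S",
    "SeriesDate": "S",
    "AccessionNumber": "X",
    "InstitutionName": "X",
    "ReferringPhysicianName": "Z",
    "StudyDescription": "X",  # free text can carry names: remove rather than keep
    "Modality": "K",
    "SliceThickness": "K",
}

def pseudonymise(value, key):
    """Keyed hash of an identifier: stable across studies, not reversible without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def shift_date(dicom_date, days):
    """Shift a YYYYMMDD date by a fixed per-patient offset so intervals between studies survive."""
    d = date(int(dicom_date[:4]), int(dicom_date[4:6]), int(dicom_date[6:8]))
    return (d + timedelta(days=days)).strftime("%Y%m%d")

def deidentify(header, key, shift_days):
    out = {}
    for tag, value in header.items():
        action = ACTIONS.get(tag)
        if action is None:
            continue  # unknown or private tag: dropped, deny by default
        if action == "K":
            out[tag] = value
        elif action == "Z":
            out[tag] = ""
        elif action == "P":
            out[tag] = pseudonymise(value, key)
        elif action == "S":
            out[tag] = shift_date(value, shift_days)
        # "X": omitted entirely
    # Real DICOM attributes that record what was done (and, honestly, what was not).
    out["PatientIdentityRemoved"] = "YES"
    out["DeidentificationMethod"] = "Header fields only (example); pixel data NOT processed"
    return out

def residual_phi(deidentified, original):
    """Scan every remaining value, including free text, for identifiers from the original."""
    needles = [original["PatientID"], original["AccessionNumber"]]
    needles += original["PatientName"].replace("^", " ").split()
    findings = []
    for tag, value in deidentified.items():
        text = str(value).upper()
        for n in needles:
            if n.upper() in text:
                findings.append((tag, n.upper()))
    return findings

if __name__ == "__main__":
    clean = deidentify(SAMPLE_HEADER, key=b"per-project-secret", shift_days=37)
    print("before:", residual_phi(SAMPLE_HEADER, SAMPLE_HEADER))
    print("after: ", residual_phi(clean, SAMPLE_HEADER), clean)
```

What this example cannot do is the point of the passage above: it never touches pixel data, so burned‑in annotations and the facial surface in a head scan survive it untouched. A real pipeline has to run a de‑facing step on the voxels in addition to this, and should rerun a residual check like `residual_phi` after both steps. Note also that PatientSex is kept here because research often needs it; it is precisely one of the ancillary attributes the report warns about.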
Read the consent form carefully. Many imaging consent forms have a clause about “use of data for quality improvement or research.” You can cross out that clause or write “I do not consent to the use of my images for training AI” before signing. Whether a hospital honors a hand‑edited form varies by institution and by state law, so ask for written confirmation that your restriction was recorded, and keep a copy of the signed form.
Know your rights. Under HIPAA, you have the right to request an accounting of disclosures: a list of who received your health data and why, covering up to the previous six years. Note its limits: disclosures made for treatment, payment, or health care operations are excluded, so an AI vendor that analyzed your images for your own care as the hospital’s business associate will usually not appear on it. You can also ask the hospital to restrict how your information is used or shared, though it is generally not required to agree. HIPAA does not give you a general right to have your images deleted from a vendor’s systems. What you can ask is what the hospital’s contract with the vendor requires, since business associate agreements must address return or destruction of protected health information when the engagement ends; the hospital itself will keep the images it needs for your clinical care.
The Current Legal Landscape
HIPAA (US) covers medical images as “protected health information,” but it was written in 1996, long before AI could extract facial features. Its de‑identification rules illustrate the gap: the “safe harbor” method (45 CFR §164.514(b)) lists 18 identifiers that must be removed, including “full‑face photographic images and any comparable images,” but it was written with photographs in mind, not a face that sits in no header field and is instead reconstructable from the pixels of a head scan. Stripping those 18 fields from a scan’s header therefore removes the labels but not the face; whether the remaining pixel data counts as a “comparable image” is exactly the kind of question the rule does not answer. The Department of Health and Human Services has not issued specific guidance on AI re‑identification. The RSNA report called for updated rules that require explicit consent before images are used for AI training.
In Europe, the GDPR (General Data Protection Regulation) offers stronger protections. Medical images are “special category data” under Article 9, so processing them with AI requires both a lawful basis under Article 6 and one of the Article 9 conditions, such as explicit consent, provision of health care, or scientific research subject to appropriate safeguards. GDPR also gives patients rights to data portability (Article 20) and erasure (Article 17), which can reach images held by vendors, although erasure is subject to exceptions, including retention required by law, which covers much of a medical record. Article 22 limits decisions based solely on automated processing, which becomes relevant if an AI result were acted on without human review.
Still, gaps exist everywhere. No regulation fully addresses the risk that an AI can derive information (like facial geometry) that the patient never intended to share.
Future Outlook: Possible Solutions
Researchers and policymakers are exploring technical fixes. Federated learning allows AI models to train across multiple hospitals without moving the images: each hospital trains on its own data, and only model parameters (or parameter updates) are sent to a coordinating server. This removes the bulk transfer of images, which is the largest exposure. It is not a complete answer on its own, though. Research has shown that shared gradients or updates can sometimes be inverted to recover recognizable training inputs, or probed to test whether a particular record was in the training set, so federated learning is usually combined with the differential‑privacy techniques described next. Some hospitals are already piloting this approach.
Differential privacy bounds how much any single patient’s images can influence the trained model: each contribution is clipped to a fixed size and calibrated random noise is added during training, so that the final parameters reveal little about whether any one scan was included and cannot be used to reconstruct it. Early results show it can protect privacy without sacrificing too much accuracy, though the privacy budget (how much noise is added relative to the clipping bound) has to be chosen and reported explicitly; a vendor that merely says “we use differential privacy” has not yet said how much protection it provides.
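An added example of the two mechanisms just described, federated averaging and the clip‑and‑noise step that turns it into a differentially private variant; this is illustration code written for this article, not the RSNA report’s, any hospital’s or any vendor’s implementation. It uses a toy linear model in plain Python so it runs without a deep‑learning framework: three constructed “hospitals” each hold synthetic feature/label pairs, only parameter deltas leave each site, and the DP variant clips every site’s delta and adds Gaussian noise scaled to that clip bound. The data, site sizes, learning rate, clip bound and noise multiplier are all assumptions chosen for illustration.

```python
import math
import random

# Constructed synthetic data (assumption): each "hospital" holds feature vectors x,
# standing in for a few image-derived measurements, and a label y generated from
# a known linear relation y = TRUE_W . x + noise.
TRUE_W = [2.0, -1.0, 0.5]

def make_client(n, seed):
    rng = random.Random(seed)
    data = []
    for _ in range(n):
        x = [rng.gauss(0, 1) for _ in TRUE_W]
        y = sum(wi * xi for wi, xi in zip(TRUE_W, x)) + rng.gauss(0, 0.1)
        data.append((x, y))
    return data

def gradient(w, data):
    """Mean-squared-error gradient of a linear model over one site's data."""
    g = [0.0] * len(w)
    for x, y in data:
        err = sum(wi * xi for wi, xi in zip(w, x)) - y
        for j, xj in enumerate(x):
            g[j] += 2 * err * xj
    return [gj / len(data) for gj in g]

def local_update(w_global, data, lr, local_steps):
    """Train on the site's own data; only the parameter delta leaves the building."""
    w = list(w_global)
    for _ in range(local_steps):
        g = gradient(w, data)
        w = [wi - lr * gi for wi, gi in zip(w, g)]
    return [wi - gi for wi, gi in zip(w, w_global)]

def l2(v):
    return math.sqrt(sum(vi * vi for vi in v))

def clip(delta, bound):
    """Limit one site's influence: scale the delta down if its L2 norm exceeds `bound`."""
    n = l2(delta)
    return delta if n <= bound else [d * bound / n for d in delta]

def fedavg_round(w_global, clients, lr, local_steps, clip_bound=None, noise_mult=0.0, rng=None):
    """One federated-averaging round; with clip_bound set it becomes DP-FedAvg."""
    rng = rng or random.Random(0)
    total = sum(len(c) for c in clients)
    agg = [0.0] * len(w_global)
    for data in clients:
        delta = local_update(w_global, data, lr, local_steps)
        if clip_bound is None:
            weight = len(data) / total          # plain FedAvg: weight by data size
        else:
            delta = clip(delta, clip_bound)     # DP: bound each site's contribution ...
            weight = 1.0 / len(clients)         # ... and average uniformly so that bound is the sensitivity
        for j in range(len(agg)):
            agg[j] += weight * delta[j]
    if clip_bound is not None and noise_mult > 0:
        # Gaussian noise calibrated to the clip bound: noise only means something once
        # the maximum influence of any single site has been bounded by clipping.
        sigma = noise_mult * clip_bound / len(clients)
        agg = [a + rng.gauss(0, sigma) for a in agg]
    return [w + a for w, a in zip(w_global, agg)]

def central_step(w_global, clients, lr):
    """Reference: one gradient step on pooled data, i.e. images shipped to one place."""
    pooled = [row for c in clients for row in c]
    g = gradient(w_global, pooled)
    return [wi - lr * gi for wi, gi in zip(w_global, g)]

def train(clients, rounds, lr, local_steps, clip_bound=None, noise_mult=0.0, seed=0):
    rng = random.Random(seed)
    w = [0.0] * len(TRUE_W)
    for _ in range(rounds):
        w = fedavg_round(w, clients, lr, local_steps, clip_bound, noise_mult, rng)
    return w

if __name__ == "__main__":
    sites = [make_client(50, 1), make_client(30, 2), make_client(20, 3)]
    print("federated:   ", [round(v, 3) for v in train(sites, 40, 0.1, 1)])
    print("DP-federated:", [round(v, 3) for v in train(sites, 40, 0.1, 1, clip_bound=0.5, noise_mult=0.2)])
    print("true weights:", TRUE_W)
```

Two things are worth checking when you run it. With one local step per round and size‑weighted averaging, a federated round produces exactly the same parameters as a gradient step on the pooled data, which is the sense in which “only the parameters leave” loses nothing for the model. And the DP variant still converges close to the true weights, but now every site’s delta has a hard ceiling on its norm before noise is added; without that clipping step, the noise has no fixed scale to be calibrated against, and a single site’s update could dominate the average. The noise multiplier is the knob a vendor has to disclose for a “we use differential privacy” claim to mean anything.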
But these tools are not yet standard. Until they are, the burden falls on patients to ask questions and on providers to be transparent.
Conclusion
Medical imaging AI can improve care—catching cancers earlier, reducing radiation doses, and cutting turnaround times. But the same technology creates privacy risks that many patients are unaware of. The RSNA report is a wake‑up call: the data in a scan goes far beyond the diagnosis. By asking the right questions and understanding your rights, you can reduce the chance that your images are used in ways you never agreed to.
Sources
- “Medical Imaging AI Opens a Pandora’s Box of Privacy‑Related Risks,” Radiological Society of North America, May 20, 2026. (accessed via Google News)
- U.S. Department of Health and Human Services, HIPAA Privacy Rule, 45 CFR §164.501 et seq.
- General Data Protection Regulation (EU) 2016/679, Articles 6, 9, 17, 20, and 22.
- Research studies cited in the RSNA report on facial reconstruction from CT and MRI (2023, 2024).