What Patients Need to Know About AI Privacy Risks in Medical Imaging
Artificial intelligence is increasingly used to read X-rays, CT scans, and MRIs. The promise is real: faster diagnoses, fewer missed findings, and more consistent interpretation. But a recent report from the Radiological Society of North America (RSNA) warns that these tools also open the door to privacy risks that many patients and even some clinicians are not fully aware of.
If you’ve ever had a medical image taken, that image—and the data embedded in it—could be used to train or validate AI systems. The questions are whether your consent was obtained, how well your identity is protected, and what happens if that data is ever compromised.
What the RSNA Report Reveals
In a special publication, RSNA highlighted that AI introduces “unprecedented” privacy threats in medical imaging. Unlike traditional use of images for diagnosis, AI systems often require large datasets that are shared across institutions or with third-party vendors. Even when images are de-identified (names and ID numbers removed), researchers have shown that facial features in 3D scans or unique anatomical markers can sometimes be used to re-identify individuals. The report also notes that the metadata attached to images—such as machine settings, timestamps, and facility IDs—can leak personal information when combined with other data sources.
The problem is not hypothetical. In 2023, a major health system reported a data breach involving an AI vendor that had access to thousands of chest X-rays. Some vendors store or process images on cloud servers that may not meet the same security standards as hospital networks. And unlike a stolen credit card number, a medical image cannot be reissued.
Why It Matters for Patients
Most patients assume their medical data is protected by HIPAA in the United States or similar laws elsewhere. That is only partially true when AI is involved. HIPAA covers how health care providers handle your data, but it does not fully control what happens once images are sent to an AI company that may not be a “covered entity.” Many hospitals require patients to sign broad consent forms at admission that allow use of de-identified data for research and quality improvement—language that is now being stretched to include commercial AI development.
The consequence is that your scan might become part of a training set for an AI model that is later sold or used by other organizations. While the intent is usually benign—better algorithms—the lack of transparency and the possibility of re-identification create real risks. If your employer, insurer, or others obtain information about your health through a data leak, you could face discrimination or financial harm.
What Patients Can Do
You do not need to avoid AI-enhanced imaging. But you can take practical steps to protect your data:
- Ask before you scan. When your doctor recommends an imaging study, ask: “Is AI used to interpret this image, and if so, who has access to the data?” The front desk may not know, but you can ask to speak with the radiology department or the privacy officer.
- Read the consent form carefully. Many forms include a blanket permission to use your data for “secondary purposes.” Ask exactly what that means and whether you can opt out of AI training without affecting your care.
- Opt out where possible. Some imaging centers now allow you to refuse data sharing for AI research or commercial use. If they say no, you can ask why. In some cases, you may choose a different facility.
- Inquire about de-identification. Ask whether images are stripped of facial features and metadata before being shared. The RSNA report stresses that simple de-identification is not always enough—look for assurances that the facility uses techniques like “defacing” algorithms and metadata removal.
- Watch for opt-out rights in your patient portal. Some hospitals post notices about data use for AI in their online portals. Check for settings that let you restrict data sharing.
The Bigger Picture
Regulators are still catching up. The US Food and Drug Administration oversees AI as a medical device, but privacy is handled by separate agencies. The RSNA report is partly a call for stronger standards—such as requiring patient consent before using images for AI training and mandating security audits for vendors. Until those rules are in place, the responsibility largely falls on patients to ask questions.
The goal is not to scare you away from advanced imaging. AI can catch cancers and other conditions earlier. But the same technology that benefits you also creates new ways for information to travel beyond your control. Knowing the risks is the first step toward keeping your health data yours.
Sources: Radiological Society of North America, Special Report on AI Privacy Risks in Medical Imaging (2025); RSNA special report on LLM cybersecurity threats in radiology (2025).