What Patients Should Know About Privacy Risks in Medical Imaging AI

Artificial intelligence is now routinely used to analyze X-rays, CT scans, and MRIs. These tools can help radiologists spot tumors, measure blood flow, and detect fractures faster than ever. But as AI systems train on vast collections of medical images, a new set of privacy risks has emerged. A recent report from the Radiological Society of North America (RSNA) describes the situation as a “Pandora’s box” of privacy-related concerns. This article explains what patients should understand, what is at stake, and what steps you can take.

What Happened

In May 2026, RSNA published an article highlighting the growing privacy risks associated with AI in medical imaging. The piece notes that the same features that make AI powerful—access to large datasets, the ability to extract patterns, and the need for diverse training examples—also create vulnerabilities. Key risks identified include:

  • Data breaches: Hospitals and imaging centers store large volumes of digital images. A breach could expose not only the images but also linked personal information.
  • Re-identification: Even after images are de-identified (names, dates, and ID numbers removed), researchers have shown that faces reconstructed from CT or MRI data can sometimes be matched to individuals. Body shape, bone structure, and even dental patterns may serve as quasi-identifiers.
  • Consent gaps: Many patients do not know that their scans may be used to train commercial AI algorithms. Consent forms often contain broad language about “research” or “quality improvement,” and patients rarely have a meaningful choice to opt out once the scan is done.

The RSNA article is part of a broader discussion happening in radiology, informatics, and policy circles. Similar concerns have been raised by the American College of Radiology and privacy advocacy groups.

Why It Matters

For most people, a medical scan is a routine part of a checkup or diagnosis. You expect the images to stay private and to be used only for your care. But when those images enter an AI training pipeline, the rules become less clear.

HIPAA (the Health Insurance Portability and Accountability Act) protects your “protected health information” (PHI) when it is held by a covered entity like a hospital. However, if images are stripped of 18 specific identifiers, they are considered de-identified and no longer subject to HIPAA. That means the data can be shared, sold, or used for AI training without your consent. The RSNA article and several academic papers have shown that de-identification is not always irreversible. Even without a name, a CT scan of your head contains enough unique anatomical detail to potentially link back to you through other databases.

There is also the question of secondary uses. A scan taken for a broken arm might later be used to train an algorithm for lung cancer screening—without you ever being asked. While this can improve medicine, it also means your images are sitting on servers you never authorized, sometimes in other countries.

If a breach occurs, the consequences can go beyond identity theft. Because medical images are highly personal, their exposure could lead to discrimination by employers or insurers, or cause deep emotional distress.

What Readers Can Do

You cannot fully control what happens to your medical images once they enter a large health system, but you can take practical steps to reduce your exposure.

  1. Ask before you scan. When your doctor orders an imaging test, ask the facility whether your images will be used for AI training or research. Some hospitals have begun offering an opt-out checkbox. If they say no, ask them to note that you do not consent. The request may not be honored everywhere, but it signals demand for transparency.

  2. Review consent forms. Read the fine print. If the form includes broad language about using your data for “research” or “algorithm development,” ask for clarification. You can also request to see the facility’s data-sharing policy.

  3. Use patient portals. If your hospital offers a patient portal, check what information is shared. Some portals let you see who has accessed your images and for what purpose. Report any suspicious activity.

  4. Stay informed about de-identification. Ask whether the facility uses certified de-identification methods and whether it conducts re-identification risk assessments. A reputable facility should be able to explain its process.

  5. Consider encryption. When you receive digital copies of your images (on a CD or via download), store them securely. Use strong passwords and avoid uploading them to cloud services that are not HIPAA-compliant.

  6. Support stronger laws. Current federal law does not require explicit consent for AI training once images are de-identified. Contact your representatives and ask them to support legislation that closes this gap. Some states are already moving in this direction.

Sources

  • Radiological Society of North America: “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks” (May 2026)
  • U.S. Department of Health and Human Services: HIPAA Privacy Rule and de-identification standards
  • Journal of the American Medical Informatics Association: Studies on re-identification risks from medical images
  • American College of Radiology: Statements on AI governance and data privacy

This is a fast-moving area. Regulations and hospital policies are still evolving. The best protection today is to ask questions, read the fine print, and stay aware of how your data may be used.