Medical Imaging AI: What Patients Should Know About Emerging Privacy Risks

Artificial intelligence is making its way into radiology departments across the country, helping doctors spot tumors, fractures, and other abnormalities faster than ever. But that same technology introduces new ways your medical images, and the personal information attached to them, could be exposed or misused. A recent special report from the Radiological Society of North America (RSNA) warns that medical imaging AI opens what it calls a “Pandora’s box” of privacy-related risks. If you are a patient, understanding these risks is the first step toward protecting your health data.

What Happened

In May 2026, the RSNA published a detailed report outlining several privacy vulnerabilities tied to the use of AI in medical imaging. The report draws attention to the fact that AI systems often require vast amounts of data — including CT scans, MRIs, and X‑rays — to train and validate their algorithms. When these images are shared with third parties, de‑identification techniques that once seemed adequate may no longer be sufficient.

The RSNA report specifically flags the risk of re‑identification: even when personal identifiers like name and date of birth are stripped, AI tools can sometimes infer sensitive information from the image itself. For example, facial features reconstructed from a head CT could potentially be matched to public databases. The report also notes that some imaging centers and hospitals already have policies that allow sharing de‑identified data for AI research without explicit patient consent — a practice many patients are unaware of.

Why It Matters

Medical images contain layers of information far beyond the clinical diagnosis. They can reveal body shape, age, sex, and even hints of genetic conditions. Once an image leaves your healthcare provider’s control, you have very little say over how it is used.

There are three main privacy threats to consider:

  • Re‑identification: Advances in AI make it easier to link supposedly anonymous images back to specific individuals by cross-referencing with other available data.
  • Data breaches: Imaging repositories are attractive targets for attackers because of the volume of personal data they hold. A breach could expose not only the images but also linked health records.
  • Secondary use without your knowledge: Many institutions write broad consent clauses into their standard paperwork. You may be agreeing to let your images be used for AI training or commercial algorithm development, or be shared with research partners, often without a clear explanation of who gets access or for how long.

Current federal law, primarily HIPAA, has gaps when it comes to AI. HIPAA covers how your data is handled by covered entities (hospitals, insurers), but it does not clearly regulate what happens once de‑identified data is transferred to a third‑party AI developer. There are no comprehensive federal laws specifically addressing AI privacy in medical imaging as of mid‑2026.

What Readers Can Do

You don’t have to be passive about your medical image privacy. Here are concrete steps you can take before and after a scan:

  1. Ask upfront about AI use. When your doctor orders an imaging exam, ask the facility: “Will AI be used to analyze my images? If so, what happens to my images after the analysis?” Radiologists and imaging centers should be able to provide a straightforward answer.

  2. Request the facility’s data-sharing policy. Ask for a copy of their notice of privacy practices and specifically inquire whether your images may be shared with third parties for AI training. Some centers now include this language in general consent forms.

  3. Understand the difference between de‑identification and anonymization. De‑identification is not permanent; with enough computing power and auxiliary data, re‑identification may be possible. If a policy claims your data is “de‑identified,” ask what method they use and whether they guarantee it can’t be reversed.

  4. Opt out of research databases where possible. Many hospitals allow you to restrict use of your data for research. This is often an opt‑out provision, meaning if you don’t say no, your images may be included. Look for a “research data use” checkbox on your intake forms and decline if you’re uncomfortable.

  5. Know your state laws. Some states have additional privacy protections beyond HIPAA. California, for example, gives residents more control over how their health data is used. Check if your state has laws that require explicit consent for sharing medical images.

Sources

  • Radiological Society of North America. “Medical Imaging AI Opens a Pandora’s Box of Privacy‑Related Risks.” RSNA Special Report, May 20, 2026.
  • RSNA. “Special Report Highlights LLM Cybersecurity Threats in Radiology.” May 14, 2025.
  • U.S. Department of Health and Human Services. “HIPAA Privacy Rule and Sharing Information Related to Artificial Intelligence.” (Ongoing guidance updates.)

Staying informed is the most effective safeguard. As AI in radiology continues to evolve, so will the privacy landscape. Ask questions, read your consent forms carefully, and don’t hesitate to push back when a facility can’t give clear answers about your data.