Your Medical Images Are Being Analyzed by AI: What You Need to Know About Privacy Risks

The Radiological Society of North America (RSNA) recently published a report that puts a spotlight on a growing concern: the same artificial intelligence tools that help radiologists detect cancers and other diseases can also expose patients’ most sensitive health data to new privacy risks. If you’ve had an MRI, CT scan, or X-ray in the past few years, there’s a good chance an AI system helped review it. What many patients don’t realize is how that data travels and who may have access to it along the way.

What happened

In May 2026, RSNA issued a report titled “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks.” The report draws attention to the rapid adoption of AI in radiology and highlights several vulnerabilities. Medical images are often sent to cloud servers for analysis by third-party AI vendors. Even when images are stripped of obvious identifiers like names and dates of birth, researchers have shown that re-identification is possible using facial recognition algorithms or by matching metadata such as scan location and rare anatomical features. The report also notes that patients are rarely told when their images are used for training or refining AI models, and that consent processes have not kept pace with the technology.
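To make the point about metadata concrete, here is an added example (not code from the RSNA report or from this article): a small Python audit that lists the quasi-identifying DICOM header fields still populated after only the name and birth date have been blanked. It assumes Explicit VR Little Endian encoding and no undefined-length sequences; the sample bytes, clinic name and station name are constructed, and `residual_identifiers` is a hypothetical helper name.

```python
import struct

# Header fields that can narrow down a patient (tag numbers from the DICOM standard).
QUASI_IDENTIFIERS = {
    (0x0008, 0x0020): "StudyDate",
    (0x0008, 0x0080): "InstitutionName",
    (0x0008, 0x1010): "StationName",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0010, 0x0040): "PatientSex",
    (0x0010, 0x1010): "PatientAge",
}
# Value representations that carry a 32-bit length instead of a 16-bit one.
LONG_VRS = {b"OB", b"OD", b"OF", b"OL", b"OV", b"OW", b"SQ", b"SV", b"UC", b"UN", b"UR", b"UT", b"UV"}

def residual_identifiers(blob: bytes) -> dict:
    """Return {keyword: value} for quasi-identifying elements that are not empty."""
    if blob[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file")
    pos, found = 132, {}
    while pos + 8 <= len(blob):
        group, elem, vr, length = struct.unpack_from("<HH2sH", blob, pos)
        pos += 8
        if vr in LONG_VRS:  # the 2 bytes just read were reserved; real length follows
            (length,) = struct.unpack_from("<I", blob, pos)
            pos += 4
            if length == 0xFFFFFFFF:
                break  # undefined-length sequence: outside this example's assumptions
        value = blob[pos:pos + length]
        pos += length
        name = QUASI_IDENTIFIERS.get((group, elem))
        text = value.decode("ascii", "replace").strip(" \x00")
        if name and text:
            found[name] = text
    return found

def _element(group: int, elem: int, vr: bytes, value: bytes) -> bytes:
    value += b" " * (len(value) % 2)  # DICOM pads values to an even length
    return struct.pack("<HH2sH", group, elem, vr, len(value)) + value

# Constructed sample: name and birth date blanked, everything else left in place.
SAMPLE = (b"\x00" * 128 + b"DICM"
          + _element(0x0008, 0x0020, b"DA", b"20240117")
          + _element(0x0008, 0x0080, b"LO", b"Example Rural Clinic")
          + _element(0x0008, 0x1010, b"SH", b"CT-ROOM-2")
          + _element(0x0010, 0x0010, b"PN", b"")
          + _element(0x0010, 0x0030, b"DA", b"")
          + _element(0x0010, 0x0040, b"CS", b"F")
          + _element(0x0010, 0x1010, b"AS", b"087Y"))
if __name__ == "__main__":
    print(residual_identifiers(SAMPLE))
```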

Why it matters

Medical imaging data is uniquely personal. A chest X-ray isn’t just a picture of your lungs – it can reveal your age, sex, body shape, and sometimes even your identity through facial contours or dental patterns. If this data is leaked, misused, or sold, the consequences go beyond embarrassment. Health data can be used for insurance discrimination, employment decisions, or targeted scams. Unlike a credit card number, you cannot change your medical history.

The RSNA report is especially timely because AI tools are being rolled out in hospitals and clinics at a pace that often outstrips the privacy policies designed to govern them. Under U.S. law, HIPAA covers only certain “covered entities” (providers, insurers, and their business associates), but it may not apply to all third-party AI vendors or to the de-identified data sets they create. In Europe, GDPR offers stronger protections, but enforcement remains inconsistent. The result is a patchwork of rules that leaves many patients in the dark.

What readers can do

You don’t need to become a privacy expert to take practical steps. Here are five concrete actions:

  1. Ask your doctor or imaging center whether they use AI. This should be a routine question, like asking who will read your scan. If they do use AI, ask what company provides it, where the data is processed, and whether any images are stored outside the facility’s network.

  2. Request information about data retention and deletion. Under HIPAA, you have the right to request an accounting of disclosures and to ask that your data be deleted when it is no longer needed for treatment or payment. Some providers may have policies that automatically retain images for years; you can ask for limits.

  3. Avoid posting medical images on social media or sharing them with unverified apps. A CT scan or ultrasound image can reveal far more than you think. Even if you crop out your name, metadata may still be present. For the same reason, be cautious about using “free” health apps that claim to analyze your photos or scans.

  4. Monitor for data breaches. The Department of Health and Human Services maintains a public list of health data breaches involving 500 or more individuals. You can check whether your provider has reported one. If you receive a breach notice, read it carefully – it should explain what type of data was exposed and what steps you can take.

  5. Consider exercising your rights under state privacy laws. A growing number of U.S. states (California, Colorado, Virginia, and others) give residents the right to access, delete, or opt out of the sale of their personal data. These laws often cover health information, even when HIPAA does not.

Sources

  • Radiological Society of North America, “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks,” May 2026.
  • U.S. Department of Health and Human Services, “Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information.”
  • National Institute of Standards and Technology, “De-Identification of Personal Information,” NISTIR 8053.

This article is intended for informational purposes only and does not constitute legal or medical advice. Privacy regulations vary by jurisdiction, and you should consult a qualified professional for guidance specific to your situation.