Your Medical Images Could Be Used to Train AI—Here’s How to Protect Your Privacy
If you’ve ever had an X-ray, MRI, or CT scan, those images are stored digitally. What you may not realize is that they’re also very valuable for training artificial intelligence systems in radiology. AI can help detect tumors, fractures, and other conditions faster than humans in some cases. But that usefulness comes with privacy risks that are only now becoming clearer.
Recent reports from the Radiological Society of North America (RSNA) show that AI in medical imaging is advancing rapidly—and so are the ways patient data can be misused. Two developments stand out: the 2025 technical exhibits featured the largest showcase of radiology AI to date, and a 2026 study demonstrated that deepfake X-rays can fool both radiologists and AI algorithms. These findings raise serious questions about how your medical images are being used and protected.
What happened
At RSNA 2025, dozens of vendors displayed AI tools designed to analyze medical images. The trend is unmistakable: hospitals and imaging centers are adopting AI to improve diagnosis and workflow. That means your scans may be used to train or test these systems, often after being “de‑identified” (stripped of your name, date of birth, and other direct identifiers).
Then came the 2026 research. Researchers created synthetic X‑rays using generative AI—so realistic that radiologists could not reliably tell them from real ones. Worse, the same deepfakes fooled several AI diagnostic models. This isn’t just a lab curiosity. It shows that malicious actors could fake medical images for insurance fraud, identity theft, or to alter a patient’s record. And if the AI models themselves can’t tell real from fake, the entire diagnostic process becomes vulnerable.
Why it matters
Medical images are more than just pictures. They contain unique patterns, such as bone structure, blood vessel layout, and subtle marks, that can potentially identify a person even after direct identifiers are removed. Researchers have shown that de‑identified medical data can sometimes be re‑identified by cross‑referencing it with public databases. So the common promise of “we remove your name, so it’s safe” is not foolproof.
HIPAA offers some protection. It restricts how healthcare providers use your health information, including images. But HIPAA does not cover every use case: if your images are shared with a company developing AI (e.g., a cloud vendor or a startup), those entities may not be directly bound by HIPAA unless they sign a business associate agreement. Even then, enforcement is limited, and many patients never give explicit consent for their scans to be used in AI training.
Add deepfake risks to the mix, and the picture gets even more complex. A fake X‑ray inserted into a medical record could alter a diagnosis, delay treatment, or be used to file fraudulent insurance claims under your name.
What you can do
You don’t have to accept this situation passively. Here are concrete steps to reduce the risk:
Ask your provider about data use. Before an imaging procedure, ask the radiology department or your doctor: “Will my images be used to train AI? If so, whose AI—the hospital’s own system, or a third‑party vendor?” Many hospitals have written policies, but they aren’t always volunteered.
Request an opt‑out. Some facilities allow you to refuse the use of your images for research or commercial AI development. This might be part of a general consent form, so read carefully. If you don’t want your data shared for training, say so explicitly. Your right to opt out is not guaranteed everywhere, but asking can’t hurt.
Choose a provider with strong privacy practices. When you have a choice (for elective scans or second opinions), look for hospitals that publish clear privacy policies regarding AI and data sharing. Some have committed to not sharing data without explicit consent. This information is sometimes available on their website or by calling the privacy officer.
Pay attention to consent forms. Don’t just sign quickly. If a form includes language about “using your data for research and quality improvement,” that often includes AI training. Ask for clarification or cross out sections you’re not comfortable with. In most jurisdictions, you can refuse to sign those parts while still receiving the clinical service.
Stay informed. The regulatory landscape is evolving. Proposed laws in some states would require tighter consent for AI training in healthcare. Following organizations like the Electronic Frontier Foundation or the Patient Privacy Rights network can help you stay up to date.
The big picture
Medical imaging AI holds real promise. It can catch cancers earlier and reduce radiologist workload. But that promise should not come at the cost of patient privacy. The RSNA deepfake study is a sobering reminder that once your scan enters an AI training set—or an insecure database—you lose control over it. And while hospitals and vendors have a responsibility to build secure systems, patients have rights and options that many don’t use.
Before your next scan, ask a few questions. The answers may give you more control than you think.
Sources
- RSNA 2026: Deepfake X‑Rays Fool Radiologists and AI. Radiological Society of North America, March 2026.
- RSNA 2025 Technical Exhibits Feature Largest Radiology AI Showcase. RSNA, September 2025.
- RSNA: “Medical Imaging AI Opens a Pandora’s Box of Privacy‑Related Risks.” RSNA, May 2026.
This article is for informational purposes only and does not constitute legal or medical advice.