Your Medical Scans and AI: New Privacy Risks You Need to Know
Medical imaging has become an essential diagnostic tool, and artificial intelligence is now helping radiologists detect diseases faster and more accurately. But the same technology that powers these advances also creates new vulnerabilities for your personal health data. Recent findings from the Radiological Society of North America (RSNA) illustrate how medical imaging AI opens a Pandora’s box of privacy-related risks that patients and providers alike need to take seriously.
What Happened
At RSNA’s 2025 annual meeting, researchers presented studies showing that AI models used in medical imaging can inadvertently expose sensitive patient information. One team demonstrated that deepfake X-rays—synthetic images generated by adversarial AI—can fool both experienced radiologists and automated detection systems. Another study highlighted model inversion attacks, in which an attacker uses a trained AI model to reconstruct patient images that were part of its training data, effectively undoing the de-identification process.
These aren’t just theoretical risks. The researchers found that many public medical imaging datasets lack robust de-identification, making it possible to re-identify individuals by cross-referencing metadata or combining images with other data sources. In some cases, AI models themselves became a weak link, leaking clues about whether a specific patient’s scan was included in the training set (a so-called membership inference attack).
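As an added illustration (not code from RSNA or the studies described above), the sketch below audits the metadata left on a "de-identified" imaging dataset by measuring k-anonymity, that is, how many records share each combination of attributes that could be cross-referenced. The field names, sample rows and generalization rules are constructed assumptions.

```python
from collections import Counter

# Constructed sample rows: metadata left on a "de-identified" imaging dataset.
# Field names are assumptions for illustration, not taken from a real dataset.
RECORDS = [
    {"scan_id": "s1", "age": 34, "sex": "F", "zip": "60614", "study_date": "2024-03-02"},
    {"scan_id": "s2", "age": 37, "sex": "F", "zip": "60657", "study_date": "2024-07-19"},
    {"scan_id": "s3", "age": 31, "sex": "F", "zip": "60601", "study_date": "2024-11-05"},
    {"scan_id": "s4", "age": 62, "sex": "M", "zip": "60614", "study_date": "2024-01-15"},
    {"scan_id": "s5", "age": 68, "sex": "M", "zip": "60640", "study_date": "2024-09-30"},
    {"scan_id": "s6", "age": 85, "sex": "M", "zip": "60622", "study_date": "2024-05-11"},
]

# Attributes that are not names or IDs but can be matched against other data.
QUASI_IDENTIFIERS = ("age", "sex", "zip", "study_date")


def generalize(record):
    """Coarsen quasi-identifiers: 10-year age band, 3-digit ZIP, year only."""
    low = record["age"] // 10 * 10
    return {
        **record,
        "age": f"{low}-{low + 9}",
        "zip": record["zip"][:3],
        "study_date": record["study_date"][:4],
    }


def k_anonymity_report(records, k=2):
    """Return (smallest group size, scan_ids whose group has fewer than k rows)."""
    def key(r):
        return tuple(r[q] for q in QUASI_IDENTIFIERS)

    groups = Counter(key(r) for r in records)
    at_risk = sorted(r["scan_id"] for r in records if groups[key(r)] < k)
    return min(groups.values()), at_risk


if __name__ == "__main__":
    print("raw:        ", k_anonymity_report(RECORDS))
    print("generalized:", k_anonymity_report([generalize(r) for r in RECORDS]))
```

In the raw sample every record is unique on its metadata; after coarsening, one outlier still stands alone and would need suppression or further generalization before release.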
Why It Matters
The implications extend beyond simple data breaches. If an unauthorized party can reconstruct a realistic X-ray or MRI from an AI model, they could falsify a patient’s medical record, manipulate insurance claims, or even create convincing images for fraud. Deepfake X-rays, in particular, raise the stakes because they can mislead diagnosis and treatment decisions, potentially causing harm to patients.
Moreover, medical imaging data is highly sensitive. It can reveal not just physical conditions but also demographic details, genetic markers, and lifestyle information. Insurance companies, employers, or malicious actors might misuse this data to discriminate or harass. And while HIPAA provides protections for traditional medical records, it does not fully cover AI-generated synthetic data or the models themselves. Patients may not even know their scans are being used to train commercial AI systems, as consent and disclosure practices vary widely.
What Readers Can Do
As a patient, you are not powerless. Here are concrete steps to protect your medical imaging data:
- Ask your provider about AI use. Request to know whether your scans will be used to train or validate AI models. Some hospitals offer opt-out options for research databases. If they don’t, ask if you can limit data sharing to only what is required for your care.
- Understand your HIPAA rights. You have the right to request an accounting of disclosures of your protected health information. This can help you track who has accessed your imaging data. You can also request restrictions on certain uses, though providers are not always required to comply.
- Opt out of research databases whenever possible. Many imaging datasets are collected through broad consent forms that allow future research use. Read the fine print. If you are uncomfortable, ask to opt out or withdraw your data from ongoing studies.
- Ask about de-identification methods. Not all de-identification is equal. Ask your radiology department whether they strip metadata, use differential privacy techniques, or apply other safeguards before sharing images with third parties.
- Monitor your medical records. Periodically check your patient portal for unexpected imaging records or suspicious activity. Report any discrepancies to your provider.
- Stay informed about institutional policies. Some hospitals publish data governance policies online. Look for statements about AI training data practices and privacy protections. If the information isn’t clear, call the privacy officer.
Sources
- RSNA 2025 technical exhibits and presentations on deepfake X-rays and model inversion attacks.
- RSNA research on de-identification gaps in public medical imaging datasets.
- Radiological Society of North America conference materials and press releases from 2025-2026.
- HIPAA Privacy Rule, U.S. Department of Health and Human Services.