Your Medical Scans and AI: What You Need to Know About Privacy Risks
If you’ve ever had an X-ray, MRI, or CT scan, there’s a decent chance that image—and the health data attached to it—may be used to train artificial intelligence systems. AI is becoming a routine tool in radiology, helping doctors spot tumors, fractures, and other abnormalities faster. But this shift comes with a set of privacy risks that many patients don’t realize exist.
A recent presentation at the Radiological Society of North America (RSNA) 2026 meeting highlighted some of these vulnerabilities in plain terms: AI models trained on medical images can inadvertently leak sensitive information, and even de‑identified scans can sometimes be re‑identified using AI techniques. For patients, the implications are worth paying attention to.
The RSNA Report’s Key Findings
At the RSNA 2026 conference, researchers and privacy experts outlined several ways medical imaging AI can expose patient data. The presentation, reported by the RSNA itself, noted that AI systems can reconstruct identifiable features—such as facial contours or tattoos—from scan data that was supposed to have been anonymized. In some cases, metadata embedded in imaging files (like date, time, equipment ID, or patient initials) can be used to re‑identify individuals. And because many imaging AI tools are hosted on cloud servers or developed by third‑party vendors, the data may travel across jurisdictions with different privacy laws.
None of these risks are entirely new. Researchers have demonstrated re‑identification attacks on medical images for years. What has changed is the scale: as AI becomes more integrated into clinical workflows, the volume of images being processed—and the number of companies with access to them—is growing rapidly.
Why This Matters for Patients
The core issue is control. When you undergo a medical scan, you likely expect the images to be seen only by your doctor and perhaps a specialist. You probably do not expect them to be fed into a machine‑learning algorithm run by a private company you’ve never heard of.
Yet that is now common practice. Many hospitals and imaging centers partner with AI vendors to improve diagnostic accuracy. These vendors may retain copies of the images to refine their algorithms. While most contracts include data‑use restrictions and require de‑identification, the line between de‑identified and re‑identifiable is thinner than most people think. A 2025 study published in Nature Communications, for instance, showed that facial recognition algorithms could match 3D reconstructions from CT scans to publicly available photos with high accuracy.
Beyond re‑identification, there is also the risk of a straightforward data breach. Medical images are often stored in large digital repositories, and those repositories can be hacked. In 2024, a breach at a major cloud storage provider exposed millions of radiology images that included patient names, dates of birth, and other PHI.
For patients, the consequences could include insurance discrimination, identity theft, or exposure of sensitive health conditions. The uncertainty around how your images are used also makes it harder to give informed consent.
What You Can Do to Protect Your Data
You don’t have to avoid necessary medical imaging, but there are practical steps you can take to reduce your exposure.
Ask about data use policies. Before a scan, ask your provider whether your images will be used to train AI models. Some hospitals have opt‑out policies—you can request that your images not be included in research or AI training datasets. Not all institutions offer this, but it’s worth asking.
Request anonymization details. Ask what de‑identification methods are used. Simple removal of your name may not be enough. Look for terms like “expert determination” under HIPAA or “k‑anonymity” or “differential privacy.” If the staff can’t explain, that’s a red flag.
Limit data sharing. If you are asked to sign a release or consent form that mentions “research” or “algorithm development,” read it carefully. You can often opt out of any secondary use of your data without affecting your care.
Know your HIPAA rights. The Health Insurance Portability and Accountability Act gives you the right to access your medical records and request an accounting of disclosures. That includes disclosures to AI vendors. However, HIPAA’s de‑identification safe harbors allow data to be shared without your consent when it’s stripped of 18 specific identifiers—a standard that experts now consider insufficient against sophisticated re‑identification.
Stay informed about regulations. The Federal Trade Commission and state attorneys general have started scrutinizing health data practices. The proposed Health Data Privacy Act in the U.S. Congress would impose stricter rules on how medical data, including imaging, can be used for AI training. Keep an eye on these developments.
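As an added illustration of the metadata and de-identification points above (example code written for this page, not from the RSNA presentation or any hospital or vendor tool), the Python below audits a header that mimics DICOM attribute names against the Safe Harbor categories the text mentions and produces a scrubbed copy. It assumes the attribute keywords match DICOM's (PatientName, StudyDate, DeviceSerialNumber, and so on) and uses a constructed sample; the checks are a screening aid, not a compliance determination.

```python
import re

# Safe Harbor requires these removed outright: names, IDs, device serials, free text.
REMOVE = {"PatientName", "PatientID", "ReferringPhysicianName", "OperatorsName",
          "DeviceSerialNumber", "StationName", "InstitutionName", "ImageComments"}
# DICOM DA values are YYYYMMDD; Safe Harbor keeps only the year of any date.
DATE_ATTRS = {"PatientBirthDate", "StudyDate", "SeriesDate", "AcquisitionDate"}
SAMPLE_HEADER = {  # constructed sample; not a real patient or scanner
    "PatientName": "DOE^JANE", "PatientID": "MRN-000123",
    "PatientBirthDate": "19310415", "PatientAge": "095Y",
    "StudyDate": "20260512", "Modality": "CT",
    "DeviceSerialNumber": "SN-7781-A", "StationName": "CT-ROOM-2",
    "ImageComments": "f/u for J.D., see prior", "SliceThickness": "1.25",
}

def _age_years(value):
    """Parse a DICOM AS string such as '095Y'; None if not a year-based age."""
    m = re.fullmatch(r"(\d{3})Y", str(value))
    return int(m.group(1)) if m else None

def audit(header):
    """Return (attribute, reason) pairs for every identifier still present."""
    age = _age_years(header.get("PatientAge", "")) or 0
    findings = []
    for attr, value in header.items():
        v = str(value)
        if attr in REMOVE and v.strip():
            findings.append((attr, "direct identifier must be removed"))
        elif attr in DATE_ATTRS and re.fullmatch(r"\d{8}", v):
            findings.append((attr, "full date present; only the year may remain"))
        elif attr == "PatientBirthDate" and re.fullmatch(r"\d{4}", v) and age > 89:
            findings.append((attr, "birth year alone reveals an age over 89"))
        elif attr == "PatientAge" and age > 90:  # 090Y is the aggregated 90+ bucket
            findings.append((attr, "exact age over 89 must be collapsed to 90+"))
    return findings

def scrub(header):
    """Copy with identifiers dropped, dates cut to year, ages over 89 bucketed."""
    over89 = (_age_years(header.get("PatientAge", "")) or 0) > 89
    clean = {}
    for attr, value in header.items():
        if attr in REMOVE or (attr == "PatientBirthDate" and over89):
            continue  # past 89, even the birth year alone is identifying
        if attr in DATE_ATTRS and re.fullmatch(r"\d{8}", str(value)):
            clean[attr] = str(value)[:4]
        elif attr == "PatientAge" and over89:
            clean[attr] = "090Y"
        else:
            clean[attr] = value
    return clean
```

Running audit on the scrubbed copy returns no findings, which is the check a patient-facing "what de-identification do you use" question is really asking for.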
No single step will eliminate all risk, but being an informed and proactive patient is the best defense we have right now.
Sources
- Radiological Society of North America. “Medical Imaging AI Opens a Pandora’s Box of Privacy‑Related Risks.” RSNA, May 20, 2026.
- Nature Communications (2025). “Facial Recognition from CT Scans: A Re‑identification Risk.”
- U.S. Department of Health and Human Services. HIPAA Privacy Rule, 45 CFR § 164.514 (De‑identification Standards).
- Federal Trade Commission. “Health Breach Notification Rule and AI Data Use.” 2024.