Your Medical Scans Are Feeding AI — Here’s What That Means for Your Privacy
When you get an X-ray, MRI, or CT scan, you assume it’s only for your doctor’s diagnosis. But increasingly, those images are also being used to train artificial intelligence systems—and that can expose your private health data in ways you might not expect.
A report from the Radiological Society of North America (RSNA), released in May 2026, warns that medical imaging AI carries significant privacy risks. The report points out that as AI tools become common in radiology, patient images and metadata can be shared across platforms, reused for algorithm training, and even used to re-identify individuals after anonymization. For everyday patients, this means the digital footprint of a simple scan could persist far beyond the original clinical purpose.
What happened
The RSNA report evaluates how AI in medical imaging—used to detect tumors, fractures, or other abnormalities—relies on large datasets of real patient images. Those datasets often include not just the scan itself but also metadata like age, sex, and sometimes location or device identifiers. Even when images are stripped of obvious personal details, researchers have shown that facial features reconstructed from head CTs or MRIs can be matched to public photos, effectively re-identifying patients.
Separate research presented at RSNA meetings has also demonstrated that deepfake X-rays—entirely fabricated images—can fool both radiologists and AI systems. That raises the risk that manipulated scans could be introduced into training data, corrupting the algorithm and potentially leading to misdiagnoses. But the privacy angle is equally troubling: if fake images can pass as real, then real images could also be extracted or leaked through adversarial attacks.
Why it matters for patients
Most patients sign a consent form before imaging, but those forms are often broad. They may allow the hospital or research partner to use your images “for quality improvement” or “for research.” Rarely do they explicitly mention AI training or third-party data sharing. As a result, you might never know your hip X-ray is helping train a commercial AI model—or that de-identified data could be re-linked to you.
Data breaches in healthcare are already common. In 2025, large breaches affected over 50 million patient records. Medical images are stored in Picture Archiving and Communication Systems (PACS), and if those systems are not properly secured, images with embedded metadata can be accessed by unauthorized parties. AI models themselves can also leak information: a model trained on patient data might inadvertently memorize rare features that allow identification of specific individuals.
For patients, the consequences go beyond embarrassment. Re-identified health data could affect insurance rates, employment, or personal reputation. And because medical images are often retained for years or decades, the risk persists long after the scan.
What you can do as a patient
You are not powerless. Here are practical steps to protect your privacy when undergoing medical imaging:
Ask before the scan. Ask your provider specifically: “Will my images be used for AI training or shared with any third party?” If they say yes, ask if you can opt out. Some institutions have a separate consent process for research use.
Read the consent form carefully. Look for phrases like “de-identified data,” “secondary use,” or “research repository.” If it’s vague, ask for clarification.
Limit metadata exposure. When possible, ask that only essential clinical metadata (age, sex, reason for scan) be attached, and that camera-specific device IDs or location data be removed.
Request an image deletion policy. After your care is complete, ask how long your images are stored and whether you can request their deletion. Not all hospitals offer this, but it’s worth asking.
Stay informed about your hospital’s AI practices. Some institutions publish transparency reports about how they use patient data for AI development. Check your provider’s website or patient portal.
What’s next: regulation and transparency
Regulators are beginning to catch up. The U.S. Department of Health and Human Services has issued guidance that de-identified data used for AI training may still fall under HIPAA if re-identification is possible. The European Union’s AI Act will require transparency for high-risk medical AI systems, including disclosures about training data source. But enforcement is still uneven, and many hospitals lack clear policies.
The RSNA report calls for standardized consent forms, better data de-identification methods, and regular security audits for AI systems. These are good steps, but they will take time to implement.
Your medical images, your privacy
AI in medical imaging holds real promise for earlier and more accurate diagnoses. But that progress should not come at the cost of your privacy. By asking a few questions now, you can stay in control of your health data while still benefiting from the technology.
Sources: RSNA report on medical imaging AI privacy risks (May 2026); RSNA presentation on deepfake X-rays (March 2026); HHS guidance on HIPAA and AI; U.S. healthcare breach reports (2025).