Your Medical Scans Are Feeding AI — Here’s What That Means for Your Privacy

Artificial intelligence is now reading X-rays, CT scans, and MRIs alongside radiologists. The technology can spot tumors, fractures, and abnormalities faster than a human eye, and hospitals are adopting it quickly. But there is a less visible side to this trend: your medical images contain far more personal data than you might realize, and the AI systems analyzing them create new privacy risks.

A recent article from the Radiological Society of North America (RSNA) warns that the widespread use of AI in medical imaging “opens a Pandora’s box of privacy-related risks.” For patients who undergo any kind of scan, this is worth understanding — not to avoid necessary care, but to make informed choices about how your health data is handled.

What Happened

The RSNA piece highlights several ways that AI systems can expose patient information. First, medical images often carry metadata — embedded details like the patient’s name, date of birth, hospital, and scanner settings. When images are sent to third-party AI vendors for analysis, that metadata may travel with them. If the vendor’s security is weak, or if the data is stored in an unencrypted format, a breach can expose identifiable health information.

Even more concerning: AI itself can reconstruct identities from images alone. Researchers have demonstrated that facial features extracted from a head CT scan can be used to re-identify a patient, even after the metadata has been stripped. The same is true for 3D reconstructions from MRI or mammography. As AI tools get better at pattern recognition, so does the potential for re-identification.
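The two points above can be seen in a few lines of code. This is an added example, not taken from the RSNA article: it assumes the images are stored in DICOM, the format imaging systems commonly use (the article does not name one), and it works on a small constructed data set with hypothetical helper names. Blanking the identifying header fields removes the name, birth date and hospital, but the pixel data, which is where facial features live, is untouched.

```python
import struct
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # 4-byte length field
# Only the identifying fields the article names; real profiles cover far more.
IDENTIFYING = {(0x0008, 0x0080): "InstitutionName",
               (0x0010, 0x0010): "PatientName",
               (0x0010, 0x0030): "PatientBirthDate"}
PIXEL_DATA = (0x7FE0, 0x0010)

def encode(tag, vr, value):
    if len(value) % 2:  # values are padded to an even length
        value += b"\x00" if vr in LONG_VRS else b" "
    head = struct.pack("<HH", *tag) + vr
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value

def parse(buf):  # flat run of explicit-VR elements, no nested sequences
    pos, out = 0, []
    while pos < len(buf):
        tag, vr = struct.unpack_from("<HH", buf, pos), buf[pos + 4:pos + 6]
        fmt, off = ("<I", 8) if vr in LONG_VRS else ("<H", 6)
        length = struct.unpack_from(fmt, buf, pos + off)[0]
        start = pos + off + struct.calcsize(fmt)
        if start + length > len(buf):
            raise ValueError("truncated or undefined-length element")
        out.append((tag, vr, buf[start:start + length]))
        pos = start + length
    return out

def identifying_fields(buf):
    return {IDENTIFYING[t]: v.decode().strip() for t, _, v in parse(buf)
            if t in IDENTIFYING and v}

def strip_header(buf):
    # Blank the identifying elements; every other element is kept byte for byte.
    return b"".join(encode(t, vr, b"" if t in IDENTIFYING else v)
                    for t, vr, v in parse(buf))

def pixel_data(buf):
    return next(v for t, _, v in parse(buf) if t == PIXEL_DATA)

# Constructed sample data set, not taken from any real scan.
SAMPLE = b"".join([
    encode((0x0008, 0x0080), b"LO", b"Example General Hospital"),
    encode((0x0010, 0x0010), b"PN", b"Doe^Jane"),
    encode((0x0010, 0x0030), b"DA", b"19800101"),
    encode((0x0018, 0x0060), b"DS", b"120"),      # scanner setting (KVP)
    encode(PIXEL_DATA, b"OW", bytes(range(16))),  # stand-in for image pixels
])
```

Comparing identifying_fields(SAMPLE) with identifying_fields(strip_header(SAMPLE)) shows the header fields disappearing, while pixel_data returns the same bytes before and after.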

The RSNA article also notes that many radiology AI systems are trained on large datasets that may include patient data without explicit consent for that particular use. Data sharing agreements between hospitals and AI companies are often opaque, leaving patients unaware of how their scans are being used.

Why It Matters

Medical data is among the most sensitive personal information a person has. If your scan results — or even just the fact that you had a certain type of imaging — are exposed, the consequences can be serious. Employers, insurers, or others could use that data to discriminate. In some cases, leaked health information has been used for targeted scams or identity theft.

HIPAA (the Health Insurance Portability and Accountability Act) provides baseline privacy protections for medical records in the United States. However, HIPAA’s rules were written before AI became common in clinical settings. When a hospital shares de-identified images with an AI vendor, that data may not be considered protected under HIPAA — and de-identification is not always effective against modern re-identification techniques. The regulatory framework is still catching up.

Beyond legal protections, there is a trust issue. Many patients assume their scans stay within their doctor’s office or hospital. The reality is that images frequently move across systems, sometimes to cloud servers run by companies with different privacy policies.

What You Can Do

You do not need to refuse imaging to protect your privacy. Here are concrete steps you can take:

  • Ask ahead of time. Before a scan, ask your provider: “Will my images be shared with any third-party AI systems? With whom? For how long?” Some hospitals publish lists of the AI tools they use. If the answer is unclear, ask for a written explanation.
  • Review consent forms carefully. Many hospitals include broad language about using your de-identified data for research or quality improvement. If you are uncomfortable, ask to opt out of any secondary use that goes beyond your immediate care.
  • Request information about data deletion. After your scan is complete and the report is filed, ask whether the raw image data can be deleted from external systems. Policies vary; some facilities allow it, others do not.
  • Check if your state has additional laws. A few US states have passed health data privacy laws that go beyond HIPAA, such as the Washington My Health My Data Act. These laws may give you more rights to access, correct, or delete your imaging data.
  • Consider a privacy request. You have the right under HIPAA to request an accounting of disclosures of your health information. It can be a bureaucratic process, but it can reveal where your scans have been sent.

Sources

  • Radiological Society of North America (RSNA). “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks.” May 2026. Available via the RSNA.org news section.

Note: As of this writing, the RSNA article is recent, and the specific vulnerabilities it describes are still being studied. Regulations may evolve as more evidence emerges.