Your Medical Scans Are Feeding AI: What You Need to Know About Privacy Risks

If you’ve had an X-ray, CT scan, or MRI in the past few years, there’s a good chance your images were used to train artificial intelligence. Hospitals and imaging centers increasingly license AI software that learns from large sets of patient scans to detect tumors, fractures, or other abnormalities. The potential benefits are real: faster diagnoses, fewer missed findings. But the way these images are collected, shared, and stored raises questions that most patients never consider.

Researchers at the Radiological Society of North America (RSNA) have highlighted a new class of privacy threats that go beyond the usual data breach. Deepfake X-rays can now fool both radiologists and AI systems. If a bad actor can generate a convincing fake scan using someone’s real medical data, they could commit insurance fraud, manipulate medical records, or even blackmail patients. These risks are not hypothetical. Published RSNA research from March 2026 shows that synthetic medical images are already realistic enough to deceive experts.

What’s Happening

Healthcare providers typically sign agreements with AI vendors that allow the software to learn from de-identified patient images. “De-identified” means names, dates, and ID numbers are stripped away. But medical images contain rich metadata—such as scanner model, facility location, and body region—that can sometimes allow re-identification when combined with other data. Furthermore, many consent forms buried in patient paperwork give broad permission to use scans for research or quality improvement, without clearly stating that a commercial AI company may eventually hold copies of the data.

A 2025 RSNA technical exhibit showcased the largest-ever collection of radiology AI tools, signaling how widespread this practice has become. Few patients are told explicitly that their images will leave the hospital network. And once data is shared with a third-party vendor, it can be stored, copied, or even used to train models for unrelated purposes, depending on the contract.

Why It Matters

The privacy risks are not about one more data breach headline—though those still happen. They are about misuse of the images themselves.

  • Deepfakes and manipulation: As noted in the RSNA study, fake X-rays can be woven into a patient’s medical record. This could lead to incorrect treatment, insurance denial, or fabricated legal evidence. If an AI model trained on genuine scans is later fooled by a fake, the trustworthiness of AI-assisted diagnosis is undermined.

  • Re-identification: Even de-identified images carry unique features—a distinctive bone shape, an implant serial number, or a scar pattern. Researchers have shown that it is possible to match a scan to a specific person using facial recognition techniques or metadata. The same images used to train AI could be matched back to you if the data set is ever leaked.

  • Holes in HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) sets rules for protecting health data, but it was written long before AI training on medical images was common. HIPAA does not fully address scenarios where images are used to train a model that is then sold to hundreds of hospitals, or where synthetic versions of your scan are created and shared. Once an AI model has learned from your data, there is no way to “unlearn” it.
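To make the "de-identified is not anonymous" point concrete, here is an added example (not code from the article or from any vendor's product) that audits a DICOM-style header, represented as a plain dict keyed by real DICOM attribute keywords, for the facility, device, date and staff fields a naive name/ID/birth-date strip leaves behind, then scrubs it; the header values are constructed.

```python
# Added example, not code from the article or any vendor: audit a DICOM-style
# header (a dict keyed by real DICOM attribute keywords) for identifiers that
# survive a naive "strip name, date, ID" pass, then produce a scrubbed copy.

# Direct identifiers that basic de-identification must remove.
DIRECT_IDENTIFIERS = {
    "PatientName", "PatientID", "PatientBirthDate", "PatientAddress",
    "OtherPatientIDs", "AccessionNumber",
}

# Quasi-identifiers that usually survive a naive pass but narrow down who the
# patient is once combined with outside data: facility, device, dates, staff.
QUASI_IDENTIFIERS = {
    "InstitutionName", "InstitutionAddress", "StationName",
    "ManufacturerModelName", "DeviceSerialNumber", "StudyDate",
    "ReferringPhysicianName", "OperatorsName",
}

def audit_header(header):
    """Return (direct, quasi): populated identifying tags, sorted by name.
    A StudyDate already reduced to a four-digit year is not counted."""
    direct = sorted(k for k in DIRECT_IDENTIFIERS if header.get(k))
    quasi = sorted(k for k in QUASI_IDENTIFIERS if header.get(k)
                   and not (k == "StudyDate" and len(str(header[k])) <= 4))
    return direct, quasi

def scrub_header(header):
    """Drop direct and quasi-identifiers, keep only the year of StudyDate,
    and keep clinical context (Modality, BodyPartExamined) the model needs."""
    scrubbed = {}
    for key, value in header.items():
        if key in DIRECT_IDENTIFIERS or not value:
            continue
        if key == "StudyDate":
            scrubbed[key] = str(value)[:4]  # YYYYMMDD -> YYYY
        elif key not in QUASI_IDENTIFIERS:
            scrubbed[key] = value
    return scrubbed

# Constructed sample: a "de-identified" export where only name, ID and birth
# date were blanked; everything else came through untouched.
NAIVE_EXPORT = {
    "PatientName": "", "PatientID": "", "PatientBirthDate": "",
    "Modality": "CT", "BodyPartExamined": "CHEST", "StudyDate": "20250314",
    "InstitutionName": "Example Community Hospital",
    "InstitutionAddress": "1 Example Way, Springfield",
    "ManufacturerModelName": "ExampleScan 9000",
    "DeviceSerialNumber": "SN-000123", "ReferringPhysicianName": "DOE^JANE",
}
```

Running `audit_header(NAIVE_EXPORT)` reports no direct identifiers but six populated quasi-identifiers, which is exactly the gap between a consent form's "de-identified" and what an outside party could still link to a facility, a machine and a date.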

What You Can Do

There is no silver bullet, but you can take concrete steps to gain more control over your imaging data.

  1. Ask before the scan – When you schedule an MRI or CT, ask the ordering physician or the radiology department whether your images will be shared with any third-party AI vendor. If they cannot give a clear answer, ask for the consent form ahead of time.

  2. Read the consent form carefully – Many forms ask for permission to use your data for “research and development.” If you are uncomfortable, you can decline to sign that part. You still get the scan. Some institutions have opt-out boxes; others may not. Be explicit: “I consent to the scan but not to sharing my images with external companies.”

  3. Request deletion policies – After a scan, ask how long the images will be stored and if they can be deleted when no longer clinically needed. Not all providers can honor this (legal retention requirements exist), but it is worth asking.

  4. Use patient portals to monitor access – Many electronic health record systems log who viewed your images. Check occasionally for unfamiliar access, especially from third-party groups.

  5. Support stronger regulation – Write to your state and federal representatives about closing the AI privacy loophole in HIPAA. Several patient advocacy groups and the American Civil Liberties Union have called for new rules that require explicit consent before medical images are used to train commercial AI.

Sources

  • RSNA Research: “Deepfake X-Rays Fool Radiologists and AI,” March 2026.
  • RSNA Technical Exhibits: “RSNA 2025 Technical Exhibits Feature Largest Radiology AI Showcase,” September 2025.
  • Radiological Society of North America: “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks,” May 2026.
  • U.S. Department of Health and Human Services: HIPAA Privacy Rule (45 CFR Parts 160, 164).

The integration of AI into medical imaging is not going to slow down. The question is whether patients will be informed participants—or silent sources of training data. Knowing what happens to your scans is the first step toward making a choice.