Your Medical Scans Are More Vulnerable Than You Think: What AI Means for Privacy

Medical imaging has entered a new era. AI tools now help radiologists detect tumors, measure organ volumes, and flag abnormalities in seconds. But this progress comes with a less discussed trade-off: your medical images are being used in ways you almost certainly never agreed to, and privacy protections have not kept pace.

A recent report from the Radiological Society of North America (RSNA) drew attention to exactly this problem. The article, titled “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks,” outlines how the same AI systems that improve diagnosis also create new vulnerabilities for patient data. While the full text of the report is behind a paywall, the concerns it raises are worth examining closely.

What Happened

The RSNA report highlights a growing tension in radiology. Hospitals and imaging centers routinely share de-identified scans with AI developers to train algorithms. De-identification means stripping out obvious identifiers like name, date of birth, and social security number. But researchers have shown that this is no longer enough.

AI can re-identify patients by matching facial features in a CT scan’s 3D reconstruction with public photos, or by combining scan metadata with other data sources. The RSNA report warns that current consent practices often fail to inform patients that their images may be used for AI training, and that existing regulations like HIPAA do not clearly address this new use case.

Separately, a special report published by RSNA in May 2025 examined cybersecurity threats from large language models in radiology, pointing to risks that extend beyond data re-identification to include model inversion attacks and adversarial manipulation of images. Together, these reports paint a picture of an industry that is adopting AI faster than it is securing patient privacy.

Why It Matters

The risks fall into several categories, all of which affect real patients.

Re-identification destroys anonymity. When you undergo a CT or MRI, you may assume that removing your name makes the data anonymous. That assumption is no longer safe. AI can reconstruct faces from head scans, cross-reference imaging dates with public records, or use unique anatomical features as a fingerprint. Once re-identified, your full medical history becomes attachable to your identity.

Lack of explicit consent is widespread. Most consent forms for imaging procedures do not mention AI training. Your scans might be uploaded to a cloud platform used by a dozen AI vendors, or stored indefinitely in a research database you never knew existed. Few patients are given a meaningful choice to opt out.

Regulatory gaps are real. HIPAA regulates how covered entities use and share protected health information, but it does not directly address AI training datasets. If a hospital de-identifies images according to HIPAA’s Safe Harbor method (removing 18 specified identifiers) and then shares them with an AI company, that company is not bound by HIPAA in the same way. The result is a patchwork of protections that leaves patients exposed.
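To make the de-identification gap concrete, here is an added example (not from the RSNA report or any vendor's tool) that audits a DICOM-style header the way a data-sharing review might before scans leave a hospital. It assumes a constructed header dict keyed by standard DICOM (group, element) tags and flags what a name-and-ID-only scrub leaves behind: dates, ages over 89, device and institution fields, vendor-private tags, burned-in text, and head volumes whose pixel data still carries a reconstructable face.

```python
# Added example (not from the RSNA report): audit a DICOM-style header for
# residual identifiers before a scan is shared for AI training. The header is
# a constructed dict keyed by DICOM (group, element) tag tuples.

# Standard DICOM data-dictionary tags; the names are only for readability.
PATIENT_NAME, PATIENT_ID = (0x0010, 0x0010), (0x0010, 0x0020)
BIRTH_DATE, PATIENT_AGE = (0x0010, 0x0030), (0x0010, 0x1010)
STUDY_DATE, ACCESSION = (0x0008, 0x0020), (0x0008, 0x0050)
INSTITUTION, REF_PHYS = (0x0008, 0x0080), (0x0008, 0x0090)
MODALITY, BODY_PART = (0x0008, 0x0060), (0x0018, 0x0015)
DEVICE_SERIAL, BURNED_IN = (0x0018, 0x1000), (0x0028, 0x0301)

DIRECT_IDS = {PATIENT_NAME, PATIENT_ID, ACCESSION, REF_PHYS, INSTITUTION, DEVICE_SERIAL}
DATE_TAGS = {BIRTH_DATE, STUDY_DATE}


def fmt(tag):
    return f"({tag[0]:04X},{tag[1]:04X})"


def audit_header(hdr):
    """Return the reasons `hdr` is not safe to share; [] means it passed."""
    findings = []
    for tag in sorted(DIRECT_IDS):
        if hdr.get(tag):  # blank values are what a de-identifier leaves behind
            findings.append(f"direct identifier still populated at {fmt(tag)}")
    for tag in sorted(DATE_TAGS):
        if len(hdr.get(tag, "")) > 4:  # Safe Harbor keeps only the year
            findings.append(f"full date at {fmt(tag)}; reduce to year")
    age = hdr.get(PATIENT_AGE, "")  # DICOM age string, e.g. "092Y"
    if age.endswith("Y") and int(age[:-1]) > 89:  # Safe Harbor: ages over 89 become 90+
        findings.append("age over 89 must be reported as 90+")
    if any(group % 2 == 1 for group, _ in hdr):  # odd groups are vendor-private
        findings.append("vendor-private tags present; remove unless content is known")
    if hdr.get(BURNED_IN, "NO") == "YES":
        findings.append("burned-in annotation: pixel data itself carries text")
    if hdr.get(MODALITY) in ("CT", "MR") and hdr.get(BODY_PART) in ("HEAD", "BRAIN"):
        findings.append("head volume: face is reconstructable; defacing required")
    return findings


# Constructed header: name and ID were blanked, but much else was left behind.
SAMPLE_HEADER = {
    PATIENT_NAME: "", PATIENT_ID: "", PATIENT_AGE: "092Y",
    STUDY_DATE: "20240315", INSTITUTION: "Example Hospital",
    DEVICE_SERIAL: "SN-0001", MODALITY: "CT", BODY_PART: "HEAD",
    BURNED_IN: "NO", (0x0009, 0x0010): "vendor private block",
}

if __name__ == "__main__":
    for line in audit_header(SAMPLE_HEADER):
        print(line)
```

Running it on the constructed header produces six findings even though the "obvious" identifiers were removed, which is the point the report makes: a scrub that satisfies the letter of Safe Harbor can still leave a scan re-identifiable.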

Breaches can be more damaging. Medical images contain far more information than a stolen credit card number. A leaked MRI can reveal your facial structure, brain anatomy, and even predispositions to certain conditions. Once leaked, you cannot change your brain scan the way you change a password.

What Readers Can Do

You do not have to accept these risks passively. Here are concrete steps you can take, even if you are not a privacy lawyer.

Ask before you scan. When your doctor orders an imaging study, ask the facility: Will my images be used to train AI? Can I opt out? Not all staff will know the answer, but asking signals that patients care. Some hospitals have begun adding opt-out checkboxes to consent forms—look for them.

Review your medical records. Under HIPAA, you have a right to access your imaging records and request an accounting of disclosures. If you suspect your data has been shared with a third-party AI developer, you can ask for details. The process is not seamless, but it puts you on record.

Check for opt-out registries. Some research networks allow patients to withdraw their data from future studies. The Health Information Technology for Economic and Clinical Health (HITECH) Act gave patients additional rights to restrict certain disclosures. It is worth a call to your provider’s privacy officer.

Support stronger regulation. Write to your representatives or support organizations advocating for updates to HIPAA that explicitly cover AI training data. The RSNA itself has called for clearer policies—a sign that even radiology professionals see the gap.

Treat imaging data like your Social Security number. Do not share scan results casually, and question any request to upload them to online portals that do not clearly state how they handle privacy.

Sources

  • Radiological Society of North America. “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks.” May 2026. (Referenced via news aggregator; full article behind RSNA subscription.)
  • RSNA Special Report: “LLM Cybersecurity Threats in Radiology.” May 2025.
  • U.S. Department of Health and Human Services. “HIPAA Privacy Rule and Research.” hhs.gov.

The technology that reads your scans is getting smarter every month. The question is whether the rules that protect your privacy will catch up before another breach makes headlines. For now, the responsibility falls largely on you—and on the doctors and facilities you trust with your images.