Your Medical Scans Are Now AI Training Data: What That Means for Your Privacy
If you’ve ever had an X-ray, MRI, or CT scan, those images are stored in a digital record. What you may not know is that more hospitals and radiology clinics are now feeding those scans into artificial intelligence tools—both to help radiologists detect disease and to train the algorithms themselves.
A report presented at the Radiological Society of North America (RSNA) in May 2026 warns that this shift brings a set of privacy risks that few patients are aware of. The report, titled “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks,” highlights how patient scans and their associated metadata can be exposed, re-identified, or used in ways patients never consented to.
What happened
The RSNA report, authored by a group of radiologists and data privacy researchers, describes how AI models in medical imaging require large amounts of patient data to learn and improve. That data includes not just the images themselves, but also patient age, sex, clinical notes, and sometimes identifiers like medical record numbers or dates of service.
The concern is not theoretical. The report points to several known incidents where imaging datasets used for AI development were later found to contain identifiable information, despite claims of anonymization. In one case cited, researchers were able to re-identify patients from a supposedly de-identified chest X-ray dataset using metadata and publicly available health records.
The RSNA authors argue that current data-sharing practices in many AI research projects fall short of existing privacy regulations like HIPAA in the United States or GDPR in Europe. They also note that patients are rarely informed that their scans may be used for AI training, and when they are, the consent process is often buried in fine print.
Why it matters
Medical images are some of the most sensitive pieces of personal data a person can generate. They reveal body structure, potential diseases, and even genetic markers. Unlike a stolen credit card number, a medical image cannot be replaced or reissued. Once leaked, the damage is permanent.
The risks fall into a few categories:
Data breaches: Hospitals are frequent targets of cyberattacks. When AI training datasets are stored or transmitted outside the main clinical system, they can become an additional attack surface. A breach can expose thousands of raw images and patient records at once.
Re-identification: Anonymization techniques often strip obvious identifiers like names and social security numbers, but facial features, tattoos, or unique anatomical markers in a scan can still link an image back to a specific person. Researchers have shown that combining scan metadata with public voter registries or social media profiles can re-identify patients with high accuracy.
Secondary use without consent: Once a dataset leaves the hospital—for example, to a cloud-based AI vendor—it may be used for purposes the patient never agreed to, such as commercial algorithm development or research on unrelated conditions. Many consent forms are vague or use opt-out models that patients don’t know exist.
These are not hypothetical. The RSNA report itself documents cases where AI companies have faced class-action lawsuits over the unauthorized use of medical images. The legal landscape is still evolving, and there is no guarantee patients will be notified if their data is part of a breach or misuse.
What readers can do
You don’t have to avoid medical imaging to protect your privacy. Here are practical steps you can take:
Ask your provider about AI use before the scan.
When your doctor orders an X-ray or MRI, ask whether the imaging facility uses AI tools for analysis or training. Many do, but the answer is not always volunteered. A simple question like “Will my images be used to train AI models?” can give you a starting point.
Read the consent form carefully.
Before signing a form that covers data use, look for phrases like “de-identified data,” “research purposes,” or “third-party sharing.” Some forms ask you to opt out of data sharing; if the form doesn’t mention any opt-out, ask how to avoid having your scans used outside of your direct care. If the form says you have no choice, consider whether you can switch to a different facility that offers more transparency.
Ask about anonymization.
If the facility says your images will be anonymized before any AI use, ask what specifically is removed. Names and dates of birth are standard, but what about facial features? What about device serial numbers embedded in the DICOM metadata? A responsible provider should be able to describe their de-identification process in plain language.
Monitor your health records.
Under HIPAA, you have the right to request an accounting of disclosures for your medical records. That includes whether your images were shared with an outside entity for AI training. You can ask your hospital’s privacy officer for this accounting, though it may require persistence.
Consider opting out where possible.
Some institutions offer a formal opt-out for research uses of patient data. It can be a checkbox on a patient portal or a form to fill out at registration. Even if your institution does not offer one, you can send a written request. State law may influence whether they must honor it.
Stay informed about vendor practices.
If you’re concerned about a specific imaging chain or hospital system, search for their data privacy policies online. Look for mentions of AI, machine learning, or data sharing with third parties. Consumer advocacy groups sometimes publish ratings on hospital privacy practices.
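For readers who handle imaging data, the re-identification and anonymization points above can be checked mechanically. The Python sketch below is an added example, not code from the RSNA report or from any provider. The sample headers are constructed, and the identifier lists are an illustrative subset of DICOM attributes rather than a complete de-identification profile.

```python
from collections import Counter

# DICOM attribute keywords that point at one patient or one device directly.
DIRECT_IDENTIFIERS = ("PatientName", "PatientID", "PatientBirthDate",
                      "AccessionNumber", "DeviceSerialNumber")
# Attributes that are harmless alone but linkable to public records in combination.
QUASI_IDENTIFIERS = ("PatientAge", "PatientSex", "StudyDate")


def residual_identifiers(header):
    """Return the direct-identifier keywords that still carry a value."""
    return [k for k in DIRECT_IDENTIFIERS if str(header.get(k, "")).strip()]


def smallest_group(headers, keys=QUASI_IDENTIFIERS):
    """The k of k-anonymity: size of the rarest quasi-identifier combination."""
    groups = Counter(tuple(h.get(k, "") for k in keys) for h in headers)
    return min(groups.values()) if groups else 0


def generalize(header):
    """Coarsen quasi-identifiers: 10-year age band, year-only study date."""
    out = dict(header)
    age = int(out["PatientAge"].rstrip("Y"))      # DICOM age string, e.g. "034Y"
    out["PatientAge"] = f"{age // 10 * 10}-{age // 10 * 10 + 9}"
    out["StudyDate"] = out["StudyDate"][:4]       # YYYYMMDD -> YYYY
    return out


def audit(headers):
    """Report leftover direct identifiers and k before/after generalization."""
    leaks = {i: r for i, h in enumerate(headers) if (r := residual_identifiers(h))}
    return {"leaks": leaks,
            "k_raw": smallest_group(headers),
            "k_generalized": smallest_group([generalize(h) for h in headers])}


# Constructed sample: names and IDs already blanked, one serial number left behind.
SAMPLE = [
    {"PatientName": "", "PatientID": "", "PatientAge": "034Y", "PatientSex": "F",
     "StudyDate": "20240311", "DeviceSerialNumber": "SN-EXAMPLE-01"},
    {"PatientName": "", "PatientID": "", "PatientAge": "037Y", "PatientSex": "F",
     "StudyDate": "20240902"},
    {"PatientName": "", "PatientID": "", "PatientAge": "061Y", "PatientSex": "M",
     "StudyDate": "20240115"},
    {"PatientName": "", "PatientID": "", "PatientAge": "068Y", "PatientSex": "M",
     "StudyDate": "20241120"},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A k of 1 means at least one record is unique on age, sex, and study date alone, which is the condition that makes linkage to outside records possible even after names are removed.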
Sources
- Radiological Society of North America. “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks.” RSNA, May 20, 2026. (Referenced in Google News RSS feed, May 22, 2026.)
This article is for informational purposes only and does not constitute legal or medical advice. Privacy regulations vary by jurisdiction, and the practices described may change over time.