Your Medical Scans Could Be a Privacy Risk: What You Need to Know About AI in Imaging
If you’ve had an X-ray, MRI, or CT scan recently, there’s a good chance an artificial intelligence system helped analyze the images before your radiologist signed off. That’s not necessarily a bad thing—AI can speed up detection of tumors and other abnormalities. But it also raises a less comfortable question: Who else has access to the pictures of your insides?
Recent discussions at the Radiological Society of North America (RSNA) 2026 meeting highlighted that as AI becomes more common in radiology, the privacy risks for patients are growing. Some of these risks are familiar (data breaches), others are more unsettling (deepfake X-rays that can deceive both humans and machines).
Here’s what you should know about how your medical images are being used, and what you can do to protect your privacy.
What Happened
At RSNA 2026, researchers presented findings that medical imaging AI “opens a Pandora’s box of privacy-related risks.” One major concern is that patient images are often shared with third-party vendors to train or run AI models. Even when data is de-identified (names, dates removed), researchers have shown that re-identification is sometimes possible, especially with facial reconstruction from CT and MRI scans.
Another alarm raised at RSNA involved deepfake X-rays. A separate presentation in March 2026 demonstrated that synthetic X-ray images can fool both radiologists and AI algorithms. While the immediate implication is a risk for diagnostic errors, the same technology could be used to fabricate images that implicate someone in a health insurance claim or legal case.
Why It Matters
Your medical images contain highly personal information—not just about your health, but often your physical appearance (head scans can reconstruct facial features) and even genetic clues. Under U.S. law, HIPAA covers protected health information, but it was written before AI became commonplace. HIPAA’s rules around de-identification may not fully address how AI vendors use and store images. In practice, many hospitals require patients to sign broad consent forms that allow data sharing for “research and quality improvement,” which often includes sharing with commercial AI companies.
Once an image leaves your provider’s system, you lose control over where it ends up. Data breaches in healthcare continue to rise, and medical records—including images—are valuable on the black market. Unlike a credit card number, you can’t easily cancel a compromised image.
What Readers Can Do
You don’t have to avoid necessary imaging, but you can take steps to protect your privacy:
- Ask your provider who has access to your images. Before any scan, ask: “Will my images be shared with an AI vendor? What de-identification methods are used? Do I have a choice to opt out of sharing for AI training?” Many hospitals have specific consent forms for image use. Read them carefully.
- Check your patient portal for image access. If your provider offers direct access to your images (DICOM viewer), you can download copies. Store them on your own encrypted device rather than relying entirely on third-party cloud systems.
- Limit sharing with other providers unless necessary. When your images are sent to another specialist, ask if they can be sent without being added to a shared AI training database. Some health systems allow you to request “do not use for research.”
- Be aware of facial reconstruction risks. If you have a head CT or MRI, some de-identification tools strip facial features, but not all do. Ask if your images are “defaced” before being used for AI training.
- Inquire about data deletion policies. After an AI vendor uses your images for algorithm validation, what happens to the copies? A reputable provider should have a policy for deleting patient data after a defined period.
Sources
This article draws on presentations and discussions from the Radiological Society of North America (RSNA) 2026 meeting, specifically:
- “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks” – RSNA, May 20, 2026.
- “Deepfake X-Rays Fool Radiologists and AI” – RSNA, March 24, 2026.
Additional context on HIPAA and de-identification comes from the U.S. Department of Health and Human Services. For the most current guidance, you can consult the HHS website on health information privacy.
Your health comes first—but your privacy matters too. A few questions before your next scan can go a long way.