Your Medical Scans Could Be Faked: How AI Is Creating New Privacy Risks

Medical imaging plays a central role in diagnosis, from broken bones to cancer detection. But a new set of risks is emerging as artificial intelligence becomes sophisticated enough to generate convincing fake X-rays, CT scans, and MRIs — and to automate attacks on the systems that store and transmit those images. Recent reports from the Radiological Society of North America (RSNA) highlight that these threats are no longer theoretical.

If you’ve ever had a scan, your medical images exist in digital archives that may be less protected than you assume. Here’s what’s happening, why it matters, and what you can do.

What happened

In March 2026, RSNA published a study showing that AI-generated “deepfake” X-rays could fool both radiologists and automated diagnostic algorithms. The researchers created synthetic chest X-rays that appeared indistinguishable from real ones, and found that experienced radiologists misidentified them roughly one-third of the time — and AI-based classifiers performed even worse. The ability to insert a fake image into a patient’s record is a direct path to misdiagnosis or unnecessary treatment.

Separately, an RSNA special report from May 2025 examined cybersecurity threats involving large language models (LLMs) in radiology. It warned that LLMs could be used to write malicious scripts targeting picture archiving and communication systems (PACS) — the backend systems hospitals use to store and retrieve images. A successful attack could alter, delete, or exfiltrate thousands of scans.

These findings come alongside ongoing concerns about AI bias in radiology, which RSNA also addressed in May 2025 with tips for clinicians to check for skewed training data.

Why it matters

The privacy and safety implications go beyond a single fake scan. Medical images contain far more than the clinical finding — they often include embedded metadata like patient name, date of birth, medical record number, and sometimes even facial features from 3D reconstructions. If an attacker gains access to a PACS database, they could:

  • Generate fake medical histories by inserting or modifying images, potentially leading to incorrect insurance claims, denial of coverage, or fraudulent disability applications.
  • Steal biometric identifiers — an X-ray of your hand or a CT of your face is a unique physical signature that can’t be reset like a password.
  • Launch targeted scams using information from imaging metadata. For example, a scammer who knows you recently had a lung scan can call you impersonating a clinic and request payment or additional personal data.

And because images are often shared across facilities — sometimes via unencrypted email or outdated file transfer protocols — the attack surface is broad. The RSNA report noted that many radiology departments still rely on legacy systems that lack modern authentication or audit logging.

There is also an important uncertainty to acknowledge: the fake-image techniques demonstrated in the RSNA study are not yet widespread in the wild. But the tools to create them are improving rapidly, and the cybersecurity report makes clear that the vulnerability is real today.

What readers can do

You don’t need to be a radiologist to reduce your risk. Here are a few practical steps:

Ask your provider about their imaging data security. Before agreeing to a scan, you can ask: “How do you protect my images? Are they encrypted during storage and when shared with other providers?” A reputable facility will have a clear policy and should be willing to explain it.

Review your medical records regularly. Most patient portals now let you view imaging reports and, increasingly, the images themselves. If you spot an inconsistency — a scan date that doesn’t match your visit, or findings you don’t recognize — flag it to your doctor’s office.

Use patient portals for image sharing. If you need to send images to a specialist, use a secure portal rather than email or a physical CD that could be lost. Ask your provider if they support encrypted direct sharing.

Monitor your insurance explanations of benefits. Fraudulent claims involving imaging are often detectable as unexpected billing for a scan you never had. If you see one, report it to your insurer.

Be wary of unsolicited calls from medical offices. Scammers can spoof phone numbers and use information from a data breach (including imaging metadata) to sound legitimate. Hang up and call your provider back using a number you know is correct.

These steps won’t eliminate all risk, but they close common gaps that attackers exploit.

Sources

  • Deepfake X-Rays Fool Radiologists and AI — Radiological Society of North America, March 2026
  • Special Report Highlights LLM Cybersecurity Threats in Radiology — RSNA, May 2025
  • Radiologists Share Tips to Prevent AI Bias — RSNA, May 2025