Your Medical Scans Could Be Faked or Leaked: What to Know About AI Privacy Risks
Artificial intelligence is transforming radiology, enabling faster and sometimes more accurate readings of X‑rays, CT scans, and MRIs. But as AI tools become embedded in medical imaging workflows, a less visible risk has emerged: the security and authenticity of those images. Recent work presented by the Radiological Society of North America (RSNA) has shown that medical imaging AI opens a Pandora’s box of privacy-related risks, from convincing deepfake scans to unauthorized data sharing. For patients, understanding these risks is the first step toward protecting their most personal health information.
What Happened
In March 2026, RSNA published findings from researchers who created deepfake X‑rays capable of fooling both human radiologists and AI diagnostic algorithms. The synthetic images were produced with generative AI and were nearly indistinguishable from real scans. The concern is not only that such images could be used to manipulate diagnoses or insurance claims, but that the same techniques could be used to insert fake findings into a patient’s medical record.
Separately, privacy researchers have pointed out that many AI radiology tools rely on cloud‑based platforms or third‑party vendors to process and train algorithms. Medical imaging files are often large and contain metadata—patient names, dates of birth, imaging facility details—that may not be fully stripped when data is transferred. In several documented incidents, de‑identified imaging data has been re‑identified using publicly available information, raising questions about how well current privacy safeguards hold up.
Why It Matters
The implications stretch beyond a single patient. If deepfake X‑rays or CT scans can fool trained specialists and automated tools, the potential for misdiagnosis, delayed treatment, or fraudulent billing increases. A false finding could lead to unnecessary surgery; a missed finding could delay cancer treatment. On the data‑breach side, medical images are among the most sensitive records a person has—once leaked, they cannot be “un‑seen” or revoked like a credit card number.
Current regulations like HIPAA in the United States set baseline requirements for protecting electronic health information, but they were written before generative AI and large‑scale cloud processing became routine. HIPAA’s “de‑identification” standards, for instance, allow data to be treated as de‑identified once 18 specific identifiers are removed, but they don’t account for the fact that an AI model can sometimes re‑identify a person based on the shape of their spine or the pattern of their lung tissue. Legal experts and health‑privacy advocates have called for updates to cover AI‑specific risks, but those changes are still in discussion.
What Readers Can Do
Patients don’t have to be passive in this environment. Here are practical steps you can take:
- Ask your imaging provider about data security. Before an MRI or CT scan, ask the facility how they store and transmit images. Do they use end‑to‑end encryption? Are images sent to third‑party AI vendors for analysis? If so, ask what contractual protections exist for your data.
- Review consent forms carefully. Many imaging consent forms include language allowing your images to be used for “research or quality improvement.” That can include AI training. If you’re not comfortable with that, ask if you can opt out without affecting your care.
- Avoid posting medical images on social media. Some patients share X‑rays or scans to raise awareness or ask for opinions. Even if you crop out your name, the image itself can contain embedded metadata or unique anatomical markers that could identify you.
- Ask about de‑identification practices. If a facility uses cloud AI, they should be able to explain how images are anonymized before leaving their network. Look for facilities that use “local” AI processing—running the algorithm on‑site rather than sending data to a remote server.
- Stay informed about your rights. HIPAA gives you the right to request an accounting of disclosures for your health information. You can ask which third parties have accessed your imaging data.
Sources
- Radiological Society of North America (RSNA). “Deepfake X‑Rays Fool Radiologists and AI.” March 24, 2026.
- Radiological Society of North America (RSNA). “Medical Imaging AI Opens a Pandora’s Box of Privacy‑Related Risks.” May 20, 2026.
- U.S. Department of Health and Human Services. “HIPAA Privacy Rule and De‑Identification Standards.” (Current guidance as of 2025.)
- Several independent privacy researchers cited in RSNA presentation materials regarding re‑identification risks of de‑identified imaging data.
The promise of AI in medical imaging is real, but it comes with responsibilities. By asking the right questions now, patients can help ensure that the benefits of faster, smarter scans aren’t overshadowed by preventable privacy losses.