Your Medical Scans Could Be Feeding AI — Without Your Knowledge. Here’s What to Do

Your Medical Scans Could Be Feeding AI — Without Your Knowledge. Here’s What to Do

You go in for a routine chest X‑ray or an MRI of your knee. The radiologist reads the images, sends a report to your doctor, and you assume that’s the end of it. But what happens to the actual scan after that? Increasingly, those images are being used to train artificial intelligence systems — often without your explicit consent, and sometimes in ways that could put your personal health data at risk.

A recent report from the Radiological Society of North America (RSNA) warns that privacy protections for medical imaging data have not kept pace with the rapid adoption of AI in radiology. As more hospitals and imaging centers integrate AI tools, the line between clinical care and data mining is blurring. For patients, the consequences can range from subtle privacy erosion to serious data breaches.

What Happened

The RSNA report, published in late May 2026, highlights a growing set of privacy risks tied to the use of medical images in AI development. It points out that while patient data is often “anonymized” before being used to train algorithms, true de‑identification is notoriously difficult. Studies have shown that so‑called anonymized scans can be re‑identified by cross‑referencing them with other available data — such as age, sex, and the unique shape of a person’s spine or skull. In some cases, metadata embedded in the image file can also leak information.

The report notes that many hospital consent forms do not explicitly mention that images may be used for AI training. Patients may unknowingly sign away broad rights to their data, and the terms are often buried in general treatment consent paperwork. Meanwhile, third‑party AI vendors, research institutions, and even other hospitals may gain access to the images, sometimes with limited oversight on how the data is stored, shared, or eventually used.

Why It Matters

For the average person, the risks fall into a few overlapping categories.

First is re‑identification. Even if a scan has been stripped of obvious identifiers like name and date of birth, machine learning techniques can often link it back to a specific individual. Once linked, that person’s health conditions, the shape of their organs, and other sensitive details become tied to their identity. This information could be used by insurers, employers, or others in ways that are discriminatory or harmful.

Second is data breaches. Large collections of medical images are an attractive target for hackers. Unlike credit card numbers, health data is hard to change — once your X‑ray is leaked, you cannot replace it. Breaches at hospitals and AI vendors have already exposed millions of records, and images can remain online indefinitely.

Third is lack of transparency. Many patients have no idea their scans are being used beyond their own care. A recent survey cited in the RSNA report found that a majority of patients would want to be asked for permission before their medical images were used to train AI, yet only a minority recall ever being asked. This disconnect means people cannot make informed decisions about sharing their data.

What Readers Can Do

You are not powerless. While the system is far from perfect, there are concrete steps you can take to protect your privacy when undergoing medical imaging.

1. Read the consent form carefully. Before you sign any paperwork for a scan, look for language about “research,” “secondary use,” or “data sharing.” If the wording is vague or you do not understand it, ask the technician or your doctor to explain exactly what will happen to your images.

2. Ask your provider directly. Before the scan, you can say: “Will my images be used to train AI or shared with any third parties? Is there a way to opt out of that?” Some hospitals have formal opt‑out processes, even if they do not advertise them.

3. Look for policies on the hospital’s website. Many health systems now publish privacy notices that describe how they handle imaging data. If you cannot find clear information, ask for it in writing.

4. Know your legal rights. In the United States, HIPAA protects your health information, but it has significant gaps when it comes to AI training. HIPAA allows data to be used for “treatment, payment, and operations” without your consent — and AI development can fall under “operations.” In Europe, the GDPR provides stronger protections, including the right to object to certain secondary uses. State laws in the U.S., such as California’s CCPA, may also apply. However, these laws were not written with AI‑specific scenarios in mind, so enforcement is patchy.

5. Consider where you get your scan. If you have a choice, large academic medical centers often have more robust privacy programs than standalone imaging centers that partner with multiple AI vendors. That said, no facility is risk‑free.

6. Opt out of research registries when possible. Some imaging departments have “research repositories” that collect images for future studies. You can often decline to participate. Ask if such a repository exists and how to remove your data from it.

Sources

• Radiological Society of North America (RSNA), “Medical Imaging AI Opens a Pandora’s Box of Privacy‑Related Risks,” May 2026.
• US Department of Health and Human Services, HIPAA Privacy Rule, 45 CFR §164.500 et seq.
• EU General Data Protection Regulation (GDPR), Articles 6, 9, and 22.
• California Consumer Privacy Act (CCPA), Cal. Civ. Code §1798.100 et seq.
• Schwarz, C. G., et al., “Identification of Anonymous MRI Research Participants with Face‑Recognition Software,” New England Journal of Medicine, 2019.

Staying informed is your best defense. The technology is moving fast, and privacy regulations are still catching up. By asking questions and understanding your rights, you can help ensure that your medical images serve your care — not someone else’s bottom line.