Your Medical Scans Could Be Used for AI Training—and That Raises Privacy Risks
You go in for a routine X-ray or an MRI. The image helps your doctor diagnose a fracture or spot an abnormality. What you may not realize is that the same image could later end up in a database used to train artificial intelligence software—and with that come privacy risks that experts say aren’t being fully addressed.
Artificial intelligence is becoming a standard tool in radiology. AI models can help radiologists spot tumors earlier, measure organ sizes, and flag urgent cases. But to work well, these models need to be trained on enormous collections of medical images. Those images often come from real patients, and protecting that data is more complicated than many people assume.
A report published in May 2026 by the Radiological Society of North America (RSNA) lays out the privacy challenges clearly. The paper, titled “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks,” warns that as AI use grows, so do the risks that patient data could be re-identified, exposed in a breach, or used without proper consent.
What happened
The RSNA report is not a news story about a single breach. It’s a professional society’s assessment of an ongoing problem. The authors note that AI models require large, diverse datasets to be accurate and fair. Hospitals and research institutions often share imaging data—sometimes across borders—to build these datasets. Even when identifying details like names and Social Security numbers are stripped away, the images themselves can still contain enough information to link back to a specific person.
Facial features can be reconstructed from a CT scan of the head. Unique bone structures, dental patterns, or even tattoos visible in an image could be used for identification. And once data is used to train an AI model, that model may “remember” pieces of the original data, potentially leaking sensitive information if queried cleverly.
The RSNA report doesn’t claim these risks are widespread today, but it argues they are not hypothetical. Several studies have already demonstrated that de-identification techniques—the standard method for protecting patient data—are not foolproof. The report calls for better encryption, stricter access controls, and clearer consent processes.
Why it matters for patients and consumers
If you have ever had a medical image taken, there is a chance it could be used for AI training. Most consent forms for imaging procedures include a broad clause allowing the hospital or clinic to use your data for research. You might have signed it without a second thought.
The problem is that once your image is in a research dataset, you have very little control over where it goes. Data can be shared with commercial AI companies, academic labs, or international partners. Even with de-identification, the risk of re-identification exists. A motivated attacker with access to other public records could potentially match an image to your name, then learn not just the scan result but also your medical history.
There is also the question of consent. Many patients are never explicitly told that their images might be used for AI training. They are not asked whether they want to opt in or out. And if they later change their mind, withdrawing data from a trained AI model is effectively impossible.
What you can do
You don’t need to become a privacy expert, but you can take a few practical steps to protect your medical imaging data.
Ask your provider about data use. Before any imaging exam, ask how your images will be stored and whether they might be used for AI training or research. Some hospitals have clear policies; others do not. If the answer is vague, request clarification in writing.
Review your consent forms carefully. Look for language about research or data sharing. If you are uncomfortable with broad authorization, ask if you can opt out while still receiving the scan. In many cases, providers will accommodate you if you ask.
Know your rights under privacy laws. In the United States, HIPAA gives you some control over your health information, but it does not cover all uses. For example, de-identified data is not regulated the same way as identifiable health information. In Europe, the GDPR offers stronger protections, including the right to be informed about how your data is used.
Support stronger institutional policies. If you are involved in patient advocacy or hospital boards, push for clear, transparent data governance. The RSNA report recommends that healthcare organizations adopt privacy-by-design principles, use robust encryption, and limit data sharing to only what is necessary.
Sources
The analysis in this article is based on the RSNA report “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks,” published in May 2026. Additional context comes from prior research on de-identification failures and general data security practices in healthcare. The RSNA report can be accessed through their official website.