Your Medical Scans Could Feed AI Models: Here’s What to Know About Privacy Risks
Introduction
If you’ve had an X-ray, MRI, or CT scan recently, chances are that image was processed or interpreted with the help of artificial intelligence. Radiology AI tools can speed up diagnoses, reduce human error, and spot patterns a radiologist might miss. But the same technology that makes scans more useful also creates new privacy concerns. Your medical images—often considered among the most sensitive personal data—are being fed into AI models in ways that patients rarely understand or consent to.
A recent analysis published by the Radiological Society of North America (RSNA) frames this situation as a “Pandora’s Box” of privacy-related risks. While the RSNA itself is a major proponent of AI in radiology, the report acknowledges that the rapid adoption has outpaced the safeguards needed to protect patient data.
What Happened
The RSNA report, released in May 2026, examines how medical imaging AI systems are developed and deployed. These models are trained on massive datasets—sometimes millions of scans—collected from hospitals, research institutions, and commercial partners. The stated goal is to improve clinical accuracy, but the data handling practices raise several concerns:
- Consent gaps: Many patients never explicitly agree to have their scans used for AI training. Broad consent forms buried in hospital admission paperwork are often too vague to count as informed permission.
- Re-identification risk: Anonymization techniques that strip names and dates are not foolproof. Researchers have shown that de-identified medical images can sometimes be matched back to individuals using facial recognition or metadata, especially with high-resolution scans that include the face or unique anatomical features.
- Secondary uses without notice: Even if you agree to have your scan used for a specific AI project, that dataset might later be sold, shared, or repurposed for unrelated research or commercial products without your knowledge.
The RSNA report doesn’t paint all AI as dangerous—far from it. But it does stress that the current privacy framework is “fragmented and insufficient,” especially given the volume and sensitivity of imaging data now flowing into AI pipelines.
Why It Matters
Medical images are not just pictures; they contain a wealth of personal information. A CT scan of your chest reveals your age, sex, body shape, and possibly your facial structure. An MRI of your brain can expose neurological conditions, but also uniquely identifying patterns. Unlike a credit card number, a scan cannot be changed once it has leaked.
The consequences extend beyond embarrassment. Re-identified health data could be used by insurers to adjust premiums, by employers to discriminate, or by marketers to target you based on medical conditions. In some documented cases, hospital data breaches have already exposed millions of radiology images on the open internet because of misconfigured cloud storage.
Existing regulations offer some protection but have clear gaps. In the United States, HIPAA governs how health data is used by covered entities (hospitals, doctors), but it does not cover many third parties that might access AI training datasets, such as tech companies or research labs. The European Union’s GDPR is stronger on consent and anonymization, but enforcement across borders remains inconsistent. Neither law was written with modern AI training pipelines in mind.
What Readers Can Do
You do not have to accept these risks silently. While you cannot fully control what happens to your data once it enters a hospital system, you can take practical steps to protect yourself:
Ask before you scan. When your doctor orders an imaging test, ask the radiology department or hospital: “Will my images be used to train any AI models? Can I opt out of that use?” Many facilities have a consent form for data sharing—insist on seeing it and understanding what you’re signing.
Check the privacy policy. Some hospitals publish their data handling practices online. Look for language about “de-identified data,” “research purposes,” and “third-party sharing.” If the policy is vague, request clarification in writing.
Opt out where possible. The RSNA report notes that a growing number of institutions allow patients to opt out of having their data used for AI training and research. This option is often buried, but you can ask specifically for a “data use opt-out” or “research opt-out” form.
Limit sharing of images yourself. If you use patient portals or apps that store your medical images, be cautious about granting them broad permissions. Some apps share data with analytics companies by default.
File a complaint if you suspect misuse. If you learn your data was used without consent or that a breach occurred, you can file a complaint with the Office for Civil Rights (HIPAA) in the U.S. or your national data protection authority in the EU.
Sources
- Radiological Society of North America (RSNA). “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks.” Published May 20, 2026. RSNA News article.
- RSNA 2025 Technical Exhibits and related reports on AI in radiology (additional context on AI adoption trends, referenced for background)
- U.S. Department of Health and Human Services. HIPAA Privacy Rule. 45 CFR Parts 160, 164.
- European Parliament. General Data Protection Regulation (GDPR). Regulation (EU) 2016/679.