Your Medical Scans Could Leak More Than You Think: AI Privacy Risks Explained
Artificial intelligence is making medical imaging faster and more accurate—radiologists can now spot tiny tumors or fractures that a human eye might miss, and AI tools can process scans in seconds. But the same data that makes these tools powerful also creates serious privacy risks. Recent reports from the Radiological Society of North America (RSNA) have described these risks as “a Pandora’s box,” and for good reason.
What happened
Medical imaging AI works by training algorithms on vast collections of X-rays, MRIs, and CT scans. These datasets often contain millions of images from thousands of patients. Even when data is “de-identified”—with names, dates, and ID numbers stripped away—researchers have shown that AI models can sometimes reconstruct enough facial features or anatomical markers to re-identify patients. In 2025, a study presented at the RSNA technical exhibits demonstrated that certain AI models could infer a patient’s identity from seemingly anonymous scans using only subtle image patterns.
Beyond model-level risks, the storage and transmission of imaging data remain vulnerable. Several high-profile breaches of radiology PACS (Picture Archiving and Communication Systems) have exposed millions of patient records in recent years. Attackers target these systems because the images are large, often poorly encrypted, and linked to rich medical histories.
The RSNA report also highlighted a less obvious problem: many patients are unaware that their scans—sometimes taken years ago—are being used to train commercial AI products without explicit consent. While some hospitals obtain broad consent for research, others rely on “opt-out” policies that are hard to find or understand.
Why it matters
For patients, the stakes are high. Medical images contain deeply personal information: bone structures, organ shapes, even genetic markers in some cases. If a database of scans is leaked or an AI model is reverse-engineered, that data can be linked back to you. Unlike a credit card number, your facial structure or a rare tumor can’t be changed. Once exposed, it’s exposed for life.
There’s also the risk of discrimination. Insurers or employers could access or demand data from AI training sets to infer health conditions. While laws like HIPAA in the U.S. and GDPR in Europe provide some protections, they don’t fully cover all uses of de-identified data, especially after it’s transferred to third-party AI developers.
The phrase “Pandora’s box” used by RSNA is fitting because once the box is opened, that is, once images are collected into a training set, there’s no easy way to pull them back. And many hospitals are moving so fast to adopt AI that privacy safeguards aren’t keeping pace.
What readers can do
You don’t have to avoid necessary scans to protect your privacy. But you can take a few simple steps:
- Ask your provider about data sharing. Before an imaging exam, ask: “Will my images be used for AI training? If so, can I opt out?” Many facilities have a policy but won’t volunteer it.
- Request information on data storage and encryption. How long are your images kept? Are they stored in a secure, encrypted system? PACS vendors vary widely in security practices.
- Check for opt-out forms. Some hospitals require you to sign a separate consent form for your data to be used in research or product development. Read it carefully. If you decline, your care shouldn’t be affected.
- Know your rights under HIPAA. You have the right to request an accounting of disclosures for certain purposes. You can also ask for restrictions on how your data is used—though providers aren’t always required to agree.
- If you’re in the EU, exercise GDPR rights. You can request deletion of your data from training sets in some cases, though enforcement is uneven.
Regulators and professional bodies are starting to address these gaps. RSNA has called for clearer consent frameworks and better technical safeguards. But systematic change takes time. Until then, the quickest protection is to be an informed patient.
Sources
- “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks,” Radiological Society of North America (RSNA), May 2026.
- RSNA 2025 Technical Exhibits — Largest Radiology AI Showcase, RSNA, September 2025.
- Reports of PACS data breaches from HIPAA Journal and other industry watchdogs (2024–2025).
- Research on re-identification risks in medical imaging, published at RSNA 2025 and in radiology journals.