Your Medical Scans Could Train AI: What to Know About Privacy Risks
Artificial intelligence is making its way into radiology departments faster than many patients realize. Algorithms now help radiologists spot fractures, measure tumors, and flag suspicious findings in CT scans, MRIs, and X-rays. But behind that improved detection lies a less-discussed trade-off: your medical images may end up being used to train those AI systems—sometimes without your explicit consent.
Recent discussions at the Radiological Society of North America (RSNA) have underscored how medical imaging AI opens up significant privacy concerns, prompting radiologists and ethicists to ask hard questions about patient data use.
What Happened
At the 2025 RSNA annual meeting, researchers and clinicians presented a session titled “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks.” The talk reviewed how AI development depends on massive collections of medical images—often pulled from hospital archives, research databases, and third-party repositories. These datasets can include tens of thousands of patient scans, along with associated metadata such as age, sex, imaging protocol, and sometimes more sensitive information like genetic markers or clinical notes.
The central problem is that even when images are “de-identified”—meaning names, dates, and ID numbers are stripped—it is often still possible to re-identify a patient. Facial features can be reconstructed from head CTs or MRIs. Implant serial numbers may appear in scans. And linking image data with other public health databases can pinpoint individuals. The RSNA presenters noted that current de-identification practices are not foolproof and that the risk of data leakage grows as more datasets are shared for AI research.
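For teams that curate imaging datasets, the linkage risk described above can be measured before anything is shared. The following is an added example, not material from the RSNA session or the original article: a k-anonymity audit over the metadata fields named earlier (age, sex, imaging protocol). The records, the threshold k=3 and all function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample: metadata released alongside "de-identified" scans.
# Names, dates and IDs are already stripped; only quasi-identifiers remain.
RECORDS = [
    {"scan": "s01", "age": 34, "sex": "F", "protocol": "CT head"},
    {"scan": "s02", "age": 36, "sex": "F", "protocol": "CT head"},
    {"scan": "s03", "age": 38, "sex": "F", "protocol": "CT head"},
    {"scan": "s04", "age": 61, "sex": "M", "protocol": "MRI brain"},
    {"scan": "s05", "age": 63, "sex": "M", "protocol": "MRI brain"},
    {"scan": "s06", "age": 67, "sex": "M", "protocol": "MRI brain"},
    {"scan": "s07", "age": 91, "sex": "F", "protocol": "MRI pelvis"},
]

QUASI_IDENTIFIERS = ("age", "sex", "protocol")


def generalize_age(record, width=10):
    """Return a copy with exact age replaced by a band such as '30-39'."""
    low = (record["age"] // width) * width
    out = dict(record)
    out["age"] = f"{low}-{low + width - 1}"
    return out


def audit(records, k, fields=QUASI_IDENTIFIERS):
    """Return (smallest group size, scans whose group is smaller than k)."""
    # A group is every record sharing the same quasi-identifier values; a
    # group of one can be matched against any other dataset with those fields.
    key = lambda r: tuple(r[f] for f in fields)
    sizes = Counter(key(r) for r in records)
    at_risk = sorted(r["scan"] for r in records if sizes[key(r)] < k)
    return min(sizes.values()), at_risk


def release_set(records, k):
    """Generalize ages, then suppress records that still fall below k."""
    banded = [generalize_age(r) for r in records]
    _, at_risk = audit(banded, k)
    return [r for r in banded if r["scan"] not in at_risk]


if __name__ == "__main__":
    print("raw:", audit(RECORDS, k=3))
    print("banded:", audit([generalize_age(r) for r in RECORDS], k=3))
    print("released:", [r["scan"] for r in release_set(RECORDS, k=3)])
```

With exact ages every record is unique; banding ages leaves only the outlier (s07) exposed, and that record is withheld. This covers the metadata only and does nothing about identifying content in the pixels themselves, such as facial features or implant serial numbers.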
Why It Matters
For patients, the stakes are personal. Medical images reveal deeply private information, not just about anatomy but about health history, mental health conditions (brain scans), and even reproductive status (pelvic imaging). If a scan is re-identified and leaked, the consequences can include insurance discrimination, employer bias, or social stigma. Unlike a credit card number, you cannot change your medical history.
Moreover, consent models for AI training are often vague. When a patient signs a standard consent form for a scan, it typically covers diagnosis and treatment—not AI research. Many hospitals use a broad “opt-out” model, meaning your data is used unless you specifically ask to be excluded. But most patients are never told that option exists. A 2023 study found that fewer than 10% of patients were aware that their imaging data could be used for machine learning training.
Additionally, data breaches are a real concern. Healthcare systems have become frequent targets for ransomware and data theft. If a hospital’s training dataset is compromised, thousands of patient scans could be exposed in one incident. The RSNA session highlighted that most healthcare organizations do not have data governance policies specifically tailored to AI training datasets.
What You Can Do
While you cannot completely control how hospitals handle your data, there are practical steps you can take:
Ask Before You Scan
When your doctor orders an imaging exam, ask the radiology department: “Will my images be used for AI research or training? Can I opt out?” Many hospitals are required to inform you and provide a choice, but they rarely volunteer this information. Making the request puts your preference on record.
Review Consent Forms Carefully
Consent forms for imaging procedures sometimes include a checkbox about data use for research. Read that section. If it is not clear, ask for clarification before signing. In some cases, you may be offered an “opt-out” form separate from the main consent.
Know Your Rights Under HIPAA
Under the HIPAA Privacy Rule, healthcare providers must give you a Notice of Privacy Practices that describes how your health information may be used, including for research. If you object to uses beyond your treatment, you have the right to request restrictions, though providers are not always required to agree. Still, it is worth making your objection known in writing.
Consider Data Sharing Programs
Some large academic hospitals let you manage your data sharing preferences through patient portals. Look for settings under “Research Participation” or “Data Use.” If such a portal exists, you can set your preference to “Do not share for AI training” or “Opt out of research use.”
Stay Informed
Privacy protections for medical AI are still evolving. The RSNA has called for clearer national guidelines on data de-identification, audit trails, and patient consent. Follow developments from professional societies, the Office for Civil Rights, and privacy advocacy groups. Public pressure can help shape better rules.
Sources
- Radiological Society of North America. “Medical Imaging AI Opens a Pandora’s Box of Privacy-Related Risks.” RSNA Annual Meeting, 2025.
- Office for Civil Rights, U.S. Department of Health and Human Services. “HIPAA Privacy Rule and Research.”
- Centers for Disease Control and Prevention. “De-identification of Protected Health Information.”
- Gichoya, J. W. et al. “AI in Radiology: Patient Privacy and Data Governance.” Journal of the American College of Radiology, 2023.
The tension between faster diagnoses and patient privacy will not disappear anytime soon. But understanding how your scans could be used—and knowing how to assert your preferences—can help you make informed decisions about your own health data.