Morning Overview

Study: Deepfake X-rays can fool radiologists and AI tools

Multiple peer-reviewed studies have found that AI-generated fake medical images, including X-rays and mammograms, can deceive both trained radiologists and diagnostic algorithms. The findings span several imaging types, from knee and chest X-rays to mammograms and CT scans, and they expose a blind spot in how the medical system verifies the authenticity of diagnostic images. As hospitals and clinics adopt AI-assisted reading tools at a growing pace, the inability of human experts and machines alike to reliably distinguish real scans from synthetic ones raises serious questions about patient safety and data integrity.

Fake Mammograms Fooled AI and Specialists

A reader study published in Nature Communications tested whether generative adversarial network (GAN) images could trick both an AI diagnosis model and specialist radiologists. The results were stark. The AI model was fooled by a majority of adversarial mammogram images presented in the experiment. Radiologists fared unevenly, with their ability to identify fakes varying widely across the group. Some clinicians caught most of the synthetic images, while others performed little better than guessing.

That variation matters because it suggests the problem is not simply one of image quality. Radiologists bring different levels of experience, attention, and familiarity with digital artifacts to the task. A University of Pittsburgh news release referencing the same Nature Communications paper framed the results as evidence that cancer-spotting AI and human experts can both be fooled by image-tampering attacks. If adversarial images can flip a diagnostic outcome from negative to positive or vice versa, the downstream consequences for treatment decisions are immediate and tangible, ranging from unnecessary biopsies to missed early-stage cancers.

Knee X-ray Fakes Performed at Chance Level

The vulnerability extends well beyond breast imaging. A separate peer-reviewed study tested GAN-generated deepfake knee osteoarthritis scans on a panel of radiologists and orthopedic surgeons. Specialists were asked to classify images as real or synthetic. For some groups, performance was near chance, meaning the experts were essentially flipping a coin. That result is particularly troubling because knee osteoarthritis imaging is routine and high-volume, and a corrupted dataset could distort clinical research or insurance assessments at scale.

The study also noted that GAN-generated images hold augmentation potential for training automatic classification systems. This dual-use tension sits at the heart of the deepfake imaging debate. The same technology that can improve AI training datasets by filling gaps in rare conditions can also produce convincing forgeries. Without strict provenance controls, synthetic images intended to strengthen algorithms could leak into clinical workflows or research repositories without clear labeling.

Chest X-rays and the Image Turing Test

Chest radiographs, one of the most commonly ordered imaging studies worldwide, face the same threat. A study published in Scientific Reports used a progressive growing GAN to generate synthetic chest X-rays and then subjected them to an “Image Turing test” with radiologists. The assessment documented how often clinicians could correctly distinguish real chest radiographs from GAN-generated fakes, and the results confirmed that synthetic images have reached a level of realism that challenges expert judgment.

On the AI side, a preprint described a framework called CoRPA that uses concept vector perturbations to generate adversarial chest X-ray images specifically designed to bypass model-based classifiers. While that work did not include a full radiologist reader study, it demonstrated that targeted perturbations can reliably fool automated diagnostic tools. Taken together, these findings show that neither the human nor the machine side of radiology has a reliable defense against well-crafted fakes, especially when attacks are tailored to specific model weaknesses.

Training-Stage Attacks Corrupt AI Over Time

Not all attacks happen at the point of diagnosis. A separate line of research published in another Scientific Reports paper showed that chest X-ray deep learning pipelines can be compromised at the training stage through gradual data poisoning. By slowly introducing corrupted data into a model’s training set, attackers can shift the model’s behavior over time without triggering obvious alarms. This type of attack is harder to detect than a single fake image because it degrades performance incrementally rather than producing a single dramatic failure.

A review article in Clinical Radiology cataloged the full range of adversarial attack types targeting radiology AI, including image perturbations, DICOM metadata manipulation, and text-based attacks on report generation systems. The breadth of the attack surface is wider than most clinicians realize, and the review noted that current defenses remain limited relative to the sophistication of available attack methods. In particular, many proposed defenses are evaluated on narrow test sets, leaving open questions about how they perform against adaptive adversaries in real-world hospital environments.

3D Scans and Realistic Tampering

The threat is not confined to two-dimensional images. Research on CT-GAN, later published at the USENIX Security Symposium, demonstrated that convincingly tampered 3D scans can add or remove signs of disease from CT imagery. Three expert radiologists and a state-of-the-art AI system were both highly susceptible to the attack. The authors also described a realistic attack vector involving the interception and manipulation of scans as they move through hospital networks, a scenario that does not require physical access to imaging equipment but instead exploits vulnerabilities in picture archiving and communication systems.

Meanwhile, a preprint describing a model called RoentMod reported that anatomically realistic chest X-ray edits achieved high rates of being rated realistic by radiologists and residents, along with correct incorporation of specified pathological findings. While the researchers positioned their work as a tool for identifying and correcting AI model shortcuts, the same capability could be repurposed to produce targeted medical image forgeries. A system that can insert a subtle lung nodule or erase a small hemorrhage on demand effectively gives attackers fine-grained control over clinical narratives embedded in images.

Why Detection Alone Is Not Enough

These studies collectively suggest that relying on detection alone is a losing strategy. As generative models improve, the gap between authentic and synthetic images narrows, and human perception is unlikely to keep pace. Automated detectors, meanwhile, face an arms race dynamic. Once their signatures are known, attackers can adapt their generation methods to evade them. In practice, this means that even if hospitals deploy detectors at image ingestion, sophisticated adversaries may still slip through, particularly when they target specific workflows or institutions.

Instead, experts argue for a layered approach that emphasizes provenance, infrastructure security, and governance. One layer is cryptographic signing of images at the point of acquisition, so that any subsequent tampering breaks the signature. Another is strict control over training data pipelines, including versioned datasets, access logging, and periodic audits to detect distribution shifts that might signal poisoning. At the organizational level, hospitals and research centers can treat imaging networks as critical infrastructure, segmenting systems and monitoring traffic for anomalies rather than assuming that internal networks are inherently trustworthy.
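
The signing layer described above, as an added sketch that is not code from the article or the cited studies: the tag binds the pixel data to selected header fields, so a header-only edit (the DICOM metadata manipulation mentioned earlier) is caught as well as a pixel edit. HMAC-SHA256 from the Python standard library stands in for a device-held asymmetric signature; the key, the field list and the sample image are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key. On a real modality this would be an asymmetric private
# key held in hardware; HMAC is used here only because it ships with Python.
DEVICE_KEY = b"constructed-demo-key"

# Assumed set of header fields bound to the pixels (standard DICOM attribute names).
SIGNED_FIELDS = ("PatientID", "StudyInstanceUID", "Modality", "Rows", "Columns", "Laterality")

def canonical_bytes(metadata, pixels):
    """Deterministic encoding of the signed header fields plus a pixel digest."""
    doc = {
        "header": {name: metadata.get(name) for name in SIGNED_FIELDS},
        "pixel_sha256": hashlib.sha256(pixels).hexdigest(),
    }
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()

def sign_at_acquisition(metadata, pixels, key=DEVICE_KEY):
    return hmac.new(key, canonical_bytes(metadata, pixels), hashlib.sha256).hexdigest()

def verify(metadata, pixels, tag, key=DEVICE_KEY):
    return hmac.compare_digest(sign_at_acquisition(metadata, pixels, key), tag)

def pixel_only_tag(pixels, key=DEVICE_KEY):
    """Weaker variant that authenticates pixel data but not the header."""
    return hmac.new(key, pixels, hashlib.sha256).hexdigest()

def demo():
    # Constructed sample: a 64x64 8-bit "image" and a minimal header.
    meta = {"PatientID": "DEMO-0001", "StudyInstanceUID": "1.2.3.4.5", "Modality": "CR",
            "Rows": 64, "Columns": 64, "Laterality": "L"}
    pixels = bytes(range(256)) * 16
    tag, weak = sign_at_acquisition(meta, pixels), pixel_only_tag(pixels)
    edited_pixels = pixels[:2048] + bytes([pixels[2048] ^ 0x01]) + pixels[2049:]
    edited_meta = dict(meta, Laterality="R")  # header-only change, pixels untouched
    return {
        "untouched": verify(meta, pixels, tag),
        "pixel_edit": verify(meta, edited_pixels, tag),
        "header_edit": verify(edited_meta, pixels, tag),
        "pixel_only_misses_header_edit": hmac.compare_digest(pixel_only_tag(pixels), weak),
    }

if __name__ == "__main__":
    print(demo())
```

A tag computed over pixels alone still matches after the laterality field is flipped, which is why the header fields belong inside the signed payload.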

Building More Resilient Medical Imaging Systems

Medical institutions already manage large collections of imaging data through platforms such as national biomedical repositories, and individual researchers often curate their own libraries via tools like personalized NCBI dashboards. As synthetic imaging becomes more prevalent, these repositories will need clearer policies on labeling, storing, and sharing AI-generated content. Explicit metadata tags for synthetic or edited images, coupled with access controls and usage agreements, could help prevent accidental mixing of real and fake data in clinical studies.

On the technical side, researchers are exploring robust training methods that make models less sensitive to small perturbations, as well as anomaly detection systems that flag images inconsistent with expected anatomical patterns or acquisition parameters. However, these techniques are still maturing, and their effectiveness against adaptive, high-quality deepfakes remains uncertain. In the meantime, radiology departments can adopt practical steps such as tightening user permissions on image archives, monitoring for unusual bulk downloads, and incorporating basic security awareness into continuing medical education.

The emerging consensus from the literature is that deepfake medical images are not a speculative future risk but a present-day capability that challenges long-standing assumptions about trust in diagnostic imaging. As generative models continue to advance, the line between real and synthetic scans will only blur further. Protecting patients will require not just better algorithms, but a rethinking of how medical images are created, transmitted, stored, and interpreted, treating authenticity as a core clinical attribute rather than an afterthought.


*This article was researched with the help of AI, with human editors creating the final content.