DeepfakeA synthetic image, video, or audio created using artificial intelligence to replace a person's likeness with someone else's, often making it difficult to distinguish from authentic content. medical images have crossed a critical threshold. A March 2026 study published in Radiology[s] found that AI-generated X-rays are now realistic enough to fool both radiologists and the AI systems designed to help them. When doctors did not know fake images were mixed in, fewer than half spotted them. Even when warned, their accuracy only reached 75%.
This is not a theoretical risk. The technology to create deepfake medical images is now accessible to anyone with a ChatGPT subscription. And the infrastructure meant to store and share medical scans has security gaps that have persisted for decades.
Deepfake Medical Images: What the Study Found
Seventeen radiologists from 12 institutions across six countries[s] were shown 264 X-ray images. Half were real clinical scans. The other half were generated by AI, some by ChatGPT (GPT-4o) and others by RoentGen, an open-source model developed at Stanford.
In the first phase, radiologists were not told the study involved fakes. They were simply asked to assess image quality and note anything unusual. Only 41% raised concerns that AI-generated images might be present. The rest saw nothing wrong.
In the second phase, radiologists were told that some images were synthetic and asked to sort real from fake. Their average accuracy was 75%, meaning one in four deepfake medical images still slipped through. Individual scores ranged from 58% to 92%. Years of experience made no difference. A first-year resident performed roughly as well as a veteran with four decades in the field.
AI models did not fare much better. Four large language modelsA machine learning system trained on vast amounts of text that predicts and generates human language. These systems like GPT and Claude exhibit surprising capabilities but also make confident errors. (GPT-4o, GPT-5, Gemini 2.5 Pro, and Llama 4 Maverick) were tested on the same images. Their accuracy ranged from 57% to 85%[s]. Even GPT-4o, the model that created the fakes, could not reliably identify its own output.
Why This Matters for Patients
When radiologists were asked to diagnose conditions shown in the images, their diagnostic accuracy was 92.4% for the AI-generated X-rays[s], nearly identical to the 91.3% for real scans. In other words, doctors not only believed the fakes were real; they confidently diagnosed medical conditions in images that depicted no actual patient.
The implications cut two ways. A fabricated fracture image could support a fraudulent insurance claim or lawsuit. A manipulated scan showing a clear lung could hide real cancer. “This creates a high-stakes vulnerability for fraudulent litigation if, for example, a fabricated fracture could be indistinguishable from a real one,” said lead author Mickael Tordjman[s], a radiologist at Mount Sinai in New York.
The Barrier to Entry Has Collapsed
What makes this moment different is accessibility. Earlier deepfake medical images required specialized machine learning expertise. In 2019, researchers at Ben-Gurion University demonstrated CT-GAN[s], a system that could inject or remove tumors from 3D CT scans. That attack fooled radiologists 99% of the time, but building it required training custom neural networks on medical data.
Today, generating anatomically plausible radiographsA medical image produced by electromagnetic radiation, commonly called an X-ray, used by doctors to view internal body structures for diagnostic purposes. requires nothing more than a plain-language prompt[s] to a commercial chatbot. The technical barrier has effectively disappeared.
Hospital Networks Are Not Ready
The medical imaging infrastructure itself compounds the problem. DICOMDigital Imaging and Communications in Medicine, the global standard protocol for storing, transmitting, and sharing medical images between healthcare systems and devices., the standard protocol for storing and sharing scans, was designed for interoperabilityThe ability of military forces or equipment from different nations to function together seamlessly in joint operations., not security. A 2023 investigation by cybersecurity firm Aplite[s] found more than 3,800 DICOM servers exposed to the open internet across 110 countries, leaking data on 16 million patients. Fewer than 1% of those servers used effective security measures.
The 2019 CT-GAN researchers demonstrated one practical attack vector[s]: with permission, they penetrated a real hospital network and intercepted every scan taken by a CT machine. Internal hospital networks often transmit scans without encryption because they were historically not connected to the internet. That assumption is increasingly outdated.
What Can Be Done
Researchers recommend a layered defense. Proposed safeguards include invisible watermarks[s] embedded in images at the moment of capture and cryptographic signatures tied to the technologist who took the scan. These would create a chain of custody that makes post-capture tampering detectable.
“We are potentially only seeing the tip of the iceberg,” Tordjman warned[s]. “The logical next step in this evolution is AI-generation of synthetic 3D images, such as CT and MRI. Establishing educational datasets and detection tools now is critical.” The study team has published a curated deepfake dataset with interactive quizzes[s] to help train radiologists.
Image-integrity specialist Elisabeth Bik put it plainly: “This raises concerns not only for research integrity, but also for clinical workflows, insurance claims and legal contexts where imaging evidence is used.”[s]
The telltale signs exist, for now. Deepfake medical images often look “too perfect,” with overly smooth bones, unnaturally straight spines, and fracture lines that are suspiciously clean. But as the models improve, even those clues will fade.
A multi-center study published in Radiology in March 2026[s] quantifies what the imaging community has feared: deepfakeA synthetic image, video, or audio created using artificial intelligence to replace a person's likeness with someone else's, often making it difficult to distinguish from authentic content. medical images generated by commercially available large language modelsA machine learning system trained on vast amounts of text that predicts and generates human language. These systems like GPT and Claude exhibit surprising capabilities but also make confident errors. are now indistinguishable from authentic radiographsA medical image produced by electromagnetic radiation, commonly called an X-ray, used by doctors to view internal body structures for diagnostic purposes. at clinically relevant rates. Neither human readers nor multimodal LLMs achieved reliable discrimination, and the technical barrier to producing these fakes has dropped to near zero.
Deepfake Medical Images: Study Design and Results
The retrospective diagnostic accuracy study[s], conducted between April and August 2025, enrolled 17 radiologists from 12 institutions across six countries, with experience ranging from 0 to 40 years. They evaluated two non-overlapping datasets comprising 264 total images.
Dataset 1 contained 77 authentic radiographs paired with 77 synthetic images generated by GPT-4o across multiple anatomical regions (chest, extremities, spine). Dataset 2 contained 55 authentic chest radiographs and 55 synthetic chest X-rays produced by RoentGen, a latent diffusion modelAn AI model that generates images or video by learning to gradually remove noise from random data. It produces highly realistic synthetic media and underlies tools like Stable Diffusion. fine-tuned on chest radiographs[s] developed by Stanford Medicine researchers.
The study ran in three phases. In phase 1, radiologists, blinded to the study’s purpose, assessed image quality on a Likert scale and provided diagnoses. Only 41% (7 of 17) spontaneously noted that AI-generated images might be present. Diagnostic accuracy was 91.3% for authentic radiographs and 92.4% for synthetic ones[s], confirming that deepfake medical images were not only visually convincing but diagnostically coherent.
In phase 2, informed that synthetic images were present, radiologists achieved a mean accuracy of 75% (95% CI: 68-81%) on the GPT-4o dataset. Individual performance ranged from 58% to 92%. Pooled sensitivity was 69.1% and specificity 80.4%. In phase 3, accuracy on the RoentGen dataset was 70% (95% CI: 62-78%), with no statistically significant difference from the GPT-4o performance (P = .07).
No correlation was found between years of experience and detection accuracy.[s] Musculoskeletal radiologists significantly outperformed other subspecialists, likely because bone morphology provides more discrete structural cues than soft-tissue patterns.
LLM Performance as Discriminators
Four multimodal LLMs were evaluated on the same classification task. GPT-4o achieved 85% accuracy on its own synthetic images[s] and 75.5% on RoentGen images. GPT-5 scored 82.5% and 89.1% respectively. Llama 4 Maverick (59%, 52%) and Gemini 2.5 Pro (56%, 57%) performed substantially worse, in some cases near chance level. The difference between OpenAI models and competitors was statistically significant (all P < .001).
The fact that GPT-4o could not reliably identify its own output is significant. It suggests that the generation process does not embed easily recoverable artifacts: the model generates from the same learned distribution of radiographic features, making discrimination a fundamentally harder problem than generation.
From GANs to LLMs: The Accessibility Inflection Point
The current study represents an inflection point in the evolution of deepfake medical images. Generative AI in medical imaging has evolved from GANs to diffusion-based models[s], and now to general-purpose LLMs that accept plain-language prompts. Each generation lowered the expertise required.
The 2019 CT-GAN framework from Ben-Gurion University demonstrated the threat in volumetric imaging. Mirsky et al. used a 3D conditional GAN to inject and remove lung cancer from CT scans[s], achieving manipulations that executed in milliseconds and fooled radiologists in a blinded evaluation. Three radiologists misdiagnosed 99% of scans with injected tumors and 94% of those with tumors removed.[s] Even after being told about the tampering, misdiagnosis rates remained at 60% and 87% respectively.
But CT-GAN required training custom cGAN architectures on curated medical datasets, a non-trivial pipeline. The 2026 study shows that comparable 2D deception is now achievable through a commercial API call. The attack surfaceThe total set of points in a system where an attacker can attempt to enter, extract data, or cause damage. has expanded from state-level actors and well-funded adversaries to essentially anyone.
Infrastructure Vulnerabilities: DICOMDigital Imaging and Communications in Medicine, the global standard protocol for storing, transmitting, and sharing medical images between healthcare systems and devices. and PACSPicture Archiving and Communication Systems, computer networks that store, retrieve, and distribute medical images like X-rays and CT scans throughout healthcare facilities.
The imaging infrastructure itself remains poorly defended. DICOM (Digital Imaging and Communications in Medicine), the universal standard for medical image storage and transmission, was designed for interoperabilityThe ability of military forces or equipment from different nations to function together seamlessly in joint operations., not security[s]. PACS (Picture Archiving and Communication Systems) servers frequently operate with minimal authentication and unencrypted internal communications.
A 2023 audit by Aplite presented at Black Hat Europe[s] identified over 3,800 exposed DICOM servers across 110+ countries, with 16 million patient records and 43 million health records accessible from the open internet. Fewer than 1% implemented effective security measures. The researchers also demonstrated a new attack vector for tampering with data within existing medical images on these exposed systems.
The CT-GAN team demonstrated a man-in-the-middle interception attack on a live hospital network[s], capturing every scan from a CT machine. Internal radiology networks historically assumed air-gapping from the internet, but cloud migration and remote access requirements have eroded that assumption.
Mitigation Strategies
The study authors propose a multi-layered defense[s]: invisible watermarks embedded at image acquisition, technologist-linked cryptographic signatures attached at capture, PACS audit logging for record access patterns, and anomaly detection for unusual record modifications.
The radiologists in the study identified several morphological tells in current-generation deepfake medical images: bilateral symmetry artifacts, uniform noise patterns (lacking the spatially varying noise of real detector hardware), overly smooth bone cortex, unnaturally regular vertebral alignmentIn AI safety, the process of ensuring an AI system's goals and behaviors match human values and intentions. Poor alignment can cause AI systems to optimize for measurable metrics in ways that contradict human interests., and fracture lines that appear “too clean,” often affecting only one cortical surface rather than propagating through the full bone cross-section.
However, these signatures are model-specific and will likely diminish as generative architectures improve. “We are potentially only seeing the tip of the iceberg,” Tordjman noted[s]. “The logical next step in this evolution is AI-generation of synthetic 3D images, such as CT and MRI.”
Elisabeth Bik, an image-integrity specialist, called the findings “both disturbing and not very surprising,”[s] noting the implications extend beyond clinical practice to “research integrity, insurance claims and legal contexts where imaging evidence is used.” The study team has released a curated educational dataset at noneedanick.github.io/DeepFakeXRay[s] to train clinicians on detection.
The fundamental challenge is asymmetric: generating a convincing deepfake is computationally cheap and getting cheaper. Detecting one requires either cryptographic provenance (which demands infrastructure overhaul) or visual forensics (which the study shows is unreliable even among experts). The window for proactive defense is narrowing.
