Matching CT image data with patient photos, FBI researchers caution on privacy

Facial images extracted from publicly available radiology scans—think of head CT scans stored in open-access medical image repositories for research and education—are fairly easy to match with patients’ photos, raising concerns over privacy.

That’s according to a study conducted by Connie Parks, MA, and Keith Monson, PhD, both of the Counterterrorism and Forensic Science Research Unit at the Federal Bureau of Investigation.

Their findings are running in the April edition of the Journal of Digital Imaging.

The test subjects were 128 adult Americans ranging in age from 18 to 60 years, according to the study abstract. The cohort represented both sexes and three self-identified ancestral-descent groups: African, European and Hispanic.

Using facial recognition software, Parks and Monson compared 2D images of the extracted facial models for matches against five differently sized photo galleries.

Depending on the scanning protocol and gallery size, in 6 percent to 61 percent of the cases, a correct life photo match for a CT-derived facial image was the top-ranked image in the generated candidate lists. This held even when the researchers performed blind searches of more than 100,000 images.

In 31 percent to 91 percent of the cases, they located a correct match within the top 50 images.

Few significant differences (p > 0.05) in match rates were observed between the sexes or across the three age cohorts, the authors report.

However, they observed highly significant differences—p < 0.01—across the three ancestral cohorts and between the two CT scanning protocols.

From these results, Parks and Monson conclude that the probability of a match between a facial image extracted from a medical scan and a photograph of the same individual is “moderately high.”

“The facial image data inherent in commonly employed medical imaging modalities may need consideration as a potentially identifiable form of ‘comparable’ facial imagery,” they write, adding that this data may need to be “protected as such under patient privacy legislation.”