Federated Learning in Radiology Reports Faces Significant Privacy Leakage

Santhosh Parampottupadam, Andres Martinez, Dimitrios Bounias, Sinem Sav, Klaus Maier-Hein, Ralf Floca· July 17, 2026 View original

Summary

This study reveals substantial privacy leakage in federated learning for radiology reports, where sensitive information can be reconstructed from shared model updates. It also shows that tokenizer design significantly influences the severity of this leakage.

Federated learning (FL) is a promising technology for training AI models on sensitive clinical data, like radiology reports, without directly sharing raw patient information across institutions. However, concerns exist about potential privacy breaches, specifically through gradient inversion attacks, where malicious actors could reconstruct original data from the shared model updates. The extent of this risk, particularly in radiology reports and the role of tokenizer choices, has been unclear. Researchers conducted a comparative evaluation to quantify this privacy risk. They trained GPT-2-style transformers on public radiology corpora using FL, testing three different tokenizers (GPT-2, RadBERT, LLaMA-2) and varying batch sizes. An active malicious server was simulated to perform analytic gradient inversion, attempting to reconstruct the original text. The findings indicate significant privacy leakage, with exact sentence reconstruction rates ranging from 31% to 44% across different tokenizers, datasets, and batch sizes. Even at larger batch sizes, substantial portions of report text were recoverable. RadBERT, a domain-specific tokenizer, showed the highest reconstruction fidelity and recovered more clinical terms. This research underscores that tokenizer design is a critical privacy-relevant decision, not just a utility one, and suggests that additional safeguards like secure aggregation and differential privacy are essential for FL in healthcare to meet regulatory requirements like HIPAA and GDPR.

Why it matters

Healthcare organizations and AI developers deploying federated learning for sensitive medical data must be aware of these privacy vulnerabilities and implement robust safeguards to comply with regulations and protect patient information.

How to implement this in your domain

  1. 1Conduct a thorough privacy risk assessment for any federated learning implementation involving sensitive data.
  2. 2Evaluate the privacy implications of different tokenizer choices in your NLP models.
  3. 3Integrate privacy-enhancing technologies like secure aggregation or differential privacy into your FL pipelines.
  4. 4Stay updated on the latest research regarding gradient inversion attacks and privacy leakage in FL.
  5. 5Consult with legal and compliance experts to ensure FL deployments meet HIPAA, GDPR, and other relevant data protection standards.

Who benefits

HealthcarePharmaceuticalsMedical DevicesResearch & DevelopmentData Security

Key takeaways

  • Federated learning in radiology reports is vulnerable to significant privacy leakage.
  • Gradient inversion attacks can reconstruct sensitive text from shared model updates.
  • Tokenizer choice critically impacts the severity of privacy leakage.
  • Additional privacy safeguards are essential for FL in healthcare to meet regulatory compliance.

Original post by Santhosh Parampottupadam, Andres Martinez, Dimitrios Bounias, Sinem Sav, Klaus Maier-Hein, Ralf Floca

"arXiv:2607.14205v1 Announce Type: new Abstract: Federated learning (FL) enables multi-institutional training on clinical text without sharing raw data, but gradient inversion can reconstruct sensitive information from shared model updates. The extent of this leakage for radiology…"

View on X

Originally posted by Santhosh Parampottupadam, Andres Martinez, Dimitrios Bounias, Sinem Sav, Klaus Maier-Hein, Ralf Floca on X · view source

Want to go deeper?

Turn these trends into skills with Learnijoy's hands-on AI & tech courses.

Explore courses

More in AI Research