Disparate Privacy Risks from Medical AI - An Investigation into Patient-level Privacy Risk

Traditional methods of measuring membership inference attack (MIA) performance rely on aggregate success metrics (e.g., a single ROC curve across all training records). This approach is a poor indicator of individual patient privacy risk. The study demonstrates that even if aggregate AUC is low (e.g., 0.7), certain individual patient records can have near-perfect MIA AUC (e.g., 0.975), meaning their inclusion in the training data can be inferred with high confidence.

The speaker shows an empirical survival function plot (20:32) where aggregate AUC values (in brackets in the legend) are low, while the curves show that a small but significant number of patients have very high MIA AUCs (e.g., 1 in 10,000 patients having an AUC of 0.975 for Fitzpatrick data set).

Patient records most vulnerable to membership inference attacks are often atypical, contain imaging artifacts, or are mislabeled. Examples include chest X-rays with compression artifacts or incorrect support device labels, mammograms with poor image quality or magnification devices, and dermatology images containing histopathology slides or no skin.

Visual examples are provided for Checkpert (chest X-rays) showing atypical images like rotated scans or missing labels (23:32). For Embed (mammograms), images with magnification devices or where the breast is barely visible are shown (24:42). For Fitzpatrick 17K (dermatology), histopathology images incorrectly included in the dataset and images without skin are highlighted (25:00).

As medical AI models increase in size and diagnostic performance, the proportion of patients with high individual privacy risk (near-perfect MIA AUC) increases exponentially. A Vision Transformer, pre-trained on natural images, showed significantly higher individual patient vulnerability compared to smaller Wide ResNet models, even if its aggregate MIA AUC was only moderately higher.

For the Fitzpatrick 17K dataset, a Wide ResNet 282 shows 1 in 10,000 patients with high attack AUC, a Wide ResNet 285 shows 1 in 1,000, and a Vision Transformer (VIT) shows more than 1 in 10 patients with near-perfect attack AUC (27:10). The VIT's aggregate AUC was 0.7, but its individual risk was far higher.

Privacy risk is not uniformly distributed across patient demographics. The study found a moderate to strong negative correlation between group size and Pearson residual, indicating that smaller, minority patient groups are disproportionately over-represented among the most vulnerable records (99th risk percentile). This suggests that AI models may implicitly learn and exploit information related to demographic subgroups, even when such information is not physiologically apparent to humans.

G-squared tests show significant differences in privacy risk across sexes, races, and ethnicities for Mimic CXR and Embed datasets (35:31). A meta-analysis plot of group size vs. Pearson residual shows a negative correlation (38:00), indicating minorities are more affected. The speaker notes that for chest radiographs and mammograms, there are no known physiological differences between races that doctors can discern, yet AI models show disparate privacy risks.