The overlooked privacy risk in sharing obstetric images
Parents will share their baby's first scan, and they should. The risk that gets missed sits somewhere else entirely: on the image itself, and on who put it there.
A first ultrasound is one of the most shared images a family will ever own. The moment they walk out of the clinic, that grainy little profile is heading to a group chat, then a grandparent's phone, then, very often, a public post. It's beautiful, it's human, and it's completely unstoppable. Nor should anyone want to stop it.
But a raw scan straight off the machine isn't just a picture of a baby. Burned right into the image, in the corner where nobody's really looking, is the patient's name, date of birth and medical record number. When that scan gets shared, all of it goes along for the ride, screenshotted, re-posted and indexed, far beyond anywhere the clinic can reach.
It's worth being precise about who the risk belongs to. Sharing a baby scan is wonderful, and it is unambiguously the patient's right. These are their images, their memories, their choice. The overlooked part is that the clinic decided what was printed on them. And a medical record number, in particular, is the clinic's own internal key, a reference designed for the practice's systems, not something the patient has any reason to broadcast, or even to know they're broadcasting.
Why this is a system responsibility, not a patient failing
It's tempting to file this under "patients need to be more careful." That framing is both unkind and wrong. Patients have every right to their own images, and no expectant mother should have to think about DICOM metadata before she sends her mum a photo. The responsibility for what is on the image sits with the organisation that produced it.
This isn't a fringe opinion, either. It's the direction every major privacy framework is already pointing. The through-line of GDPR in Europe, HIPAA in the US and New Zealand's Privacy Act 2020 is the same: data minimisation and privacy by design. Don't expose more identifiable information than a task actually requires. Sharing a keepsake image of a baby does not require the mother's MRN to be visible to the internet. So don't put it there.
The cleanest way to think about it isn't as a legal threat. It's ordinary good practice. Removing identifiers you never needed to share is the obvious precaution, the kind a careful clinic takes as a matter of course. And if something ever does go wrong, you want to be the practice that quietly did the obvious thing beforehand, rather than the one explaining why a patient's record number ended up on a public feed.
What good looks like
The good news is that protecting patients here doesn't mean protecting them from sharing. It means making the thing they're going to share safe, and ideally giving them something even nicer to share than a raw clinical frame. In practice, that looks like a handful of small, deliberate steps:
- De-identify before delivery. Strip the burned-in name, DOB and MRN (and the PHI in the image's header) before the file ever leaves the clinic, not after.
- Brand it. Replace the raw medical frame with a clean, branded keepsake, so what spreads on social media reflects well on your practice.
- Give patients something safe and shareable. The safest image and the most shareable image can be the same image. Done right, privacy and delight aren't a trade-off.
None of this asks anything of the patient. It doesn't slow the moment down, add an app, or turn a happy handover into a privacy lecture. It removes the exposure the patient never chose and never needed, quietly, before the image is theirs to share however they like.
The fix, and why it can be automatic
This is exactly the problem PACSBridge was built to solve. Studies land from your ultrasound machine as a standard DICOM destination, and PACSBridge automatically de-identifies and brands every image before it reaches the patient. No manual editing, no extra clicks in the moment, no patient data stored on our side. What arrives on the family's phone is a clean, branded keepsake that's safe to share far and wide. What stays behind, on the raw scan, is the clinic's business alone.
The parents get the joyful, unstoppable share they were always going to make. The practice gets the reassurance of having taken the obvious precaution. And the medical record number stays exactly where it belongs, inside your systems, not on the internet.
See how the de-identification actually works
Take a proper look at the privacy model behind PACSBridge, or see it running end to end on a live scan.