This work addresses the risk of sensitive medical image leakage via deep learning model export from healthcare data lakes. We propose a novel image-compression-based data exfiltration attack that reconstructs confidential CT and MR images solely from exported model parameters—without requiring auxiliary training data, target samples, or task-specific knowledge. By stealthily encoding losslessly or lossily compressed medical images into model weights and leveraging high-fidelity reconstruction techniques, the attack achieves high-accuracy image recovery. Experiments demonstrate its effectiveness across diverse compression ratios and show moderate robustness against differential privacy. To counter this threat, we design a lightweight model fine-tuning defense that significantly degrades reconstruction quality while preserving model utility, offering a practical, deployable solution for secure model sharing in clinical settings.

With the rapid expansion of data lakes storing health data and hosting AI algorithms, a prominent concern arises: how safe is it to export machine learning models from these data lakes? In particular, deep network models, widely used for health data processing, encode information from their training dataset, potentially leading to the leakage of sensitive information upon its export. This paper thoroughly examines this issue in the context of medical imaging data and introduces a novel data exfiltration attack based on image compression techniques. This attack, termed Data Exfiltration by Compression, requires only access to a data lake and is based on lossless or lossy image compression methods. Unlike previous data exfiltration attacks, it is compatible with any image processing task and depends solely on an exported network model without requiring any additional information to be collected during the training process. We explore various scenarios, and techniques to limit the size of the exported model and conceal the compression codes within the network. Using two public datasets of CT and MR images, we demonstrate that this attack can effectively steal medical images and reconstruct them outside the data lake with high fidelity, achieving an optimal balance between compression and reconstruction quality. Additionally, we investigate the impact of basic differential privacy measures, such as adding Gaussian noise to the model parameters, to prevent the Data Exfiltration by Compression Attack. We also show how the attacker can make their attack resilient to differential privacy at the expense of decreasing the number of stolen images. Lastly, we propose an alternative prevention strategy by fine-tuning the model to be exported.