Currently submitted to: JMIR Medical Informatics
Date Submitted: Nov 24, 2025
Open Peer Review Period: Dec 3, 2025 - Jan 28, 2026
NOTE: This is an unreviewed Preprint
Privacy Leakage in Federated Learning in Radiology Reports: A Comparative Evaluation of Tokenizer-Driven Privacy Risks
ABSTRACT
Background:
Federated learning (FL) enables multi-institutional model training on clinical text without sharing raw data; however, gradient inversion methods can reconstruct sensitive information from shared model updates. The extent of such privacy leakage in FL applied to radiology reports and the role of tokenizer design remain unclear.
Objective:
To quantify gradient-based reconstruction of radiology report text in an FL setting and to compare privacy risk across three transformer tokenization strategies in a controlled, tokenizer-aware evaluation.
Methods:
Six FL clients trained a GPT-2–style transformer (117M parameters; sequence length 32) on two public radiology corpora comprising 368,751 diagnostic reports, 98,206 discharge summaries, and 1,500 MIMIC-CXR free-text reports. Models were trained using three tokenizers (GPT-2, RadBERT, LLaMA-2) with batch sizes of 64, 128, and 256. A curious-server threat model was assumed, and analytic gradient inversion was applied to recover text. Reconstruction fidelity was measured over five runs using exact sentence accuracy, S-BLEU, and ROUGE-L.
Results:
Exact sentence reconstruction ranged from 33% to 42% across tokenizers. At batch size 64, accuracy was 42.1% (GPT-2), 42.3% (RadBERT), and 39.4% (LLaMA-2), decreasing to 37.3%, 37.2%, and 34.3% at batch size 256. S-BLEU scores declined with increasing batch size (e.g., GPT-2: 0.44→0.33; RadBERT: 0.48→0.35; LLaMA-2: 0.39→0.30). RadBERT yielded higher reconstruction fidelity and greater recovery of clinical terms, but no tokenizer prevented leakage.
Conclusions:
Substantial portions of radiology report text can be reconstructed from FL gradients even with larger batch sizes and domain-specific tokenizers. Tokenizer design influences leakage severity and should be incorporated into privacy evaluations for clinical language models. Integrating safeguards such as secure aggregation and differential privacy is necessary to meet HIPAA and GDPR requirements when deploying FL for radiology NLP.
Clinical Trial: Not applicable.
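The secure-aggregation safeguard named in the Conclusions, as an added example that is not code from the preprint: six clients mask their updates with pairwise masks so a curious server can recover only the sum, never an individual client's update. The seeds, fixed-point scale, function names and update values are constructed assumptions; client dropout handling and differential-privacy noise are outside what this block shows.

```python
import hashlib
from itertools import combinations

MOD = 2 ** 32      # masked arithmetic is done in the ring Z_(2^32)
SCALE = 10 ** 4    # fixed-point scale for float updates (assumption)
N_CLIENTS = 6      # matches the six FL clients in the abstract

def prg(seed, n):
    """Expand a pairwise seed into n 32-bit mask words (SHA-256, counter mode)."""
    return [int.from_bytes(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:4], "big")
            for i in range(n)]

def pair_seeds(n_clients):
    """Constructed seeds; a real deployment derives each one by key agreement
    between the two clients, and a client holds only the seeds for its own pairs."""
    return {(i, j): hashlib.sha256(f"constructed-seed-{i}-{j}".encode()).digest()
            for i, j in combinations(range(n_clients), 2)}

def mask_update(cid, update, seeds):
    """Client side: fixed-point encode, then add or subtract one mask per peer."""
    vec = [round(x * SCALE) % MOD for x in update]
    for (i, j), seed in seeds.items():
        if cid not in (i, j):
            continue
        sign = 1 if cid == i else -1   # lower id adds, higher id subtracts
        vec = [(v + sign * m) % MOD for v, m in zip(vec, prg(seed, len(vec)))]
    return vec

def server_aggregate(masked_updates):
    """Server side: sum the masked vectors; pairwise masks cancel in the total."""
    total = [sum(col) % MOD for col in zip(*masked_updates)]
    signed = [t - MOD if t >= MOD // 2 else t for t in total]
    return [s / SCALE for s in signed]

# Constructed per-client updates (stand-ins for gradient vectors).
UPDATES = [[0.12, -0.5, 0.3, 0.0], [0.07, 0.25, -0.1, 0.4], [-0.3, 0.1, 0.2, -0.2],
           [0.5, -0.05, 0.0, 0.1], [-0.11, 0.2, -0.4, 0.3], [0.02, 0.0, 0.1, -0.6]]

if __name__ == "__main__":
    seeds = pair_seeds(N_CLIENTS)
    masked = [mask_update(c, u, seeds) for c, u in enumerate(UPDATES)]
    print("what the server sees from client 0:", masked[0])
    print("aggregate:", server_aggregate(masked))
```

Secure aggregation hides individual updates but the aggregate itself can still leak, which is why the abstract pairs it with differential privacy.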
Copyright
© The authors. All rights reserved. This is a privileged document currently under peer-review/community review (or an accepted/rejected manuscript). Authors have provided JMIR Publications with an exclusive license to publish this preprint on its website for review and ahead-of-print citation purposes only. While the final peer-reviewed paper may be licensed under a cc-by license on publication, at this stage authors and publisher expressly prohibit redistribution of this draft paper other than for review purposes.