Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

The Devil is in the Prompts: De-Identification Traces Enhance Memorization Risks in Synthetic Chest X-Ray Generation

Raman Dutt

TL;DR

This work addresses privacy risks in diffusion-based synthetic chest X-rays by systematically identifying prompts and tokens in the MIMIC-CXR dataset that drive memorization. It adopts a text-conditional noise framework, defining a memorization score $d_{mem}=\frac{1}{T}\sum_{t=1}^{T}||\epsilon_\theta(x_t,e_p)-\epsilon_\theta(x_t,e_\emptyset)||_2$ to detect memorized prompts and then analyzes token-level contributions. The key findings show that de-identification traces, particularly the PHI marker "___", contribute most to memorization due to their uniqueness and frequency, and that standard inference-time mitigations (random word/number substitutions or removal) fail to reduce memorization. The paper provides practical recommendations for data curators and model developers (e.g., randomizing de-identification markers, recaptioning, using in-domain vision-language models) and releases memorized prompts to facilitate benchmarking and future mitigation work. Altogether, the study highlights a fundamental flaw in current anonymization practices for medical datasets and underscores the need for training-time interventions to ensure privacy-preserving synthetic medical imaging.

Abstract

Generative models, particularly text-to-image (T2I) diffusion models, play a crucial role in medical image analysis. However, these models are prone to training data memorization, posing significant risks to patient privacy. Synthetic chest X-ray generation is one of the most common applications in medical image analysis with the MIMIC-CXR dataset serving as the primary data repository for this task. This study presents the first systematic attempt to identify prompts and text tokens in MIMIC-CXR that contribute the most to training data memorization. Our analysis reveals two unexpected findings: (1) prompts containing traces of de-identification procedures (markers introduced to hide Protected Health Information) are the most memorized, and (2) among all tokens, de-identification markers contribute the most towards memorization. This highlights a broader issue with the standard anonymization practices and T2I synthesis with MIMIC-CXR. To exacerbate, existing inference-time memorization mitigation strategies are ineffective and fail to sufficiently reduce the model's reliance on memorized text tokens. On this front, we propose actionable strategies for different stakeholders to enhance privacy and improve the reliability of generative models in medical imaging. Finally, our results provide a foundation for future work on developing and benchmarking memorization mitigation techniques for synthetic chest X-ray generation using the MIMIC-CXR dataset. The anonymized code is available at https://anonymous.4open.science/r/diffusion_memorization-8011/

The Devil is in the Prompts: De-Identification Traces Enhance Memorization Risks in Synthetic Chest X-Ray Generation

TL;DR

This work addresses privacy risks in diffusion-based synthetic chest X-rays by systematically identifying prompts and tokens in the MIMIC-CXR dataset that drive memorization. It adopts a text-conditional noise framework, defining a memorization score to detect memorized prompts and then analyzes token-level contributions. The key findings show that de-identification traces, particularly the PHI marker "___", contribute most to memorization due to their uniqueness and frequency, and that standard inference-time mitigations (random word/number substitutions or removal) fail to reduce memorization. The paper provides practical recommendations for data curators and model developers (e.g., randomizing de-identification markers, recaptioning, using in-domain vision-language models) and releases memorized prompts to facilitate benchmarking and future mitigation work. Altogether, the study highlights a fundamental flaw in current anonymization practices for medical datasets and underscores the need for training-time interventions to ensure privacy-preserving synthetic medical imaging.

Abstract

Generative models, particularly text-to-image (T2I) diffusion models, play a crucial role in medical image analysis. However, these models are prone to training data memorization, posing significant risks to patient privacy. Synthetic chest X-ray generation is one of the most common applications in medical image analysis with the MIMIC-CXR dataset serving as the primary data repository for this task. This study presents the first systematic attempt to identify prompts and text tokens in MIMIC-CXR that contribute the most to training data memorization. Our analysis reveals two unexpected findings: (1) prompts containing traces of de-identification procedures (markers introduced to hide Protected Health Information) are the most memorized, and (2) among all tokens, de-identification markers contribute the most towards memorization. This highlights a broader issue with the standard anonymization practices and T2I synthesis with MIMIC-CXR. To exacerbate, existing inference-time memorization mitigation strategies are ineffective and fail to sufficiently reduce the model's reliance on memorized text tokens. On this front, we propose actionable strategies for different stakeholders to enhance privacy and improve the reliability of generative models in medical imaging. Finally, our results provide a foundation for future work on developing and benchmarking memorization mitigation techniques for synthetic chest X-ray generation using the MIMIC-CXR dataset. The anonymized code is available at https://anonymous.4open.science/r/diffusion_memorization-8011/

Paper Structure

This paper contains 10 sections, 4 equations, 4 figures.

Table of Contents

  1. Introduction
  2. Related Work
  3. Preliminaries
  4. Diffusion Models
  5. Efficient Memorization Detection via Text-Conditional Noise
  6. Experiments
  7. Detecting Memorized Prompts in MIMIC-CXR
  8. Examining Individual Token Contribution: Traces of De-Identification Enhance Memorization
  9. Existing Intervention Methods are Ineffective
  10. Discussion and Conclusion

Figures (4)

  • Figure 1: Multiple generations for a single prompt across various initialization seeds. The top row shows a memorized prompt, where images remain nearly identical regardless of the seed, indicating independence from initial noise. In contrast, the bottom row displays a non-memorized prompt, with diverse outputs reflecting sensitivity to the initial noise, indicating no memorization.
  • Figure 2: Visualizing the distribution of text-conditional norms for unique prompts in the MIMIC-CXR dataset (largest to smallest). Prompts in the top 1 percentile, exhibiting the highest norms, are highlighted in red. Prompts exhibiting high norms indicate they are potentially memorized.
  • Figure 3: Figure illustrating the text-conditional norm for each token in a memorized prompt. We only plot the tokens with the top 25 norm values for visual clarity. Amongst all tokens, the PHI de-identification token ("___") holds the most significant contribution towards memorization. This behaviour is replicated across all memorized prompts.
  • Figure 4: Figure depicting multiple generations for the same prompt and different mitigation strategies. The visual similarity across different generations and mitigation methods indicates their ineffectiveness.