Impact of differential privacy on breast ultrasound image classification performance using vision transformer
Introduction
With the rapid development of artificial intelligence (AI), deep learning (DL)-based medical image analysis models have been widely adopted in cancer diagnosis. These models efficiently identify benign and malignant tumors by automatically extracting and analyzing complex structures and subtle features in medical images, offering rapid and accurate diagnostic support to physicians. This significantly enhances diagnostic accuracy, reduces clinicians’ workload, and improves healthcare efficiency and quality (1-4). However, the extensive use of DL in medical imaging raises potential privacy risks. Training accurate models typically requires large-scale datasets, such as those of breast ultrasound images, which contain sensitive patient information, including diagnostic details and anatomical structures. Unauthorized disclosure of such data could severely violate patient privacy and undermine trust in healthcare systems (5,6). Therefore, protecting medical image privacy is not only a technical challenge but also a critical requirement for maintaining patient trust and ensuring ethical healthcare practices (7). The datasets employed for model training frequently encompass confidential individual information. Although these datasets are commonly restricted from public dissemination due to privacy concerns, the resultant trained models are often disseminated publicly or deployed as services for inference on novel datasets. In the training of machine learning models, although removing patient identifiers such as names is a standard data anonymization procedure, this approach offers only limited protection of privacy. The essential features inherent in medical imaging data remain intact and could potentially be exploited by malicious parties to deduce sensitive patient information, thereby posing risks to privacy. 
Consequently, relying solely on such basic anonymization techniques often falls short of adequately safeguarding the privacy of data cases when confronted with sophisticated and diverse attack vectors (6,8).
To address privacy risks in medical image analysis, researchers are exploring robust privacy-preserving mechanisms (9). Differential privacy (DP), a cutting-edge technique, resolves the conflict between data utility and privacy by injecting noise during data processing. This ensures that the presence or absence of any single data record does not significantly affect analytical outcomes, achieving “usable invisibility” of data (10,11).
Recent complementary efforts include steganography-based concealment of Electronic Patient Records within Digital Imaging and Communications in Medicine (DICOM) images (12), federated-learning frameworks that integrate DP to safeguard distributed ultrasound data (13), and DP investigations on generic medical images (7). Building on these advances, we position the present study as a systematic investigation of DP for breast-ultrasound classification—a modality that remains markedly under-explored relative to the extensive DP literature on magnetic resonance imaging (MRI) or computed tomography (CT).
This study investigates DP-based methods for medical ultrasound image classification, aiming to enhance model reliability while safeguarding patient privacy. By integrating DP, this work contributes to advancing medical image analysis in two key aspects: strengthening patient trust through rigorous privacy guarantees; offering novel methodologies to improve model generalizability and clinical diagnostic accuracy. We present this article in accordance with the CLEAR reporting checklist (available at https://qims.amegroups.com/article/view/10.21037/qims-2025-1064/rc).
Methods
DP
DP technology was first proposed by Dwork et al. in 2006 (10). Initially, it did not attract widespread attention in the academic community, mainly due to the negative correlation between privacy protection level and data utility (such as model accuracy). Simply put, the noise added for privacy protection would reduce data usability, which limited its application in the early stages. However, as data privacy issues became increasingly prominent, DP gradually gained attention. The applications by tech giants such as Google and Apple further promoted the development of DP. For example, Google first disclosed its research on DP in 2014 and applied it to Chrome browser data collection in 2017 (14). Apple also introduced DP technology into its iPhone Operating System (iOS) to protect user privacy (15). These applications demonstrated the practical value of DP, driving its extensive research and application in both academia and industry. DP is a cutting-edge privacy protection technology that introduces noise during data processing to ensure that the presence or absence of a single data record does not significantly affect the analysis results, thereby achieving “usable invisibility” of data. Through rigorous mathematical definitions and formal methods, DP provides a quantifiable and verifiable framework for data privacy protection. The following are several key definitions of DP (11,16).
DP is a rigorous mathematical framework designed to protect individual privacy within a dataset. The core principle of DP is to ensure that small changes to the dataset (such as adding or deleting a record) do not significantly impact the output of an algorithm. Below is a detailed explanation of the related concepts (17).
Definition 1: adjacent datasets
Adjacent datasets refer to two datasets that differ by only a single record, denoted as D and D'. The difference can be:
Addition/deletion adjacency: D' has one more or fewer records than D.
Replacement adjacency: One record in D is replaced in D'.
The concept of adjacency is fundamental to DP, as it is used to measure the sensitivity of an algorithm to individual data points.
Definition 2: sensitivity
Sensitivity quantifies the maximum change in the output of a query function when applied to adjacent datasets, determining the amount of noise that needs to be added. It is specifically divided into:
L1 Sensitivity (∆1): Applicable to numerical queries, defined as:
L2 Sensitivity (∆2): Applicable to vector-valued queries, defined as:
Sensitivity directly affects the design of the noise mechanism. For example, the Laplace mechanism adds noise based on ∆1, whereas the Gaussian mechanism adds noise based on ∆2.
Definition 3: (ε, δ)-DP
A randomized algorithm M satisfies (ε, δ)-DP if and only if for all adjacent datasets D and D', and for all possible output subsets , the following holds:
Additionally, the reverse inequality must also hold:
ε is the privacy budget, used to quantify the degree of privacy protection;
δ is the probability of privacy leakage, and theoretically, the smaller the δ, the higher the level of privacy protection.
Eq. [3] states that, for any pair of datasets that differ by only one record (D and D'), the probability of observing any algorithm output S cannot increase by more than a multiplicative factor of e^ε when the single record is added or removed. Eq. [4] imposes the same bound on the complementary event, ensuring the bound is symmetric. Together, these two inequalities guarantee that an adversary observing the output S cannot confidently determine whether any single individual’s data were present in the input dataset. ε controls the tolerated leakage (smaller ε → stronger privacy), whereas δ allows for an additional, small probability of violating this guarantee.
In the context of DP, there are two key mechanisms: pure differential privacy (ε-DP) and approximate differential privacy ([ε, δ]-DP). Pure differential privacy is achieved when δ equals 0, such as with the Laplace mechanism, where the amount of noise added is determined by . Meanwhile, approximate differential privacy comes into play when δ is greater than 0, such as with the Gaussian mechanism, where the noise level is defined as .
DP injects carefully calibrated noise during computation so that including or excluding any single record barely alters the outcome, rendering individual data effectively invisible while still enabling useful analysis. This technology protects data privacy while ensuring data usability and the accuracy of analysis results.
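The guarantee described above can be turned into concrete limits on a membership-inference adversary. The following is an added example, not code from the article: it applies the two DP inequalities to the adversary's decision region to bound the true-positive rate at a given false-positive rate, and evaluates that bound for the ε and δ values listed in Table 1. The function names are hypothetical, and the δ < 1/n comparison is a common rule of thumb from the DP literature, not a criterion stated by the authors.

```python
import math

# (epsilon, delta) values taken from Table 1 of the article.
EPSILONS = (0.01, 0.1, 1.0, 10.0)
DELTAS = (1e-5, 1e-3, 0.1)
N_TRAIN = 1504  # number of training images, from the Dataset section


def max_tpr(epsilon, delta, fpr):
    """Upper bound on an adversary's true-positive rate when guessing
    "this record was in the training set" at false-positive rate `fpr`.

    Applying the DP inequality to the decision region S gives
        TPR <= e^eps * FPR + delta
    and applying it to the complement of S gives
        TPR <= 1 - e^(-eps) * (1 - delta - FPR).
    Both must hold, so the bound is the smaller of the two (capped at 1).
    """
    if epsilon < 0 or not 0.0 <= delta <= 1.0 or not 0.0 <= fpr <= 1.0:
        raise ValueError("need epsilon >= 0 and delta, fpr in [0, 1]")
    bound_from_s = math.exp(epsilon) * fpr + delta
    bound_from_complement = 1.0 - math.exp(-epsilon) * (1.0 - delta - fpr)
    return min(1.0, bound_from_s, bound_from_complement)


def max_advantage(epsilon, delta):
    """Largest achievable TPR - FPR over all operating points.

    The two linear bounds in max_tpr cross at FPR = (1 - delta) / (e^eps + 1),
    which gives the closed form (e^eps - 1 + 2*delta) / (e^eps + 1).
    """
    a = math.exp(epsilon)
    return (a - 1.0 + 2.0 * delta) / (a + 1.0)


def delta_below_one_over_n(delta, n_records):
    """Rule-of-thumb check (an assumption of this example): delta should be
    smaller than 1/n, otherwise exposing a whole record with probability
    delta is compatible with the guarantee for about delta * n records."""
    return delta < 1.0 / n_records


def audit_grid(epsilons=EPSILONS, deltas=DELTAS, n_records=N_TRAIN):
    """Evaluate the bounds for every (epsilon, delta) pair in the grid."""
    rows = []
    for delta in deltas:
        for epsilon in epsilons:
            rows.append({
                "epsilon": epsilon,
                "delta": delta,
                # With zero false positives the bound reduces to delta itself.
                "tpr_at_fpr_0": max_tpr(epsilon, delta, 0.0),
                "tpr_at_fpr_1pct": max_tpr(epsilon, delta, 0.01),
                "advantage": max_advantage(epsilon, delta),
                "delta_lt_1_over_n": delta_below_one_over_n(delta, n_records),
            })
    return rows


if __name__ == "__main__":
    print("eps     delta    TPR@FPR=0  TPR@FPR=1%  max adv  delta<1/n")
    for r in audit_grid():
        print(f"{r['epsilon']:<7g} {r['delta']:<8g} {r['tpr_at_fpr_0']:<10.5f} "
              f"{r['tpr_at_fpr_1pct']:<11.5f} {r['advantage']:<8.4f} "
              f"{r['delta_lt_1_over_n']}")
```

At a false-positive rate of zero the bound equals δ for every ε, so the δ column of Table 1 alone determines how often an adversary may be certain about membership.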
AI models
ResNet50
ResNet50 is a classic deep convolutional neural network architecture belonging to the ResNet family. ResNet was proposed by He et al. in 2015 (18), and its core idea is to solve the common problems of gradient disappearance and gradient explosion in deep network training through residual learning; the architecture includes the conv2_x, conv3_x, conv4_x, and conv5_x layers (19). Prior work has demonstrated ResNet50’s efficacy for structural-feature extraction in ultrasound tasks (20), super-resolution enhancement of transcranial images (21), and fusion with EfficientNet for explainable lesion classification (22).
EfficientNet-B0
Introduced by Tan and Le, EfficientNet-B0 jointly scales network depth, width, and resolution via a compound coefficient φ. Its inverted-residual blocks with squeeze-and-excitation attention achieve ImageNet-1K top-1 accuracy comparable to larger convolutional neural networks (CNNs) while using an order-of-magnitude fewer parameters and floating-point operations (FLOPs). Prior work has shown EfficientNet-B0’s effectiveness for low-latency breast-lesion detection on edge devices (23). EfficientNet-B0, when augmented with spatial attention, has demonstrated improved robustness to speckle noise and superior breast-lesion classification performance (24).
Vision transformer (ViT-B/16)
Dosovitskiy et al. (25) proposed ViT-B/16, which splits an image into 16×16 non-overlapping patches and feeds the sequence through 12 transformer encoder layers. ImageNet-21K pre-training endows the model with long-range spatial self-attention capabilities transferable to medical domains. Recent studies have demonstrated ViT-B/16’s superior sensitivity for subtle hypoechoic lesions in breast ultrasound (26). ViT-B/16 effectively incorporates cross-modal clinical cues for enhanced breast-lesion detection and risk stratification (27).
To identify the most suitable backbone for our differential-privacy study, we conducted a controlled comparison of the three candidate architectures on the breast ultrasound dataset. Each network was initialized with ImageNet pre-trained weights and fine-tuned by replacing and training only the final classification layer; all earlier parameters remained frozen. The resulting metrics showed that ViT-B/16 achieved the highest accuracy (94.9%), F1-score (93.4%), and AUC-ROC (99.2%). Consequently, we adopted ViT-B/16 as the definitive model for all subsequent privacy-preserving analyses.
Dataset
The study utilized a breast ultrasound image dataset sourced from Roboflow, which includes 2,149 images licensed under the Creative Commons Attribution 4.0 International (CC BY 4.0) (28). The study was conducted in accordance with the Declaration of Helsinki and its subsequent amendments. Subsequently, the images were divided into three subsets: 70% (1,504 images) for the training dataset, 20% (429 images) for the validation dataset, and 10% (216 images) for the test dataset. The breast ultrasound image dataset used in this study does not contain any personally identifiable information or sensitive patient data. All images were anonymized and processed in accordance with the dataset provider’s guidelines, ensuring compliance with ethical standards for data privacy. Therefore, ethical review and approval were not required for this study.
Experimental setup
All experiments were conducted on a workstation equipped with a 14-core Intel Xeon Gold 6330 @ 2.00 GHz, 90 GB RAM, and one NVIDIA RTX 3090 (24 GB; NVIDIA, Santa Clara, CA, USA). Software versions were Ubuntu 22.04 (Canonical, London, UK), Python 3.12 (Python Software Foundation, Wilmington, DE, USA), PyTorch 2.5.1 (Linux Foundation, San Francisco, CA, USA), CUDA 12.4 (NVIDIA), and Opacus 0.21.0 (Meta AI, Menlo Park, CA, USA). To guarantee reproducibility, we fixed the global random seed to 42, enabled deterministic Compute Unified Device Architecture (CUDA) operations, and disabled automatic mixed precision. The ImageNet pre-trained model was used: only the final fully-connected layer was replaced and trained while all earlier layers remained frozen. Images were resized to 224×224, normalized with ImageNet statistics, and augmented with random horizontal flips. The dataset contains 1,289 benign and 860 malignant cases; inverse-frequency class weights were applied to the cross-entropy loss to counteract imbalance. Differentially Private Stochastic Gradient Descent (DP-SGD) was implemented via privacy_engine; training ran for 100 epochs with Adam (initial lr = 1×10⁻³, cosine annealing to 1×10⁻⁵), batch size 64, gradient clipping L2-norm = 1.0, and noise multiplier automatically tuned by Opacus for each (ε, δ) target.
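The DP-SGD step described in this setup (per-sample clipping to an L2 norm of 1.0, then Gaussian noise scaled by a noise multiplier) is sketched below in plain Python as an added example; it is not the authors' Opacus code. The gradients, the outlier record and the noise multiplier value are constructed for illustration, since the article lets Opacus choose the multiplier, and the function names are hypothetical.

```python
import math
import random

MAX_GRAD_NORM = 1.0  # clipping bound stated in the experimental setup
BATCH_SIZE = 64      # batch size stated for the DP-SGD runs


def l2_norm(vec):
    return math.sqrt(sum(x * x for x in vec))


def clip_to_norm(grad, max_norm):
    """Scale one sample's gradient so that its L2 norm is at most max_norm."""
    norm = l2_norm(grad)
    factor = min(1.0, max_norm / norm) if norm > 0 else 1.0
    return [g * factor for g in grad]


def clipped_sum(per_sample_grads, max_norm):
    """Sum of per-sample gradients after clipping each one individually."""
    clipped = [clip_to_norm(g, max_norm) for g in per_sample_grads]
    return [sum(column) for column in zip(*clipped)]


def dp_sgd_gradient(per_sample_grads, max_norm, noise_multiplier, rng):
    """Clip, sum, add N(0, (noise_multiplier * max_norm)^2) noise to every
    coordinate of the sum, then average over the batch."""
    total = clipped_sum(per_sample_grads, max_norm)
    std = noise_multiplier * max_norm
    noisy = [t + rng.gauss(0.0, std) for t in total]
    return [x / len(per_sample_grads) for x in noisy]


def replacement_sensitivity(batch, index, new_grad, max_norm):
    """L2 distance between the clipped sums of two adjacent batches
    (replacement adjacency: one record swapped for another)."""
    neighbour = list(batch)
    neighbour[index] = new_grad
    a = clipped_sum(batch, max_norm)
    b = clipped_sum(neighbour, max_norm)
    return l2_norm([x - y for x, y in zip(a, b)])


def make_constructed_batch(rng, size, dim, outlier_scale):
    """Constructed per-sample gradients; record 0 is an outlier whose raw
    gradient is outlier_scale times larger than the others."""
    batch = [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(size)]
    batch[0] = [outlier_scale * x for x in batch[0]]
    return batch


def empirical_noise_std(noise_multiplier, max_norm, batch_size, trials, rng):
    """Measure the noise that reaches the averaged gradient by running the
    step on all-zero gradients; expected value is
    noise_multiplier * max_norm / batch_size."""
    zeros = [[0.0] for _ in range(batch_size)]
    draws = [dp_sgd_gradient(zeros, max_norm, noise_multiplier, rng)[0]
             for _ in range(trials)]
    mean = sum(draws) / trials
    return math.sqrt(sum((d - mean) ** 2 for d in draws) / (trials - 1))


if __name__ == "__main__":
    rng = random.Random(42)
    batch = make_constructed_batch(rng, BATCH_SIZE, dim=8, outlier_scale=1000.0)
    opposite = [-x for x in batch[0]]  # worst-case replacement for record 0
    raw = replacement_sensitivity(batch, 0, opposite, float("inf"))
    bounded = replacement_sensitivity(batch, 0, opposite, MAX_GRAD_NORM)
    print(f"sensitivity without clipping: {raw:.1f}")
    print(f"sensitivity with clipping:    {bounded:.3f} (at most 2 * C)")
    sigma = 1.0  # constructed noise multiplier, not a value from the article
    std = empirical_noise_std(sigma, MAX_GRAD_NORM, BATCH_SIZE, 2000, rng)
    print(f"noise std on averaged gradient: {std:.5f}")
```

Clipping is what makes the L2 sensitivity of the summed gradient finite (at most 2C under replacement adjacency, C under addition or deletion), and the Gaussian noise is scaled to that bound.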
To select the most suitable backbone for subsequent DP experiments, we conducted a head-to-head comparison of the three models on our breast ultrasound dataset. All networks were trained under identical settings: 100 epochs, Adam optimizer (lr=1×10⁻³ with cosine decay), batch size 32, identical data augmentations, and last-layer fine-tuning while keeping ImageNet pre-trained weights frozen.
Experimental design
The experimental design included the following three scenarios as Table 1 shows:
- Fixed δ value, varying ε value: to observe the impact of different ε values on model performance.
- Fixed ε value, varying δ value: to observe the impact of different δ values on model performance.
- Simultaneous variation of ε and δ values: to observe the impact of the combination of ε and δ values on model performance.
Table 1
| Experiment ID | Privacy budget (ε) | Privacy leakage probability (δ) |
|---|---|---|
| 1 | 0.01 | 0.001 |
| 2 | 0.1 | 0.001 |
| 3 | 1 | 0.001 |
| 4 | 10 | 0.001 |
| 5 | 0.01 | 0.1 |
| 6 | 0.1 | 0.1 |
| 7 | 1 | 0.1 |
| 8 | 10 | 0.1 |
| 9 | 0.01 | 1e−05 |
| 10 | 0.1 | 1e−05 |
| 11 | 1 | 1e−05 |
| 12 | 10 | 1e−05 |
Each parameter combination was run 10 independent times with fresh weight initializations. For every run we computed accuracy, F1-score, and AUC-ROC on the test set. Results were reported as mean ± standard deviation together with 95% confidence intervals (CI; t-distribution, df =9). One-way repeated-measures analysis of variance (ANOVA) was employed to assess statistical significance among privacy settings (α=0.05).
Evaluation metrics
Accuracy was defined as the proportion of correctly predicted samples out of the total number of samples (29). It was calculated using the formula:
where TP represents true positive, TN represents true negative, FP represents false positive, and FN represents false negative. Accuracy is a straightforward metric that provides an overall measure of the model’s performance, which is particularly useful when the class distribution is balanced.
The F1 Score is the harmonic mean of precision and recall, providing a balanced measure of the model’s performance. It is calculated using the formula:
where Precision is defined as and Recall is defined as . The F1 Score is particularly useful in cases where the class distribution is imbalanced, as it takes both false positives and false negatives into account.
AUC-ROC is the area under the receiver operating characteristic curve, used to measure the model’s ability to distinguish positive and negative samples at different thresholds.
It is calculated by plotting the true positive rate (TPR) against the false positive rate (FPR) at different threshold levels and then computing the AUC. The formulas for TPR and FPR are:
This integral represents the AUC-ROC, which is a plot of TPR versus FPR at various threshold levels. The AUC-ROC provides a single scalar value that summarizes the model’s ability to distinguish between the positive and negative classes across all possible classification thresholds. A higher AUC-ROC value indicates better performance.
Results
To determine the optimal backbone for our differential-privacy experiments, we first evaluated ResNet50, EfficientNet-B0, and ViT-B/16 on the breast ultrasound dataset while keeping all ImageNet pre-trained weights frozen and re-initializing only the final classification layer. Table 2 summarizes the single-run validation performance after 100 training epochs.
Table 2
| Model | Accuracy (%) | F1-Score (%) | AUC-ROC (%) |
|---|---|---|---|
| ResNet50 | 90.9 | 88.2 | 96.6 |
| EfficientNet-B0 | 80.2 | 74.5 | 87.8 |
| ViT-B/16 | 94.9 | 93.4 | 99.2 |
AUC-ROC, area under the curve of the receiver operating characteristic curve.
Under different settings of privacy budget (ε) and privacy leakage probability (δ), the model’s performance metrics are as follows:
Experimental results demonstrated that model accuracy, F1-score, and AUC-ROC are closely tied to privacy-protection intensity. When the privacy budget was relatively lenient (e.g., ε=10, δ=0.1), the model achieved its highest performance—accuracy reached 90.7% and AUC-ROC attained 97.0%—indicating that, under a lower privacy-protection level, the model can deliver diagnostic accuracy comparable to non-private baselines. However, as the privacy budget tightened (i.e., ε decreased), model performance dropped markedly; under the strictest privacy setting (ε=0.01, δ=1×10⁻⁵), accuracy fell to 48.3%, F1-score to 43.5%, and AUC-ROC to 48.6%. This underscores the need for careful trade-offs between safeguarding patient privacy and maintaining diagnostic effectiveness in real-world medical applications.
Figure 1 summarizes mean accuracy, F1-score, and AUC-ROC (± 95% CI across 10 runs) for ε=0.01, 0.1, 1, and 10 at each δ. A clear dose-response emerged: the tighter the privacy budget (lower ε), the poorer and more erratic the performance—large CIs render the model clinically unreliable. As ε increased, both accuracy and stability improved sharply; only at ε≥1 did narrow confidence intervals indicate consistent, trustworthy predictions essential for clinical deployment.
Figure 2 illustrates how the model’s performance metrics—namely accuracy, F1-score, and AUC-ROC—respond as δ increases with ε held constant at 1. The shaded regions represent the 95% CIs for the mean of each metric, indicating the range of performance variability. Looking at the data, there was a clear upward trajectory in these metrics as δ moved from 1×10⁻⁵ to 0.1. To put it plainly, accuracy climbed from 77.4% to 83.3%, the F1-score jumped from 69.3% to 77.3%, and AUC-ROC surged from 78.4% to 91.6%. So, when ε was kept steady, bumping up δ noticeably boosted how well the model performed. This is encouraging because it shows there is a way to fine-tune these parameters to yield better results without compromising too much on privacy, which is a big plus for practical applications in healthcare settings where both accuracy and privacy are crucial.
Figure 3 shows that, with δ fixed at 1×10⁻⁵, accuracy and AUC-ROC rose monotonically as ε increased from 0.01 to 10. In contrast, the F1-score exhibited a non-monotonic trajectory: it climbed steeply from ε=0.01 to ε=1, but then plateaued or dipped slightly when ε was further relaxed from 1 to 10. This flattening reflects a widening gap between improved recall and slightly degraded precision—the model flags more true positives yet also introduces additional false positives, tempering the F1 gain. Thus, ε≥1 is the practical threshold for achieving stable, high-sensitivity breast lesion detection while still honoring strict DP.
Figure 4 displays ROC curves for the privacy-aware ViT-B/16 model under every tested (ε, δ) combination, benchmarked against the non-private red solid baseline. Within each color group (fixed δ), tightening the privacy budget from ε=10 to ε=0.01 drove the curve downward and rightward, sharply reducing AUC-ROC and moving the classifier away from clinically acceptable sensitivity and specificity. Conversely, at any fixed ε, increasing δ (e.g., from 1×10⁻⁵ to 0.1) shifted the curve modestly toward the top-left, illustrating that a slightly higher privacy-leakage probability can recoup some diagnostic power. Consequently, the privacy budget ε dominated the trade-off while δ provided fine control; selecting ε=10, δ=0.1 yielded a model for which the ROC curve nearly overlapped the non-private benchmark, delivering strong, mathematically-verifiable privacy with only a minimal, quantifiable loss in diagnostic accuracy.
Discussion
Using DP in medical ultrasound image classification comes with several challenges. The main one is finding a balance between privacy and model performance. Lower ε values mean better privacy but worse performance, whereas higher ε values mean the opposite. Also, adding noise for privacy can make model training unstable, affecting how fast it converges and how well it performs. In real-world applications, we also need to adjust ε and δ based on specific situations, which adds complexity. Determining how to set these parameters properly in different contexts is a pressing issue. Based on the empirical results, the parameter set δ=0.1 and ε=1 offers an optimal balance between privacy and performance. Under this configuration the model achieved 87.39% accuracy, 82.75% F1 score, and 94.14% AUC—values that remain close to the non-private baseline while providing a markedly stronger privacy guarantee than ε=10. Compared with stricter budgets such as ε=0.1 or lower, this combination avoids the steep accuracy drop observed in Figure 4 and Table 3, making it a practical and trustworthy choice for real-world clinical deployment.
Table 3
| Delta (δ) | Epsilon (ε) | Accuracy (%) (95% CI) | F1 score (%) (95% CI) | AUC-ROC (%) (95% CI) |
|---|---|---|---|---|
| 1e−05 | 0.01 | 48.34 (43.68–53.01) | 43.52 (32.68–54.37) | 48.63 (43.76–53.51) |
| 1e−05 | 0.1 | 63.22 (61.94–64.49) | 17.35 (9.58–25.11) | 70.99 (66.44–75.54) |
| 1e−05 | 1 | 81.54 (80.60–82.47) | 73.90 (72.22–75.58) | 89.51 (88.82–90.19) |
| 1e−05 | 10 | 89.49 (88.95–90.02) | 85.96 (85.20–86.72) | 96.05 (95.69–96.41) |
| 0.001 | 0.01 | 55.99 (52.45–59.53) | 20.01 (7.85–32.17) | 50.84 (44.78–56.90) |
| 0.001 | 0.1 | 68.16 (65.53–70.79) | 34.48 (23.76–45.20) | 76.66 (74.17–79.16) |
| 0.001 | 1 | 83.78 (82.72–84.84) | 77.85 (76.48–79.22) | 91.00 (90.41–91.60) |
| 0.001 | 10 | 89.93 (89.47–90.39) | 86.73 (86.07–87.38) | 96.41 (96.16–96.65) |
| 0.1 | 0.01 | 80.35 (79.21–81.49) | 72.20 (70.39–74.00) | 88.32 (87.46–89.17) |
| 0.1 | 0.1 | 83.54 (82.55–84.54) | 76.95 (75.40–78.50) | 90.34 (89.92–90.77) |
| 0.1 | 1 | 87.39 (86.74–88.04) | 82.75 (81.79–83.71) | 94.14 (93.85–94.43) |
| 0.1 | 10 | 90.72 (90.29–91.16) | 87.78 (87.17–88.39) | 97.02 (96.83–97.21) |
AUC-ROC, area under the curve of the receiver operating characteristic curve; CI, confidence interval.
Future research can focus on the following: (I) enhancing DP algorithms to reduce their impact on model performance while maintaining privacy; (II) integrating DP with complementary privacy technologies such as homomorphic encryption and zero-knowledge proofs to achieve stronger protection; and (III) extending DP to multi-modal data scenarios that combine ultrasound images with electronic medical records and genetic data. The field of view of breast ultrasound images is typically small, with conventional high-frequency probes capturing a cross-sectional area of about 3–5 cm × 3–5 cm per image. In China, it is common to store 4–10 images per breast examination, covering the breast quadrants and axillary regions. Male breast lesions are relatively rare, with over 95% of cases being female breast images. Moreover, the glandular and fatty composition of the breast in females varies across different life stages—childhood, adolescence, reproductive age, and middle to old age—leading to distinct imaging features. Ultrasound images of patients who have undergone mastectomy or breast implantation also exhibit typical characteristics. To mitigate privacy leakage stemming from these breast-specific patterns, future work will systematically investigate layer-wise fine-tuning strategies for ViT-B/16, employ ultrasound-specific self-supervised pre-training to narrow the ImageNet domain gap, and integrate DP with federated learning to leverage larger, distributed datasets without compromising institutional privacy. Generalization will be further assessed by validating the model on independent breast ultrasound datasets from multiple hospitals and scanner brands.
Conclusions
We systematically evaluated the insertion of differential-privacy training into ViT-B/16 for breast ultrasound classification. As expected, stricter privacy budgets (lower ε) were found to reduce accuracy while strengthening guarantees, whereas looser budgets (higher ε) preserved performance but weakened privacy. The key finding is that the operating point ε=1, δ=0.1 retained 87.4% accuracy, 82.8% F1, and 94.1% AUC—within 3% of the non-private baseline—while providing mathematically quantifiable protection, thus offering a ready-to-use configuration for privacy-preserving clinical deployment.
Acknowledgments
None.
Footnote
Reporting Checklist: The authors have completed the CLEAR reporting checklist. Available at https://qims.amegroups.com/article/view/10.21037/qims-2025-1064/rc
Funding: This study received funding from
Conflicts of Interest: All authors have completed the ICMJE uniform disclosure form (available at https://qims.amegroups.com/article/view/10.21037/qims-2025-1064/coif). Z.L. is the General Manager of Glory Wireless Co. Ltd. The other authors have no conflicts of interest to declare.
Ethical Statement: The authors are accountable for all aspects of the work in ensuring that questions related to the accuracy or integrity of any part of the work are appropriately investigated and resolved. This study used publicly available datasets sourced from Roboflow. The dataset is licensed under CC BY 4.0. Given that the data within the dataset have been deidentified and do not contain private, personal, or sensitive information, ethical review by an ethics committee was not required. The use of the data complies with the dataset’s licensing agreements and terms of use. This study was conducted in accordance with the Declaration of Helsinki and its subsequent amendments.
Open Access Statement: This is an Open Access article distributed in accordance with the Creative Commons Attribution-NonCommercial-NoDerivs 4.0 International License (CC BY-NC-ND 4.0), which permits the non-commercial replication and distribution of the article with the strict proviso that no changes or edits are made and the original work is properly cited (including links to both the formal publication through the relevant DOI and the license). See: https://creativecommons.org/licenses/by-nc-nd/4.0/.
References
- McBee MP, Awan OA, Colucci AT, Ghobadi CW, Kadom N, Kansagra AP, Tridandapani S, Auffermann WF. Deep Learning in Radiology. Acad Radiol 2018;25:1472-80.
- Cao Z, Duan L, Yang G, Yue T, Chen Q. An experimental study on breast lesion detection and classification from ultrasound images using deep learning architectures. BMC Med Imaging 2019;19:51.
- Kim YJ, Choi Y, Hur SJ, Park KS, Kim HJ, Seo M, Lee MK, Jung SL, Jung CK. Deep convolutional neural network for classification of thyroid nodules on ultrasound: Comparison of the diagnostic performance with that of radiologists. Eur J Radiol 2022;152:110335.
- Cao J, Zhu Y, Tian X, Wang J. Tnc-Net: Automatic classification for thyroid nodules lesions using convolutional neural network. IEEE Access 2024;12:84567-8.
- Fredrikson M, Jha S, Ristenpart T, editors. Model inversion attacks that exploit confidence information and basic countermeasures. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security; 2015.
- Nasr M, Shokri R, Houmansadr A, editors. Comprehensive Privacy Analysis of Deep Learning: Passive and Active White-box Inference Attacks against Centralized and Federated Learning. 2019 IEEE Symposium on Security and Privacy (SP); 2019 19-23 May 2019.
- Yin M. Research on medical image classification method based on differential privacy [Master]. Henan University; 2024.
- Shokri R, Stronati M, Song C, Shmatikov V, editors. Membership Inference Attacks Against Machine Learning Models. 2017 IEEE Symposium on Security and Privacy (SP); 2017 22-26 May 2017.
- Al Hamid HA, Rahman SMM, Hossain MS, Almogren A, Alamri A. A security model for preserving the privacy of medical big data in a healthcare cloud using a fog computing facility with pairing-based cryptography. IEEE Access 2017;5:22313-28.
- Dwork C, McSherry F, Nissim K, Smith A, editors. Calibrating noise to sensitivity in private data analysis. Theory of Cryptography: Third Theory of Cryptography Conference, TCC 2006, New York, NY, USA, March 4-7, 2006. Proceedings 3; 2006: Springer.
- Adnan M, Kalra S, Cresswell JC, Taylor GW, Tizhoosh HR. Federated learning and differential privacy for medical image analysis. Sci Rep 2022;12:1953.
- Riaz H, Naqvi RA, Ellahi M, Usman MA, Usman MR, Jeong D, Lee SW. Robust Steganography Technique for Enhancing the Protection of Medical Records in Healthcare Informatics. IEEE J Biomed Health Inform 2025; Epub ahead of print.
- Abbas SR, Abbas Z, Zahir A, Lee SW. Federated Learning in Smart Healthcare: A Comprehensive Review on Privacy, Security, and Predictive Analytics with IoT Integration. Healthcare (Basel) 2024;12:2587.
- Wang N, Xiao X, Yang Y, Zhang Z, Gu Y, Yu G, editors. PrivSuper: A superset-first approach to frequent itemset mining under differential privacy. 2017 IEEE 33rd International Conference on Data Engineering (ICDE); 2017: IEEE.
- Gadotti A, Houssiau F, Annamalai MSMS, de Montjoye YA, editors. Pool Inference Attacks on Local Differential Privacy: Quantifying the Privacy Guarantees of Apple’s Count Mean Sketch in Practice. 31st USENIX Security Symposium (USENIX Security 22); 2022.
- Arachchige PCM, Bertok P, Khalil I, Liu D, Camtepe S, Atiquzzaman M. Local differential privacy for deep learning. IEEE Internet of Things Journal 2019;7:5827-42.
- Dwork C, editor. Differential privacy: A survey of results. International conference on theory and applications of models of computation; 2008: Springer.
- He K, Zhang X, Ren S, Sun J, editors. Deep residual learning for image recognition. Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition; 2016.
- Prasher S, Nelson L, Gomathi S, editors. Resnet 50 based classification model for skin cancer detection using Dermatoscopic images. 2023 3rd Asian Conference on Innovation in Technology (ASIANCON); 2023: IEEE.
- Yang X, Qu S, Wang Z, Li L, An X, Cong Z. The study on ultrasound image classification using a dual-branch model based on Resnet50 guided by U-net segmentation results. BMC Med Imaging 2024;24:314.
- Shin M, Peng Z, Kim HJ, Yoo SS, Yoon K. Multivariable-incorporating super-resolution residual network for transcranial focused ultrasound simulation. Comput Methods Programs Biomed 2023;237:107591.
- Jabeen K, Khan MA, Hamza A, Albarakati HM, Alsenan S, Tariq U, Ofori I. An EfficientNet integrated ResNet deep network and explainable AI for breast lesion classification from ultrasound images. CAAI Transactions on Intelligence Technology 2025;10:842-57.
- Saranya K, Swetha B, Nivetha C, Vijaya Harcini J, editors. Deep Learning-Based Breast Cancer Detection with EfficientNet-B0. 2025 International Conference on Inventive Computation Technologies (ICICT); 2025 23-25 April 2025.
- Chakravarthy S, Nagarajan B, Khan SB, Venkatesan VK, Ramakrishna MT, Musharraf AA, Aurungzeb K. Spatial Attention Integrated EfficientNet Architecture for Breast Cancer Classification with Explainable AI. Computers, Materials and Continua 2024;80:5029-45.
- Dosovitskiy A, Beyer L, Kolesnikov A, et al. An image is worth 16×16 words: transformers for image recognition at scale. Proceedings of the International Conference on Learning Representations (ICLR). 2021. Available online: https://openreview.net/forum?id=YicbFdNTTy
- Mousa TE, Zouari R, Baklouti M, editors. Vision Transformers with Efficient LoRA Finetuning for Breast Cancer Classification. 2024 IEEE/ACS 21st International Conference on Computer Systems and Applications (AICCSA); 2024 22-26 Oct. 2024.
- Ayana G, Choe SW. BUViTNet: Breast Ultrasound Detection via Vision Transformers. Diagnostics (Basel) 2022;12:2654.
- Community R. Malignant and benign object detection dataset. Roboflow Universal. Available online: https://universe.roboflow.com/yolo-ohenu/malignant-and-benign/dataset/5
- Bishop CM. Pattern recognition and machine learning (information science and statistics). New York: Springer; 2007.

