Admittedly, he added, this was a fairly simple test. The facial recognition software only had to search through photos of 84 people, not thousands or millions.

But the fact that this was a straightforward test is “beside the point,” said Aaron Roth, computer scientist and privacy expert at the University of Pennsylvania.

“It is clear that eventually this will be a worrying attack ” on stored medical data, he said.

The more likely abuse may be even easier than the method tested by the Mayo researchers, Dr. Roth said. Imagine that a bad actor already knew that a particular person was a study subject, and perhaps had some information regarding age and gender.

Under those circumstances, it should be far less difficult to find that person’s M.R.I. than to start with the scan and discover the subject’s identity. The task is “unfortunately reasonably straightforward,” Dr. Schwarz said.

The privacy threat is real, said Dr. Michael Weiner of the University of California, San Francisco.

Dr. Weiner directs a national study called the Alzheimer’s Disease Neuroimaging Initiative, which has enrolled 2,400 healthy people in an effort to find signs of dementia before a person shows symptoms.

With the publication of the research by the Mayo Clinic, he said, the initiative’s administrators will send letters to participating research centers informing them of the potential for privacy breaches.

The data in the study are stripped of identifying information, like participants’ names and Social Security numbers, but their M.R.I. scans do include faces. The only privacy protection for subjects so far has been the fact that researchers who want to access data from the study have to sign agreements saying that they will not try to identify participants.