WHAT HIPAA ACTUALLY COVERS
HIPAA, passed in 1996, regulates only 'covered entities' (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically for billing and similar standard transactions) plus the business associates that handle protected health information on their behalf. A consumer app that collects medical-looking data but neither treats patients, bills insurance, nor processes the data for a covered entity sits entirely outside the law.
THE CONSUMER-APP GAP
Fitness trackers, period apps, mental-health chatbots, and symptom loggers collect data more intimate than most doctor visits, and none of it is protected health information under federal law. The FTC's Health Breach Notification Rule fills part of the gap: it requires vendors of personal health records and related apps to disclose breaches, and since the rule's 2024 amendments a 'breach' includes sharing data with third parties without the user's authorization, not only a hack. It remains a notification rule rather than a use restriction: it does not limit what an app may sell once the user has authorized the disclosure.
WHY THE IMAGES HAVE A PRICE
AI training is the buyer. A labeled medical-image dataset of 150,000 samples would cost a startup hundreds of thousands of dollars to assemble through clinical partnerships and IRB review. Scraped consumer-app uploads bypass the consent, ethics review, and per-image labeling costs entirely.
THE EUROPEAN CONTRAST
Under the GDPR, health data is a 'special category' (Article 9): processing is prohibited unless a specific exemption applies, and for a consumer app the workable exemption is explicit consent tied to each stated purpose. Selling the data to a third party is a new purpose, so it would need a fresh, explicit consent rather than a clause buried in the terms of service. California's Confidentiality of Medical Information Act (CMIA) and Washington's My Health My Data Act (in force since 2024) are the closest US analogues, but each protects only that state's residents.
THE BANKRUPTCY LOOPHOLE
Even apps with strong privacy policies usually carve out an exception for 'transfer of assets' in a merger, sale, or bankruptcy. When 23andMe filed for Chapter 11 in 2025, the genetic profiles of roughly 15 million customers became estate assets that the court could authorize a buyer to acquire. The Bankruptcy Code's only safeguard is procedural: a sale that conflicts with the debtor's privacy policy needs court approval after a consumer privacy ombudsman weighs in (11 U.S.C. § 363(b)(1)), and any commitments the approved buyer makes bind only that buyer. Privacy promises do not survive a corporate death on their own.