by lazyasciiart 2448 days ago
I'm not sure how you would invoke HIPAA with no medical professionals involved. It doesn't just magically apply because you wrote down your own medical information.

There seems to be a widespread misconception that any information covered by HIPAA is always covered, when the reality is that it's only protected health information when held by covered entities. There also seems to be a lot of confusion about what's a violation: as far as I know only covered entities can be liable, not people they wrongly pass information on to.

Now, if a covered medical software company accidentally let a build with accessible PHI go to Microsoft, I guess it's possible they could be HIPAA liable. But that's a pretty narrow case, and not one that's a threat to Microsoft.

> not one that's a threat to Microsoft

Until the medical software company sues Microsoft for damages to recoup the HIPAA fine. This is probably buried in some clickwrap contract though. (IANAL; not sure how enforceable such a contract would be)

You could replace HIPAA with GDPR again, since almost any medical information about an identifiable individual will constitute sensitive personal data that requires the stronger protections under that law.

Microsoft might claim it's a Legitimate Interest (recital 49 might be useful here, though I'm not sure it applies).

I suppose it could claim that, but I suspect it would be a tough sell with the regulators if Microsoft is uploading large amounts of data the user probably didn't even know about and some of that data turned out to include sensitive personal data.

Are many folks compiling sensitive personal data into binaries?

Presumably most people don't compile that sort of data into executables, but the situation seems to be unclear about whether other types of file might also be uploaded through similar mechanisms, and there also seems to be something going on involving MS executing the files and allowing remote connectivity, so the issue still seems relevant.

I'm not sure the GDPR protections are invoked by you giving them personal data they didn't ask for, but it'd be an interesting case! (Seems like anyone could screw a company by putting their name+address in the comment field of an anonymous survey, etc.?)

If the data was uploaded deliberately through a system they operated, it is hard to see how they would be anything other than the data controller within the GDPR framework, unless maybe they actively tried to avoid collecting the personal data and it was supplied anyway. But it would be hard to argue that was the case if they were uploading data in ways the user of the computer in question probably wasn't even aware of.

(As an aside, if they are sweeping data on such a broad scale without being transparent about it and the only authorisation for doing so is buried deep in some legal document, it would be interesting to consider whether they were not only potentially in breach of GDPR but also various criminal computer misuse laws.)

I couldn't find any internet information on data not deliberately collected, so it's possible that nobody has figured out how GDPR applies (or I had the wrong search terms).