It does not.
The Cloud Act was snuck through into US legislation on March 22, 2018. It gives US authorities the power to require US companies to divulge data stored on servers housed outside of the US without disclosure.
If sending PicSafe reports via email, no patient data ever travels through PicSafe's servers. A report is encrypted and attached to an email on the phone. The email is sent to the recipient and PicSafe does not ever see the data.
If sending via Text message or WhatsApp, PicSafe does have patient data travel through its servers (located in Toronto for Canadian users). PicSafe uses Amazon Web Services for hosting. However, the Cloud Act should not have a bearing on you. See the explanation below.
Just about anything online can be compromised given the motivation and skill. Data security is largely influenced by:
Security efforts focus on increasing the risk a perpetrator gets caught and increasing the required resources, time and skill. This is the same as the security of physical items. A bank vault can be compromised by a motivated perpetrator with the appropriate time, resources and skill. One wants to add security measures to make the cost/benefit tradeoff of a "hack" seem very much unattractive.
The Cloud Act certainly makes it uncomfortable to think that the US government can access personal data not even stored in the US, regardless of its justification being it is it to prevent criminal activity. That sounds scary until you look at it in context.
Regulators in Canada already trust US companies with patient data. Regarding being able to satisfy privacy regulations, the Cloud Act should not change anything.
PicSafe provides a level of security that far exceeds that using the default camera app and sending via SMS. PicSafe also provides a level of security that, we feel, far exceeds what is reasonably expected by regulations. Anyone claiming more than that is either lying or naive.