Sara M. Goldstein

Associate

Philadelphia
T +1 215.564.1572
F +1 215.568.3439

Overview

Sara Goldstein focuses her practice on legal issues related to privacy and data protection. She has assisted clients from a variety of different industries with responding to hundreds of cybersecurity and data privacy incidents, including several of the largest data breaches in history. Sara has also prepared responses to regulatory inquiries from the Office for Civil Rights (OCR), state insurance departments, state attorneys general, and other regulators.

Prior to joining BakerHostetler, Sara was the vice president and general counsel of the nation’s second-largest provider of release of information and disclosure management services, where she was responsible for overseeing all of the company’s legal and compliance-related matters. This experience gives her a depth of knowledge regarding her clients’ needs, bringing a business-oriented perspective to her practice and allowing her to provide legal guidance that is realistic and practical for her clients.

Sara has authored a variety of articles on privacy and data security in publications such as Westlaw Journal Computer and Internet, Journal of the American Health Information Management Association, The Group Practice Journal, Compliance Today, RACMonitor.com, and Health Affairs. She has been invited to speak to organizations across the country about compliance with federal and state privacy laws and the incident response process. She is also an adjunct professor of law at Drexel University, where she teaches a course on the Health Insurance Portability and Accountability Act (HIPAA) and patient privacy.


Experience

  • Advises clients in the healthcare, retail, financial, higher education, and nonprofit sectors on cybersecurity and data privacy incidents in the U.S. and abroad ranging from phishing incidents to sophisticated, state-sponsored network intrusions.
  • Assists clients with investigations of data security incidents, including the selection and engagement of third-party forensic investigators and interactions with law enforcement.
  • Provides clients with guidance on federal, state, and international breach notification law requirements, as well as contractual notification obligations.
  • Drafts notification materials, including notification letters, press releases, website notices, internal client communications, and regulatory notices.
  • Coordinates the post-breach response process, including the preparation of responses to questions from notice letter recipients, employees, customers, the media, and regulators.
  • Represented clients in more than 50 post-breach investigations by the OCR, state insurance departments, state attorneys general (including a multistate task force), and other regulators arising from large and small data security incidents.
  • Drafts website and app privacy and terms of use policies.
  • Conducts data security training and tabletop exercises for companies to help them develop their incident response plans.
  • Secondment at one of the top cybersecurity insurance carriers in the world.
  • Provided on-site support and guidance to a large health insurer following the discovery of a data security incident involving the personal information of over 3 million individuals.
  • Assisted with the drafting of regulatory notices for one of the largest data security incidents in history that involved the personal data of over 500 million individuals worldwide.
  • Served as vice president and general counsel for the second-largest provider of disclosure management and release of information services in the United States.
  • Developed comprehensive HIPAA privacy and security policies and procedures, business associate agreements, privacy notices, and training materials.
  • Drafted company policies and procedures.
  • Provided guidance on HIPAA, health information management, and privacy to healthcare providers across the country.

Recognitions and Memberships

Memberships

  • International Association of Privacy Professionals
  • Association of Health Information Outsourcing Services

Community

  • Morris Arboretum of the University of Pennsylvania 
  • Drexel University Thomas R. Kline School of Law
    • Co-op Supervisor
    • Adjunct Professor of Law
    • Guest lecturer 

Prior Positions

  • MRO Corporation: Vice President and General Counsel 
    • General Counsel (2016 to 2017)
    • Privacy and Compliance Counsel (2015 to 2016)

Admissions

  • Pennsylvania
  • New Jersey

Education

  • J.D., Health Law, Drexel University Thomas R. Kline School of Law, 2011
  • B.A., Government and Italian, Smith College, 2008

Languages

  • Italian

Blog

In The Blogs

Data Privacy Monitor
New HHS Rules Give Patients ‘Unprecedented’ Digital Access to Their Own Health Data but May Put Privacy at Risk
By Stefanie L. Ferrari, Sara M. Goldstein
March 13, 2020
On Monday, the U.S. Department of Health and Human Services (HHS) issued what it calls “transformative” rules that will govern how healthcare providers, insurers and technology vendors must design their systems to give patients safe and...
Data Privacy Monitor
Federal Court Invalidates 2013 HIPAA Omnibus Rule Regulations and HHS Guidance on Fees for Copies of Medical Records
By Sara M. Goldstein, Alexandra Royal, Aleksandra Vold
January 31, 2020
In what is being seen as a strong rebuke to years of regulatory overreach, the United States District Court for the District of Columbia entered an order on January 23, 2020 that invalidates provisions of the 2013 Omnibus Rule to the...
Data Privacy Monitor
Settlement Reached Between Neiman Marcus and State Attorneys General for $1.5 Million for 2013 Payment Card Breach
By Sara M. Goldstein
January 18, 2019
Last week, the attorneys general (AGs) of 43 states and the District of Columbia announced they reached a $1.5 million settlement with Neiman Marcus Group LLC to resolve an investigation of a 2013 data breach that involved the payment card...
Data Privacy Monitor
A New Year Brings a New Vermont Law Aimed at Data Brokers and Credit Reporting Agencies
By Sara M. Goldstein
January 15, 2019
On Jan. 1, 2019, a new Vermont law intended to protect consumers by imposing new requirements on “data brokers,” companies that aggregate and sell consumer information, and credit reporting agencies took effect. Under the new law, data...
Data Privacy Monitor
New Mexico Attorney General Is Turning Up the Heat on Enforcement of Data Privacy Laws
By Sara M. Goldstein
September 18, 2018
With the announcement last week of its new lawsuit against several tech companies for violating Children’s Online Privacy Protection Act (“COPPA”), the FTC Act, and New Mexico’s Unfair Practices Act (“UPA”), the State of New Mexico Office...