Sara M. Goldstein

She | Her | Hers

Partner

Philadelphia
T +1 215.564.1572
F +1 215.568.3439

Overview

Named a 2021 "Rising Star" by Law360 and a 2021 "Lawyer on the Fast Track" by The Pennsylvania Legal Intelligencer, Sara Goldstein has advised hundreds of clients from a variety of industries on responding to cybersecurity and data privacy incidents, including several of the largest data breaches to date.

Sara has led BakerHostetler’s response to several large, high-profile data security incidents, including one incident at a cloud software company that involved the data of several hundred firm clients. As the leader of these matters, Sara developed the strategy for the incident response process, oversaw the team of attorneys working directly with clients, and created processes and protocols for the attorney team to follow.

Prior to joining BakerHostetler, Sara was the vice president and general counsel of the nation’s second-largest provider of release of information and disclosure management services, where she was responsible for overseeing all of the company’s legal and compliance-related matters. This experience gives her a depth of knowledge regarding her clients’ needs, bringing a business-oriented perspective to her practice and allowing her to provide legal guidance that is realistic and practical for her clients.

Sara has authored a variety of articles on privacy and data security in publications such as Westlaw Journal Computer and Internet, Journal of the American Health Information Management Association, The Group Practice Journal, Compliance Today, RACMonitor.com, and Health Affairs. She has been invited to speak to organizations across the country about compliance with federal and state privacy laws and the incident response process. She also served as an adjunct professor of law at Drexel University, where she taught a course on the Health Insurance Portability and Accountability Act (HIPAA) and patient privacy.

Experience

  • Advises clients in the healthcare, retail, financial, higher education, and nonprofit sectors on responding to cybersecurity and data privacy incidents in the U.S. and abroad ranging from phishing incidents to sophisticated, state-sponsored network intrusions.
  • Leads investigations of data security incidents, including the selection and engagement of third-party forensic investigators and interactions with law enforcement.
  • Provides clients with guidance on federal, state, and international breach notification law requirements, as well as contractual notification obligations.
  • Drafts notification materials, including notification letters, press releases, website notices, internal client communications, and regulatory notices.
  • Oversees the post-breach response process, including the preparation of responses to questions from notice letter recipients, employees, customers, the media, and regulators.
  • Represents clients in post-breach investigations by the United States Department of Health and Human Services Office for Civil Rights, state insurance departments, state attorneys general (including multistate task forces), and other regulators arising from large and small data security incidents.
  • Drafts website and app privacy and terms of use policies.
  • Oversees the firm's response to a large, high-profile data security incident at a cloud software company that involved the data of several hundred firm clients.
  • Provides guidance on HIPAA, health information management, and privacy to healthcare providers across the country.
  • Conducts data security training and tabletop exercises for companies to help them develop their incident response plans.
  • Completed a secondment at one of the top cybersecurity insurance carriers in the world.
  • Provided on-site support and guidance to a large health insurer following the discovery of a data security incident involving the personal information of over 3 million individuals.
  • Drafted the regulatory notices for one of the largest data security incidents in history that involved the personal data of over 500 million individuals worldwide.
  • Served as vice president and general counsel for the second-largest provider of disclosure management and release of information services in the United States.
  • Developed comprehensive HIPAA privacy and security policies and procedures, business associate agreements, privacy notices, and training materials.
  • Drafted company policies and procedures.

Recognitions and Memberships

Recognitions

  • Law360: Cybersecurity and Privacy: Rising Star (2021)
  • The Pennsylvania Legal Intelligencer: Lawyers on the Fast Track (2021)

Memberships

  • International Association of Privacy Professionals
  • Association of Health Information Outsourcing Services

Community

  • Morris Arboretum of the University of Pennsylvania
  • Drexel University Thomas R. Kline School of Law
    • Co-op Supervisor
    • Adjunct Professor of Law
    • Guest Lecturer

Prior Positions

  • MRO Corporation: Vice President and General Counsel
    • General Counsel (2016 to 2017)
    • Privacy and Compliance Counsel (2015 to 2016)

Admissions

  • Pennsylvania
  • New Jersey

Education

  • J.D., Health Law, Drexel University Thomas R. Kline School of Law, 2011
  • B.A., Government and Italian, Smith College, 2008

Languages

  • Italian

Blog

Data Counsel
New Director of HHS Office for Civil Rights Announced: What could Lisa J. Pino's appointment mean for future HIPAA enforcement?
By Sara M. Goldstein
September 28, 2021
More than eight months into the Biden administration, the U.S. Department of Health & Human Services (HHS) announced the appointment of Lisa J. Pino as the new director of the Office for Civil Rights (OCR) on Sept. 27, 2021. As the new...
Data Counsel
Executive Order on Improving the Nation's Cybersecurity: What Does It Mean for Business?
By Sara M. Goldstein, Jessica S. Lowery
May 13, 2021
In response to recent highly publicized cybersecurity incidents, President Biden signed an Executive Order on May 12, 2021, that contains eight key initiatives aimed at modernizing the federal government’s response to cyberattacks...
Data Counsel
Court Finds HHS Had No Lawful Basis Under HIPAA for a $4.3 Million Civil Money Penalty: What Does This Mean for Future HHS Enforcement Actions?
By Jessica Captain Novick, Sara M. Goldstein, Lynn Sessions
January 27, 2021
The United States Court of Appeals for the Fifth Circuit recently found that the United States Department of Health and Human Services (HHS) lacked a lawful basis for a $4.3 million civil money penalty order that it issued to a healthcare...
Data Counsel
Compliance and Cybersecurity Best Practices Rewarded with HIPAA Safe Harbor
By Vimala Devassy, Sara M. Goldstein, Kyle R. Gregory
January 13, 2021
On January 5, 2021, H.R. 7898 was signed into law with little fanfare, thereby amending the Health Information Technology for Economic and Clinical Health Act.[1] As the healthcare industry continues to serve as one of the top targets for...
Data Counsel
CISA Updates Advisory on Large-Scale Impending and Credible Ransomware Threat to Healthcare to Include Additional IOCs
By Sara M. Goldstein, Aleksandra Vold
October 30, 2020
On Oct. 28, a joint cybersecurity advisory was published by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Department of Health & Human Services. The advisory warned of an imminent cybercrime threat to U.S...