Sara Goldstein

Pennsylvania’s Data Breach Notification Law Is Changing: What Does It Mean for Entities Doing Business in the Keystone State?

2023 is going to bring big changes to Pennsylvania’s Breach of Personal Information Notification Act. Although the revisions to the law do not go into effect until May 2, 2023, now is the time for Pennsylvania entities to ensure that they are in compliance before the effective date.…

Sounding the Alarm: New Federal Law Will Mandate the Reporting of Cybersecurity Incidents Involving Critical Infrastructure – What Companies Need to Do Now to Be Prepared

In response to increased and persistent cybersecurity threats to American infrastructure, Congress passed the Strengthening American Cybersecurity Act (SACA), which President Joe Biden signed into law on March 15. SACA is likely the first of many steps toward a federal privacy and breach notification framework. Included in SACA is the Cyber Incident Reporting for Critical …

New Director of HHS Office for Civil Rights Announced: What could Lisa J. Pino’s appointment mean for future HIPAA enforcement?

More than eight months into the Biden administration, the U.S. Department of Health & Human Services (HHS) announced the appointment of Lisa J. Pino as the new director of the Office for Civil Rights (OCR) on Sept. 27, 2021. As the new director of the OCR, Pino will be responsible for enforcing the Health Insurance …

Dramatic Increase in the Number of Third-Party Vendor Incidents Emphasizes the Need for Better Vendor Due Diligence Processes

As reflected in our 2021 Data Security Incident Response Report, 2020 saw a sharp spike in the number of incidents involving vendors, which amounted to over 25 percent of the total incidents handled in 2020, and the trend is continuing well into 2021. This spike resulted from companies’ increased reliance on vendors to carry out …

Executive Order on Improving the Nation’s Cybersecurity: What Does It Mean for Business?

In response to recent highly publicized cybersecurity incidents, President Biden signed an Executive Order on May 12, 2021, that contains eight key initiatives aimed at modernizing the federal government’s response to cyberattacks. Although the initiatives outlined in the Executive Order only apply to federal contractors (many of which already comply with agency-specific cybersecurity rules), all …

Court Finds HHS Had No Lawful Basis Under HIPAA for a $4.3 Million Civil Money Penalty: What Does This Mean for Future HHS Enforcement Actions?

The United States Court of Appeals for the Fifth Circuit recently found that the United States Department of Health and Human Services (HHS) lacked a lawful basis for a $4.3 million civil money penalty order that it issued to a healthcare provider for alleged violations of the Health Insurance Portability and Accountability Act of 1996 …

Compliance and Cybersecurity Best Practices Rewarded with HIPAA Safe Harbor

On January 5, 2021, H.R. 7898 was signed into law with little fanfare, thereby amending the Health Information Technology for Economic and Clinical Health Act.[1] As the healthcare industry continues to serve as one of the top targets for cybersecurity threat actors, the amendment creates a “HIPAA safe harbor” that should hopefully provide some much-needed relief to those …

CISA Updates Advisory on Large-Scale Impending and Credible Ransomware Threat to Healthcare to Include Additional IOCs

On Oct. 28, a joint cybersecurity advisory was published by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Department of Health & Human Services. The advisory warned of an imminent cybercrime threat to U.S. hospitals and healthcare providers – specifically that a large-scale ransomware attack may be on the very near horizon. BakerHostetler’s coverage …

Healthcare Providers Remain Targets for Ransomware Attacks in the Midst of COVID-19 Pandemic

Although it was widely reported that several ransomware threat actor groups have pledged to not target healthcare providers until the COVID-19 pandemic is over, BakerHostetler’s Digital Assets and Data Management Practice Group and Healthcare Privacy and Compliance team continue to see ransomware attacks launched against healthcare providers. In order to combat the COVID-19 pandemic, healthcare …

New HHS Rules Give Patients ‘Unprecedented’ Digital Access to Their Own Health Data but May Put Privacy at Risk

On Monday, the U.S. Department of Health and Human Services (HHS) issued what it calls “transformative” rules that will govern how healthcare providers, insurers and technology vendors must design their systems to give patients safe and secure access to their health data. Issued by two different agencies within HHS – the Office of the National …

Federal Court Invalidates 2013 HIPAA Omnibus Rule Regulations and HHS Guidance on Fees for Copies of Medical Records

In what is being seen as a strong rebuke to years of regulatory overreach, the United States District Court for the District of Columbia entered an order on January 23, 2020 that invalidates provisions of the 2013 Omnibus Rule to the Health Insurance Portability and Accountability Act (“HIPAA”) and 2016 guidance issued by United States …

Settlement Reached Between Neiman Marcus and State Attorneys General for $1.5 Million for 2013 Payment Card Breach

Last week, the attorneys general (AGs) of 43 states and the District of Columbia announced they reached a $1.5 million settlement with Neiman Marcus Group LLC to resolve an investigation of a 2013 data breach that involved the payment card information of thousands of customers. On Jan. 10, 2014, Neiman Marcus publicly announced that it …

A New Year Brings a New Vermont Law Aimed at Data Brokers and Credit Reporting Agencies

On Jan. 1, 2019, a new Vermont law intended to protect consumers by imposing new requirements on “data brokers,” companies that aggregate and sell consumer information, and credit reporting agencies took effect. Under the new law, data brokers must comply with registration, information security safeguards and reporting requirements, while credit reporting agencies are prohibited from …

New Mexico Attorney General Is Turning Up the Heat on Enforcement of Data Privacy Laws

With the announcement last week of its new lawsuit against several tech companies for violating the Children’s Online Privacy Protection Act (“COPPA”), the FTC Act, and New Mexico’s Unfair Practices Act (“UPA”), the State of New Mexico Office of the Attorney General appears to be the latest in an expanding list of state attorneys general who …

Is a New Federal Data Privacy Law on the Horizon? The Tech Industry Sure Hopes So

Despite several failed attempts in recent years, there is a new effort underway to enact a federal data privacy law, and it’s being led by a somewhat unlikely source – the tech industry. Although they were resistant to a federal privacy law in the past, powerful tech industry players now appear to be publicly embracing …

New Jersey Attorney General’s Office Ramping Up Data Privacy and Cybersecurity Enforcement Efforts

The Office of the New Jersey Attorney General (AG’s Office) recently announced that it will be creating a new civil enforcement unit, known as the Data Privacy & Cybersecurity Section (DPC Section), to investigate data breaches impacting New Jersey residents and to enforce federal and state data privacy and cybersecurity laws. New Jersey’s AG joins …

Last but Not Least: Alabama Enacts a Data Breach Notification Law With Strong Notification and Security Requirements

Several weeks ago, South Dakota and Alabama became the final two states to enact data breach notification laws. The Alabama Data Breach Notification Act of 2018 takes effect on May 1, 2018, and imposes information security, breach notification and data disposal requirements on organizations handling Alabama residents’ personal information. Alabama requires organizations to implement and …

South Dakota Becomes 49th State to Enact a Data Breach Notification Law

One of two remaining states without a data breach notification law has finally enacted one of its own. On March 21, 2018, South Dakota Governor Dennis Daugaard signed South Dakota Senate Bill 62 into law, creating the newest state data breach notification law, making Alabama the last holdout. South Dakota’s new statute, which will be …

Industry Watchdog Reminds Digital Advertisers of the Importance of Providing Consumers With Transparency and Choice in Latest Enforcement Actions

Two digital advertising companies, Adbrain and Exponential Interactive, were cited in recent decisions by the Better Business Bureau’s Online Interest-Based Advertising Accountability Program (OIBAAP) for not complying with the online advertising industry’s requirements for interest-based advertising (IBA), the practice of tracking users across time and services to build interest profiles on them in order to …