Attorney Karen Mandelbaum has deep experience in all aspects of systems security and data protection from her work as a privacy and cybersecurity official at the Centers for Medicare & Medicaid Services (CMS) and in the private sector.

Karen's work includes the following:

  • Guiding clients through complex and evolving privacy, cybersecurity, artificial intelligence, interoperability, digital health, telehealth, fraud and abuse, and other laws and regulations
  • Advising clients on all aspects of federal and state privacy and consumer data protection laws and regulations, including HIPAA, HITECH, and 42 CFR Part 2
  • Helping to design and develop effective data governance strategies that maximize value and encourage trust 
  • Advising on the development and implementation of cybersecurity and privacy programs, designing information system security and privacy policies, implementing and operationalizing privacy and security controls, and designing metrics to monitor program compliance
  • Helping clients to develop security and privacy incident reporting and breach notification plans and processes, respond to cyber incidents and data breaches, and mitigate the impacts of data loss
  • Advising clients on provider reimbursements, Medicare, Medicaid, Affordable Care Act programs, health reform, innovation, and value-based care models


Before joining Epstein Becker Green, Karen served as the Senior Advisor for Security & Privacy Policy and Governance to the Chief Information Officer, Chief Information Security Officer, and Senior Official for Privacy in the Office of Information Technology at CMS, where she was responsible for developing and implementing an integrated approach to CMS’s cybersecurity and privacy program. She was previously a Privacy Policy Subject Matter Expert at the Center for Consumer Information & Insurance Oversight (CCIIO), responsible for defining the scope of privacy requirements and the privacy policy program for the health insurance exchanges and the Federally-Facilitated Marketplace. Earlier in her career, she served as General Counsel and the Privacy and Security Officer of a national health care technology company and then was an attorney at a law firm in Minnesota, where she acted as outside counsel for small and mid-sized business clients on all health care-related privacy and compliance matters.

Karen received the 2018 CMS Administrator’s Honor Award for Execution of Major Projects in appreciation of her contributions to the New Medicare Card Initiative. She also received the 2017 Administrator’s Honor Award for Organizational Excellence in recognition of her contributions to developing the Website Notices for Healthcare.gov and Medicare.gov as part of the Office of Communications Marketing and Privacy Team.







  • Carlson School of Management (M.H.A., 2007)
  • William Mitchell College of Law (J.D., 2004)
  • University of Minnesota (B.A., 2000)


Board of Directors

  • Maryland/Israel Development Center (2023 to present)




