Security & privacy

Novo Nordisk discloses breach of clinical trial data affecting patients and healthcare professionals

At a glance:

  • Novo Nordisk disclosed a breach that exposed pseudonymized clinical‑trial patient data and personal details of healthcare professionals.
  • The attackers accessed internal IT systems, copying patient IDs, trial participation info, demographics, biomarkers, lifestyle factors, and HCPs’ names, contacts, and office locations.
  • Novo Nordisk says core business operations remain unaffected, has taken compromised systems offline, and is investigating with external cybersecurity experts.

What happened

On Thursday, Danish pharmaceutical giant Novo Nordisk - the world's largest producer of insulin and maker of the GLP-1 receptor agonist drugs Wegovy and Ozempic - announced that attackers had gained access to its internal IT systems and copied data related to patients enrolled in some clinical trials. The company, founded in 1923 and now employing roughly 67,900 people across 80 offices worldwide, said the exposed information included patient IDs (random alphanumeric strings), trial participation details, sex, year of birth, biomarkers, health/immunogenicity data, and lifestyle factors such as smoking, alcohol use, and body-mass index.

In a statement, Novo Nordisk emphasized that the data was pseudonymized, meaning the attackers cannot directly identify any trial participant by name. "While our investigation and response are ongoing, we have discovered that certain non-public data, including personal data, was copied externally without authorisation. We are informing the impacted parties as appropriate," the company said, adding that the information is not linked to any patients by name or other direct identifiers and therefore does not enable third parties to identify clinical-trial participants.

Impact on patients and healthcare professionals

Although the patient data is pseudonymized, the breach still reveals sensitive trial-related details that could be valuable to competitors or malicious actors seeking insights into Novo Nordisk's drug development pipeline. The exposed fields cover demographic and clinical readouts that, when combined with other datasets, might increase re-identification risk, though the company maintains that direct identification remains impossible without access to the underlying key.

The incident also disclosed personal information of an undisclosed number of healthcare professionals (HCPs). Their names, registration numbers, e-mail addresses, phone numbers, WhatsApp details, and office locations were exposed. Novo Nordisk warned these HCPs to be alert for unexpected messages or calls, noting that attackers could use the stolen data for phishing attempts via e-mail, phone, WhatsApp, or fraudulent messages impersonating colleagues.

Response and investigation

Upon discovering the breach, Novo Nordisk took the compromised internal IT systems offline while confirming that its core business operations - including manufacturing, sales, and distribution of Wegovy, Ozempic, and other products - were not impacted and remain fully operational. The company has engaged external cybersecurity experts to conduct a thorough forensic analysis, determine the full scope of the exfiltration, and recommend remediation steps.

Novo Nordisk stated that it is working to bring the affected systems back online in a controlled and safe manner, acknowledging that the process will take time. The firm has not yet disclosed when the breach was first detected or how many individuals had their personal and patient data exposed. An update posted on June 12 at 06:28 EDT noted that the company's press release had been shared with outlets such as BleepingComputer for further comment.

FAQ

What specific data was exposed in the Novo Nordisk breach?

The breach exposed patient IDs (random alphanumeric strings), trial participation details, sex, year of birth, biomarkers, health/immunogenicity data, and lifestyle factors such as smoking, alcohol use, and body-mass index. In addition, an undisclosed number of healthcare professionals had their names, registration numbers, e-mail addresses, phone numbers, WhatsApp details, and office locations leaked.

How is Novo Nordisk responding to the breach and what impact does it have on its operations?

Upon discovery, Novo Nordisk took the compromised internal IT systems offline while confirming that core business operations - including manufacturing, sales, and distribution of Wegovy, Ozempic, and other products - remain unaffected and fully operational. The company has enlisted external cybersecurity experts to conduct a forensic analysis, determine the full scope of the exfiltration, and recommend remediation steps. It is working to bring the affected systems back online in a controlled and safe manner, though it has not provided a timeline for restoration.

Why does Novo Nordisk say the breach does not allow identification of patients?

Novo Nordisk states that the exposed patient data was pseudonymized, meaning the attackers lack the key needed to re-identify individuals. The leaked information does not contain direct identifiers such as names, and the company emphasizes that identification would require access to the underlying identification key, which was not exposed. Consequently, the firm does not consider the incident to enable third parties to identify clinical-trial participants.
