Novo Nordisk Discloses Clinical Trials Data Breach

"While our investigation and response are ongoing, we have discovered that certain non-public data, including personal data, was copied externally without authorisation," Novo Nordisk said in a disclosure on Thursday.

What was exposed: clinical trial data and healthcare professional records

According to the company, attackers gained access to internal IT systems and data related to patients participating in some clinical trials. The information copied externally included patient IDs (described as random alphanumeric strings) and trial-related details such as participation status, sex, year of birth, biomarkers, health and immunogenicity data, and lifestyle factors including smoking, alcohol use, and body mass index (BMI). Novo Nordisk says this trial data was pseudonymized and "not directly linked to any patients by name or other direct identifiers."

The breach also affected an undisclosed number of healthcare professionals (HCPs). Exposed HCP data reportedly contains names, registration numbers, e-mail addresses, phone numbers, WhatsApp details, and office locations.

How Novo Nordisk responded and the operational posture

Upon detecting the incident, Novo Nordisk took the compromised internal IT systems offline, the company said, and engaged external cybersecurity experts to investigate and assess the full impact and scope. The company added that it is "working to bring the affected systems back online in a controlled and safe manner," while noting that its "core business operations are not impacted and remain up and running."

Novo Nordisk also stated, "This information is not directly linked to any patients by name or other direct identifiers. Information about identity would therefore require access to underlying information, identifying patients by name etc. This information was not exposed. We therefore do not consider the incident to enable any third party to identify participants in our clinical trials."

The company has not disclosed when the breach was detected or how many individuals had personal or patient data exposed. A Novo Nordisk spokesperson was not immediately available for comment when BleepingComputer reached out for more details on the attack.

Risks for healthcare professionals: phishing and impersonation

Novo Nordisk warned affected HCPs to be wary of unexpected messages or calls. The company said attackers may use the exposed HCP contact details in phishing attempts via e-mail, phone, or WhatsApp, or in fraudulent messages impersonating colleagues. The advisory centers on the possibility that attackers could use the exposed names, registration numbers, e-mail addresses, phone numbers and office locations to craft believable social-engineering lures.

What this means for patients in Novo Nordisk trials, healthcare professionals, and technologists

  • Patients in Novo Nordisk trials: The company emphasizes that the trial data copied was pseudonymized and not directly linked to names or other direct identifiers. Participants will need to monitor communications and any notifications from Novo Nordisk while the company completes its investigation.
  • Healthcare professionals: Those whose names and contact information were exposed should expect targeted phishing risk and should follow any guidance from Novo Nordisk about suspicious messages. The company explicitly warned HCPs to be cautious of unsolicited contact that could impersonate colleagues.
  • Technologists and incident responders: Novo Nordisk has engaged external cybersecurity experts and taken affected systems offline while restoring them "in a controlled and safe manner." Security teams involved in similar incidents will focus on containment, forensic analysis of the copied data, and validating that pseudonymization protections were sufficient to prevent re-identification without access to underlying identifiers.

Conclusion

Novo Nordisk, the Danish company founded in 1923 and described in its notice as the world's largest producer of insulin and the maker of GLP-1 drugs Wegovy and Ozempic, confirmed a breach that touched both clinical trial records and healthcare professional contact data. The firm says its core operations were not disrupted and that exposed trial datasets were pseudonymized and not directly identifiable by name. Key facts remain undisclosed by the company: the date the breach was discovered and the number of affected individuals. Novo Nordisk is investigating with external experts and informing impacted parties "as appropriate," while advising HCPs to watch for phishing and impersonation attempts as the company works to restore affected systems.

Source: BleepingComputer