www.it-connect.fr
Novo Nordisk Cyberattack Exposes Clinical Trial Data
Danish pharmaceutical giant Novo Nordisk has just disclosed a data breach. Attackers broke into its internal IT systems and copied information related to patients taking part in clinical trials, as well as data belonging to healthcare professionals. Here’s what we know so far.
Pseudonymized patient data, but still exfiltrated
Founded in 1923, Novo Nordisk now employs around 67,900 people across 80 offices worldwide. It is therefore a prime target for cybercriminals... And that is now a reality: in a statement published this Thursday, June 11, 2026, the Danish lab confirmed that attackers had accessed its internal IT systems.
Which data is affected? That is the question that always comes up when an intrusion is reported. In this case, the exfiltrated information concerns patients who took part in certain clinical trials, namely:
- Patient identifiers (random alphanumeric strings),
- Information related to trial participation,
- Sex and year of birth,
- Biomarkers as well as health and immunogenicity data,
- Lifestyle factors: smoking, alcohol consumption, and BMI.
"Although our investigation and response are still ongoing, we have discovered that certain non-public data, including personal data, was copied out without authorization. We are notifying the relevant parties as appropriate.", said Novo Nordisk.
When health data is involved, the impact can quickly become significant. However, in the case of the Novo Nordisk incident, there is good news: the data is pseudonymized. In other words, by itself, it does not allow the patients concerned to be identified by name.
"This information is not directly linked to patients by name or other direct identifiers. Identifying an individual would therefore require access to the underlying information identifying patients by name, etc. That information was not exposed. We therefore consider that this incident does not allow any third party to identify participants in our clinical trials.", the lab added.
Although the number of affected patients is said to be limited, Novo Nordisk did not specify how many in its press release.
Healthcare professionals exposed to phishing risk
Bad news, however, for healthcare professionals: they do not benefit from this pseudonymization. The data breach also affects caregivers, whose following information was exposed: names, registration numbers, email addresses, phone numbers, WhatsApp IDs, and practice addresses.
With this data in their hands, the attackers have everything they need to launch targeted phishing campaigns. These could take the form of targeted SMS or WhatsApp messages, and even phone calls.
The ongoing investigation should make it possible to determine how many caregivers were affected by this cyberattack. Even though Novo Nordisk's core operations were not impacted by the incident, the compromised systems have been taken offline.
An affair to keep an eye on, then...
