Novo Nordisk Breach Exposes Clinical Trial Data and Healthcare Professional Details
Danish pharmaceutical giant Novo Nordisk disclosed a data breach that exposed pseudonymized patient data from clinical trials and personal information of healthcare professionals, though manufacturing remains unaffected.
Danish pharmaceutical giant Novo Nordisk, the world's largest producer of insulin and manufacturer of the blockbuster GLP-1 drugs Wegovy and Ozempic, disclosed a data breach on Thursday that compromised patient information from some clinical trials. The company, headquartered in Bagsværd, Denmark and employing approximately 67,900 people globally, revealed that attackers accessed internal IT systems and exfiltrated data related to patients enrolled in certain clinical studies.
The breach, which Novo Nordisk reported after discovering unauthorized access on May 28, 2026, exposed pseudonymized patient data including patient IDs (random alphanumeric identifiers), information on trial participation, sex, year of birth, biomarkers, health and immunogenicity data, and lifestyle factors such as smoking habits, alcohol use, and BMI. While the data is not directly tied to specific individuals by name, the company acknowledged in a statement that non-public personal data was copied without authorization.
In addition to patient trial data, the breach also affected an undisclosed number of healthcare professionals (HCPs). Their names, registration numbers, email addresses, phone numbers, WhatsApp details, and office locations were exposed. Novo Nordisk warned the impacted HCPs to be vigilant against potential targeted phishing attacks via email, phone, WhatsApp, or fraudulent messages impersonating colleagues — a common follow-on threat in breaches involving contact information.
The company emphasized that core business operations, including the manufacturing of insulin supplies and GLP-1 receptor agonist drugs, remained unaffected. Compromised internal IT systems were taken offline as a precaution, and the company is working with external cybersecurity experts to investigate the full scope of the incident. "We are working to bring the affected systems back online in a controlled and safe manner; however, we acknowledge this process takes time," Novo Nordisk stated in its press release.
Novo Nordisk has not yet disclosed the root cause of the breach, the total number of impacted individuals, or the identity of the threat actors involved. When BleepingComputer reached out for additional details, a company spokesperson referred back to the official press release. The investigation remains ongoing as the company assesses what other data may have been accessed.
This incident underscores the high-value target that clinical trial data represents for threat actors — it contains sensitive health information and holds significant competitive intelligence value for the pharmaceutical industry. Novo Nordisk's position as the dominant player in diabetes and obesity treatments, with a market capitalization exceeding $500 billion, amplifies the reputational and regulatory risks from such a breach. The company now faces potential scrutiny from data protection authorities under the European Union's General Data Protection Regulation (GDPR), which mandates breach notification within 72 hours and can impose fines of up to 4% of global annual turnover.