The Danish pharmaceutical giant Novo Nordisk disclosed a cybersecurity breach that resulted in unauthorized access to internal IT systems and the theft of personal data. The company sells some of the most in-demand drugs on the planet right now, which makes it an obvious target. Attackers got in, copied data, and left.
The company’s incident page was updated in stages as the investigation progressed.
“Novo Nordisk A/S recently identified an IT security incident involving unauthorised access to a limited number of internal IT systems,” reads the notice published by the company. “The incident included unauthorised access to certain personal data stored on the internal IT systems.”
That’s the confirmation that this wasn’t just unauthorized access to systems; data actually left the building.
Two groups were affected: clinical trial patients and healthcare providers. For patients, the data is pseudonymized, which limits the immediate damage but doesn’t make it irrelevant.
The company was direct about what the exposed patient data doesn’t include.
“The incident affected a limited amount of information related to patients participating in some of our clinical trials. This information is not directly linked to any patients by name or other direct identifiers. Information about identity would therefore require access to underlying information, identifying patients by name etc.” continues the notice. “This information was not exposed. We therefore do not consider the incident to enable any third party to identify participants in our clinical trials.”
What was exposed includes randomly assigned patient IDs, trial participation details, sex, year of birth, biomarkers, health and immunogenicity data, and lifestyle factors like smoking, alcohol use, and BMI. Not all patients had all categories exposed.
The picture is different for healthcare providers. Their data is not pseudonymized. Names, registration numbers, email addresses, phone numbers, WhatsApp details, and office locations may have been compromised.
A doctor’s contact details are directly identifiable and immediately useful for phishing or social engineering, so that group has more to worry about than clinical trial participants.
No ransomware group or threat actor has publicly claimed responsibility, which means either that it was a quieter operation focused on data theft rather than extortion, or that a claim is still coming. Novo Nordisk brought in external cybersecurity experts, notified the relevant authorities, and took some internal systems temporarily offline as a containment measure.
“As part of our response, multiple security measures have been taken, including temporarily taking certain internal IT systems offline to protect our environment,” concludes the notice. “We are working to bring the affected systems back online in a controlled and safe manner; however, we acknowledge this process takes time.”
Patients are told they don’t need to take any specific action, but the company does recommend they stay alert and report anything unusual they believe could be connected to the incident. Questions can be directed to [email protected].