Novo Nordisk probes cyber breach involving clinical trial patient data

The most sensitive part of Novo Nordisk’s cyber incident was not just that someone got inside the company’s network, but that clinical-trial information was copied out of internal systems without permission. That puts patient trust at the center of the breach, because people who joined studies did so with the expectation that their personal data would be protected.

In an update on June 11 at 17.30 CEST, Novo said the incident involved unauthorized access to a limited number of internal IT systems and that certain personal data stored on those systems were involved. A patient letter said the data had been de-identified and did not include names or other direct identifiers, but did include year of birth, biomarkers and lifestyle factors. Novo said it launched an investigation with external cybersecurity experts, is in contact with relevant authorities and temporarily took some internal systems offline while it works to bring them back online in a controlled and safe manner.

The company said it does not consider the incident to pose any immediate risk to patients and that core business operations remain up and running. Even so, Novo told affected trial participants to remain vigilant and report anything unusual that might be linked to the incident. It also said it was informing impacted parties as appropriate, signaling that the scope of the review is still being mapped.

The breach lands at a delicate moment for Novo Nordisk, founded in 1923 and headquartered in Denmark. On June 7, the drugmaker said Wegovy pill prescriptions had surpassed 3 million, underscoring the intense attention on its obesity portfolio and the commercial stakes around its pipeline. For a company under that level of scrutiny, any compromise involving trial data can quickly become a question not only of privacy, but also of trial integrity, regulatory oversight and internal controls.

The episode also fits a broader healthcare pattern. A 2025 summary of U.S. healthcare breaches counted 772 incidents affecting 500 or more individuals and 139,721,832 people in total. For drugmakers running large clinical programs across multiple countries, the lesson is becoming harder to ignore: cybersecurity is now a core operational risk, not an IT side issue.