Novo Nordisk is investigating a cyber incident involving unauthorized access to internal IT systems, during which certain non-public clinical trial data was copied externally.

 

What happened

According to Reuters, the Danish pharmaceutical giant Novo Nordisk confirmed on June 11, 2026, that it had experienced a cybersecurity incident involving unauthorized access to parts of its internal IT systems. The breach led to certain data connected to clinical trials being copied externally without permission. The affected information relates to participants in ongoing or past clinical studies, particularly health and demographic data.

Novo Nordisk responded by launching an internal investigation, working with external cybersecurity experts, and notifying relevant authorities. Some internal systems were temporarily taken offline as a precaution, but core operations were not disrupted.

 

Going deeper

The breach primarily affects data from clinical trial environments rather than commercial or patient treatment systems. The exposed data may include patient ID, year of birth, sex, and health or immunogenicity data. Novo Nordisk stated that the dataset does not include direct identifiers such as names or contact details. The company also emphasized that its core business systems remain secure and that there is currently no evidence of immediate operational disruption or risk to patients.

 

What was said

In its breach notification, Novo Nordisk confirmed that it identified “unauthorised access to a limited number of internal IT systems,” and that “certain non-public data, including personal data, were copied externally without authorisation.” The company said the affected information relates to clinical trial participants and is still being assessed as part of an ongoing investigation. It added that the exposed dataset is not believed to contain direct identifiers such as names or contact details, meaning it would not easily allow individuals to be identified.

In response to the incident, Novo Nordisk said that “multiple security measures have been taken, including temporarily taking certain internal IT systems offline to protect our environment.”

The company emphasized that its core operations remain unaffected and continue to run normally, while cybersecurity specialists work alongside internal teams to contain and investigate the breach. It also confirmed that it is cooperating with relevant authorities and notifying impacted individuals where appropriate as the investigation continues.

 

The bigger picture

Clinical trial data capture detailed, structured records of patients’ medical conditions, treatments, and responses to investigational drugs. Even when datasets are “de-identified,” they can still contain rich combinations of demographic and clinical variables that may be vulnerable to re-identification when paired with other data sources. This makes clinical research databases a high-value target for cybercriminals. Unlike standard patient records used in routine care, trial data often includes early-stage drug information, efficacy signals, and commercially sensitive safety outcomes. In the wrong hands, this information can be exploited for competitive advantage, intellectual property theft, or targeted phishing attacks against research participants or investigators.

Breach risk is further elevated because clinical trials typically involve multiple stakeholders, including pharmaceutical companies, contract research organizations, academic institutions, and cloud-based data platforms. Each connection point increases the potential attack surface, particularly when legacy systems or third-party vendors are involved.

 

In other news

Similar to the Novo Nordisk cyber incident, in April 2026, Medtronic confirmed a cybersecurity breach involving unauthorized access to its corporate IT systems, following claims by the cybercrime group ShinyHunters that it exfiltrated internal company data. The medical device manufacturer said the incident affected “certain corporate IT systems,” while stressing that its core operations, including patient safety and product manufacturing, were not impacted.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

 

FAQS

Is “de-identified” data completely safe?

Not always. While de-identified data removes direct identifiers like names, it can sometimes still be re-identified if combined with other datasets, especially when it contains detailed health or demographic information.

 

Who is responsible for protecting sensitive data in a clinical trial?

The responsibility for protecting sensitive data in clinical trials is shared among multiple stakeholders, with the primary responsibility lying with the trial sponsor. Other parties involved in the trial are also tasked with adhering to strict protocols for managing participant data. Oversight from ethics committees and regulatory authorities further ensures adherence to standards for participant privacy and data protection.