Danish pharmaceutical giant Novo Nordisk, the world’s largest producer of insulin, disclosed a data breach affecting patient information from some clinical trials.
Founded in 1923, Novo Nordisk now employs around 67,900 people across 80 offices worldwide and is the maker of viral GLP-1 receptor agonist drugs Wegovy and Ozempic.
The company revealed on Thursday that attackers gained access to its internal IT systems and data related to patients participating in some clinical trials, including their patient IDs (random alphanumeric strings) and information on trial participation, sex, year of birth, biomarkers, health/immunogenicity data, and lifestyle factors (e.g., smoking, alcohol use, BMI).
However, Novo Nordisk said that this data was pseudonymized and that the attackers can’t use it to identify any affected patients by name.
“While our investigation and response are ongoing, we have discovered that certain non-public data, including personal data, was copied externally without authorisation. We are informing the impacted parties as appropriate,” the company said.
“This information is not directly linked to any patients by name or other direct identifiers. Information about identity would therefore require access to underlying information, identifying patients by name etc. This information was not exposed. We therefore do not consider the incident to enable any third party to identify participants in our clinical trials.”
The data breach also affects an undisclosed number of healthcare professionals (HCPs), whose names, registration numbers, e-mail addresses, phone numbers, WhatsApp details, and office locations have been exposed.
Novo Nordisk warned affected HCPs to be wary of unexpected messages or calls, as they may be targeted in phishing attacks via e-mail, phone, WhatsApp, or fraudulent messages impersonating their colleagues.
The company has taken the compromised internal IT systems offline but noted that its core business operations were not impacted. Novo Nordisk is now investigating the incident with the help of external cybersecurity experts to assess the full impact and scope of the breach.
“We are working to bring the affected systems back online in a controlled and safe manner; however, we acknowledge this process takes time. Our core business operations are not impacted and remain up and running,” Novo Nordisk added.
Novo Nordisk has yet to disclose when the breach was detected and how many individuals had their personal and patient data exposed.
When BleepingComputer reached out for more details on the attack, a Novo Nordisk spokesperson referred us back to the company’s press release.
Update June 12, 06:28 EDT: Added Novo Nordisk reply.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
