Cyber Incident Victim: Novo Nordisk
Date:
Jun 2026
Location:
Denmark
Summary
Novo Nordisk experienced a cyberattack that led to the exfiltration of data from its internal systems, including clinical trial and healthcare provider information. The exposed patient data consisted of deidentified identifiers, sex, biomarkers, health and immunogenicity details, and lifestyle factors such as BMI, smoking status, and alcohol use, while provider data included names, registration numbers, contact emails, phone numbers, office locations, and WhatsApp details. Because the patient information was pseudonymized, the company said individuals cannot be identified without additional data, and no immediate risk to patients was believed to exist; meanwhile, affected providers are being notified and advised to watch for phishing or social engineering attempts. Certain systems were taken offline as a precaution, but core business operations continued unaffected, and the forensic investigation remains ongoing with the total number of impacted individuals still undetermined.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Novo Nordisk, the Danish pharmaceutical company known for Ozempic and Wegovy, disclosed on June 11 2026 that a threat actor had gained access to a limited number of its internal systems and exfiltrated certain personal data stored there. The breach notice did not specify when the intrusion was detected or how long the attackers had maintained access, and the responsible threat group has not publicly claimed responsibility for the incident. The company stated that the forensic investigation and data review are ongoing and that it has not yet determined the total number of individuals affected by the compromise.
The exposed information primarily concerned patients who had participated in Novo Nordisk’s clinical trials; however, the data was deidentified and pseudonymized, meaning patient names were not included. Instead, the compromised patient data consisted of random alphanumeric ID numbers used to identify trial participants, along with sex, year of birth, biomarkers, health and immunogenicity data, and lifestyle factors such as BMI, smoking status, and alcohol usage. Because the data could not be linked to individual identities without additional information from another source, Novo Nordisk indicated that patients do not face any immediate risk and advised them to remain vigilant and to contact the company if they notice any suspicious activity that they believe may be related to the breach.
In addition to patient data, certain healthcare providers were affected, and the company is currently notifying them of the compromise. The information stolen from providers varies but may include the provider’s company name, registration number, contact email address, phone number, office location, and WhatsApp details. Since contact information was exposed, healthcare providers are potentially at increased risk of phishing or social engineering attacks and have been advised to remain vigilant. Upon detection of the attack, Novo Nordisk took certain affected systems offline as a precautionary measure while the incident was investigated and is working to restore those systems safely and securely. The company emphasized that the cyberattack has had no impact on its core business operations, which continue to operate normally.