Summary
- Novo Nordisk says unauthorised access affected a limited number of internal IT systems.
- The company says certain non-public data, including personal data, was copied externally without authorisation.
- Pseudonymised clinical trial participant data was affected, although Novo Nordisk says directly identifying information was not exposed.
Novo Nordisk has disclosed a cyber incident involving unauthorised access to a limited number of internal IT systems and the copying of certain non-public data, including personal data.
The Danish pharmaceutical group said it had launched an investigation with external cybersecurity experts and was in contact with relevant authorities. Some internal IT systems have been temporarily taken offline as part of the response, although the company said core business operations remain up and running.
Novo Nordisk’s incident update gives more detail on affected data than many early corporate cyber disclosures. The company said the incident affected a limited amount of information related to patients participating in some of its clinical trials.
The exposed clinical trial data was pseudonymised and not directly linked to patients by name or other direct identifiers, according to the company. Novo Nordisk said the affected categories may include patient IDs, trial participation information, sex, year of birth, biomarkers, health and immunogenicity data, and lifestyle factors such as smoking, alcohol use, and BMI.
Establishing a patient's identity would require access to the underlying identifying information, which Novo Nordisk said was not exposed. The company said it does not consider the incident to enable a third party to identify clinical trial participants, and said patients do not need to take specific action as a result. It still advised vigilance and provided a dedicated privacy contact for questions.
Several details remain unconfirmed. Novo Nordisk has not named an attacker, disclosed the initial access route, quantified the number of affected individuals, or said whether the incident touched manufacturing, research, supplier, or commercial systems. Its statement also does not identify the authorities contacted, which may include data protection or sector bodies depending on the jurisdictions and data involved.
The incident is significant because of the type of organisation and data involved. Novo Nordisk is one of Europe’s most important pharmaceutical companies, and cyber incidents affecting life sciences groups sit at the intersection of personal data, intellectual property, clinical research integrity, patient trust, and operational continuity.
Clinical trial data requires careful handling even where pseudonymisation reduces direct identification risk. Datasets containing health characteristics, biomarkers, treatment information, trial participation details, and demographic variables can remain sensitive, especially if combined with other information. Regulators and research partners will expect a clear understanding of what was accessed, how it was protected, and whether re-identification risk remains remote in practice.
Operational continuity is another part of the disclosure. Novo Nordisk said some internal systems were taken offline and would be brought back in a controlled and safe manner. The company’s statement that core operations continue is material, but investors, regulators, trial partners, and health authorities will watch for any later indication of disruption to research, supply, or regulated processes.
European life sciences businesses hold large volumes of sensitive information while operating across research platforms, clinical systems, manufacturing environments, suppliers, and regulated reporting channels. A contained IT incident can still create wider obligations if it touches trial evidence, health data, or systems linked to product development and supply.
Novo Nordisk’s next public updates will be judged on precision: how access was obtained, what data was copied, which jurisdictions are affected, what systems were taken offline, and whether any supplier or shared platform was involved.




