Novo Nordisk breach exposes clinical trial data, urges vigilance

Novo Nordisk says it suffered unauthorized access to clinical trial data tied to Ozempic and Wegovy, but it does not believe the incident poses immediate risks to trial participants. The breach involved information collected for trials—without direct identifie

Last week. Novo Nordisk told trial participants that it had suffered unauthorized access to clinical trial data connected to its diabetes and weight-loss drugs Ozempic and Wegovy. In a statement and in a letter to patients. the Danish pharmaceutical company said the incident doesn’t appear to pose any immediate risks to those taking part in its trials.

The company said the apparent breach involved patient information collected for clinical trials. That data included age, sex, health data and lifestyle factors. It also contained randomized patient IDs. Novo Nordisk said direct identifiers—such as patients’ names—were not affected.

“We therefore do not consider the incident to enable any third party to identify participants in our clinical trials. ” Novo Nordisk said in its announcement. The company added that. upon learning of the incident. it launched an investigation with the assistance of external cybersecurity experts and is in contact with the relevant authorities.

For trial participants, the message lands with a particular kind of relief—tempered by the knowledge that what was exposed still includes deeply personal details. Novo Nordisk urged patients to remain vigilant and report any unusual activity that could be related to their personal information.

The incident has also sparked questions about what a breach like this can mean in the real world. even when names aren’t exposed. Nathan Wenzler. a field chief information security officer at the cybersecurity company Optiv Security. said a breach of this nature is “absolutely a cause for concern.” He pointed to the sheer volume of cyberattacks. arguing that people shouldn’t judge impact by looking at a single incident in isolation.

Wenzler said criminals and nation-state actors have had years of breaches to build large databases of personal information. With additional data coming from new breaches. he said. attackers can correlate information to build a more detailed profile of a target. He warned that the more detail attackers can gather, the more sophisticated scams—such as phishing attempts—could become.

One hacker group, FulcrumSec, told the cybersecurity blog DataBreaches that it was behind the attack, but that claim has not been confirmed. Novo Nordisk has not said how many people’s data may be affected or how exactly the breach occurred.

Those unknowns weigh on an already large patient footprint. Novo Nordisk’s trials for Ozempic and Wegovy alone have included tens of thousands of participants, and the company manufactures dozens of medications for diabetes, obesity, hormone replacement therapy, and more.

For patients concerned about what might come next. Wenzler’s advice was pointed: stay alert to scam e-mails and phone calls. He recommended that patients do not click on any provided links. respond to e-mails or texts. or engage with phone calls connected to any suspected scam. If a message looks legitimate. he said patients should go directly to the organization’s website or call the organization directly—without interacting with links or phone numbers included in the scam message.

Novo Nordisk did not immediately respond to a request for comment.

The company’s internal response. as described in its communications. is now an investigation—carried out with external cybersecurity experts. with authorities involved. For trial participants. the central question may be whether “no immediate risks” remains true as investigators clarify what was accessed. how the breach happened. and what attackers could do with the information if they combine it with other data already in circulation.

Novo Nordisk Ozempic Wegovy data breach clinical trial data cybersecurity patient IDs FulcrumSec Optiv Security phishing trial participants