By Allison Proffitt 

June 23, 2026 | In mid-June Novo Nordisk announced, “an IT security incident involving unauthorized access to a limited number of internal IT systems” that exposed personal information for clinical trial participants.  

“This information is not directly linked to any patients by name or other direct identifiers. Information about identity would therefore require access to underlying information, identifying patients by name etc,” the company wrote on a page dedicated to the breach. This information was not exposed. We therefore do not consider the incident to enable any third party to identify participants in our clinical trials.”  

Novo Nordisk listed the exposed data categories as Patient ID (random alphanumeric string) and information on trial participation; sex; year of birth; biomarkers; health/immunogenicity data; and lifestyle factors including smoking, alcohol use, and BMI.  

“As part of our response, multiple security measures have been taken, including temporarily taking certain internal IT systems offline to protect our environment,” the pharma said in their statement. “We are working to bring the affected systems back online in a controlled and safe manner; however, we acknowledge this process takes time.” 

Claims and Claimants 

Novo Nordisk has not publicly commented on the incident since June 11, but DataBreaches.net has shared details since then reporting that there were two, likely separate, attacks on Novo Nordisk in early June and in both cases, Novo Nordisk declined to pay a data ransom.  

The hack-and-leak group known as FulcrumSec contacted DataBreaches on June 13 to claim responsibility for the first incident and DataBreaches reported that according to FulcrumSec, patient data came from the SELECT trial, FLOW trial, and ONWARDS trial. The hackers demanded $25 million and were not paid.  

DataBreaches also reported evidence of a second group claiming a distinct Novo Nordisk attack, this group demanding $50 million. The second group, TheUSERS007, told DataBreaches that they focused on acquiring AI assets that define Novo Nordisk’s future: 16.7 GB trained weights; full source code; SSH host keys (RSA, ED25519, ECDSA); 113 training configurations; 500MB proprietary dataset; internal IPs and hostnames; and important files.  

“Those specifics remain attacker-asserted and have not been confirmed by Novo Nordisk,” Matt Kimpel, CISO of cybersecurity firm Magna5, told Clinical Research News, “but they describe a shift the cybersecurity community is already seeing: threat actors moving past quick ransom payouts and pursuing research and development assets that have a long shelf life and multiple buyers. Stolen payment data can be canceled in a day. Scientific research and trial data cannot.”  

Neither Kimpel nor Magna5 is associated with Novo Nordisk, but Kimpel has been following the story closely. Magna5’s core cybersecurity work focuses on clinical laboratories, medical research facilities, biotech/biopharma, clinics, physician practices, diagnostic services, emergency medical services, etc. 

Kimpel went on to highlight the risks to research data integrity in such a breach. “In a clinical research environment, confidentiality matters, but the question of whether an intruder could have altered or manipulated trial data is equally important,” he said. “A breach that quietly affects research data is, in some ways, more damaging than one that simply exposes it.” 

Response and Recovery 

The clinical research pipeline is complex, with many groups handling sensitive data: trial sponsors, sites, contract research organizations, labs, imaging vendors, and eClinical platforms. “Attackers deliberately look for the weakest link in that chain,” Kimpel warned. That means cybersecurity is not just an IT function.  

“The Novo Nordisk incident illustrates how broad that exposure is,” he said. “The confirmed data loss [the FulcrumSec breach] was not limited to patient information. It also included contact and registration details for healthcare professionals, which Novo Nordisk itself has flagged as a phishing and impersonation risk. The attack surface in this sector is not just the trial database. It is every investigator, study coordinator, healthcare professional, vendor, and partner whose identity lives in the sponsor’s environment. When that data is taken, the downstream risk lands on the people who run the trials, not just on the sponsor that suffered the breach.” 

While prevention is ideal and must be pursued, Kimpel sees the bigger gap for most organizations in attack detection and response.  

“Leaders should assume an attacker may eventually get in and ask honest questions about what happens next: How quickly would we know? Could we contain it? Would we know what data was accessed or altered? Would our partners and healthcare professionals be alerted in time to defend themselves? The strongest programs are not the ones with the longest tool list. They are the ones that have invested in hardening, identity, detection, recovery, and a tested response plan, and that revisit those capabilities as the threat landscape changes,” he said.