UPDATE: Novo Nordisk clarifies stolen-data scope — non-pseudonymised HCP data in play

UPDATE (originally covered 2026-06-13): Novo Nordisk published an incident update on 2026-06-15 clarifying the scope of the theft: clinical-trial data taken was pseudonymised (limited direct re-identification risk for trial subjects) (Novo Nordisk, 2026-06-15), but separately stolen healthcare-professional (HCP) data was non-pseudonymised — names, registration numbers and contact details (Security Affairs, 2026-06-15).

The non-pseudonymised HCP records bring the incident within GDPR Article 33 breach-notification obligations and raise targeted-phishing risk against named medical professionals (Security Affairs, 2026-06-15). Healthcare and pharma defenders should expect HCP-impersonation and credential-phishing lures referencing the breach.