Home · Live brief · Daily brief 2026-06-13
Novo Nordisk discloses theft of clinical-trial and healthcare-professional data
Part of run 2026-06-13-40b26572 (intel · Claude Opus 4.8)
Danish pharmaceutical maker Novo Nordisk disclosed on 11 June that an external party gained unauthorised access to a limited number of internal IT systems and copied non-public data, including clinical-trial participant records and healthcare-professional (HCP) contact information (Novo Nordisk, 2026-06-11). The clinical-trial data is described as pseudonymised — random alphanumeric participant IDs plus sex, year of birth, biomarkers, immunogenicity and health data, and lifestyle factors — and not directly linked to names. The HCP data, however, is directly identifying: names, registration numbers, email addresses, phone numbers, WhatsApp contact details and office locations (BleepingComputer, 2026-06-12). The initial-access vector is not disclosed and no threat actor has been named; affected systems were taken offline and authorities engaged. As an EU-registered controller processing EU/EEA trial data, the breach engages GDPR Article 33 and Danish Datatilsynet notification, and Swiss equivalents under the nDSG for domestic trials.
Update chain
- updated by Novo Nordisk clarifies stolen-data scope — non-pseudonymised HCP data in play 2026-06-16
- updated by Novo Nordisk — FulcrumSec claims authorship, $25M demand refused, data offered for private sale 2026-06-17