Novo Nordisk Breach Involved ‘Copying’ of Patient, Healthcare Provider Info

A hack on Danish pharmaceutical manufacturer Novo Nordisk has affected some patient clinical trial data and healthcare provider information, according to the maker of popular weight loss and diabetes treatment drugs, including Wegovy and Ozempic.
Novo Nordisk said Thursday it “recently” discovered an IT security incident involving unauthorized access “to a limited number of internal IT systems.” The breach affected personal data stored on the company’s systems, including some information related to patients participating in various clinical trials.
Some of the affected “non-public” data was copied externally without authorization, the company said.
The pharmaceutical manufacturer didn’t identify the nature of the clinical trials or disclose the number of affected people, but said the compromised information didn’t include patient names or “other direct identifiers.”
Categories of potentially affected patient data included “random alphanumeric string” patient IDs, sex, year of birth, biomarkers, health and immunogenicity data, and lifestyle factors, such as smoking status, alcohol use and body mass index.
“Based on the nature of the exposed data as pseudonymized, knowledge of patient identity would require access to further information, which was not part of the incident. We therefore do not consider the incident to bear any immediate risks for our patients,” the company said.
“We do, however, recommend that our patients remain vigilant and report to us if anything unusual is encountered that is believed could be linked to the incident.”
Novo Nordisk is also notifying an undisclosed number of healthcare providers that their information was potentially affected in the incident. That includes name and registration number, email, phone number, WhatsApp details, and office location. “The exposure of your data does not necessarily include all categories,” the company said.
Novo Nordisk is working with forensics experts to investigate the incident. The company said it temporarily took certain internal systems offline as a precaution and is working to bring its affected IT systems back online.
“Our core business operations are not impacted and remain up and running,” the company said.
Novo Nordisk did not immediately respond to ISMG’s request for additional details about the incident.
The biggest concern in this incident so far “is the long-tail value of clinical trial data,” said Ross Filipek, CISO at IT services firm Corsica Technologies. “Even though the data was allegedly not tied to patient names, health-related data comes with different risks than ordinary consumer information. It can become more sensitive when it’s combined with other stolen data from outside sources.”
Another worry in such incidents is broken trust, Filipek said. “Clinical trials rely on confidence from patients, providers, regulators and research partners. Even a limited breach can create hesitation if people worry their health information was exposed or mishandled. If attackers had enough dwell time to alter data, not just copy it, the company would also need to look closely at data integrity.”
Filipek said the Novo Nordisk incident also underscores that attacks on pharmaceutical companies threaten critical research and related data beyond patient records. “If any intellectual property was exposed, the impact could move beyond privacy and into competitive harm. If active trial systems were affected, some work may need to pause while investigators confirm what was accessed and whether anything was altered,” he said.
