On 11 June 2026, Novo Nordisk disclosed an IT security incident involving unauthorised access to a limited number of its internal systems, during which attackers copied certain non-public data, including personal data. The breach affected two distinct groups, with markedly different exposure profiles, and underscores how health-sector organisations hold personal data of varying sensitivity across interconnected systems.

For clinical trial participants, the exposed information was pseudonymised: it included randomly generated patient ID numbers, details of trial participation, sex, year of birth, biomarkers, health and immunogenicity data, and lifestyle factors such as smoking status, alcohol use, and body mass index. Crucially, no names or direct identifiers were exposed, and Novo Nordisk has stated that re-identification would require access to additional information that was not part of the incident. For healthcare professionals, by contrast, the exposed data was directly identifying - including names, registration numbers, email addresses, phone numbers, WhatsApp details, and office locations.

The distinction matters for how the breach is assessed under the GDPR. Pseudonymised data remains personal data, and a breach involving it still requires assessment against the Article 33 notification threshold - but the residual risk to individuals turns on how readily re-identification could occur. Where, as here, the keys to re-identification are held separately and were not compromised, the risk profile for those data subjects is lower than for the healthcare professionals whose contact details were taken directly. This is the same pseudonymisation-as-safeguard principle that regulators have emphasised in recent enforcement: pseudonymisation reduces risk and is a recognised security measure, but it does not remove data from the scope of the GDPR.
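To make the separated-keys point concrete, the following Python sketch is an added illustration, not code from Novo Nordisk or any regulator. It models a trial dataset and a healthcare-professional dataset with constructed sample records, replaces direct identifiers with randomly generated patient IDs, keeps the ID-to-identity mapping in a separate store, and classifies a dataset copy by whether it still carries direct identifiers. The field names, `DIRECT_IDENTIFIERS` set and `classify_exposure` helper are assumptions for the example.

```python
import secrets

# Constructed sample records: the values are invented for this example.
TRIAL_RECORDS = [
    {"name": "Alice Example", "national_id": "X-0001", "sex": "F",
     "birth_year": 1978, "bmi": 27.4, "smoker": False},
    {"name": "Bob Example", "national_id": "X-0002", "sex": "M",
     "birth_year": 1965, "bmi": 31.0, "smoker": True},
]
HCP_RECORDS = [
    {"name": "Dr Carol Example", "registration_no": "REG-123",
     "email": "carol@example.invalid", "phone": "+00 000 0000"},
]

# Attributes treated as direct identifiers (an assumption for the example).
DIRECT_IDENTIFIERS = {"name", "national_id", "registration_no", "email", "phone"}


def pseudonymise(records, key_store):
    """Return copies with direct identifiers replaced by a random patient ID.

    The mapping from patient ID back to identity is written only to
    key_store, which is meant to live in a separate system from the data.
    """
    out = []
    for rec in records:
        patient_id = secrets.token_hex(8)  # randomly generated, not derived from identity
        key_store[patient_id] = {k: v for k, v in rec.items() if k in DIRECT_IDENTIFIERS}
        out.append({"patient_id": patient_id,
                    **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return out


def contains_direct_identifiers(dataset):
    """True if any record in the dataset still carries a direct identifier."""
    return any(k in DIRECT_IDENTIFIERS for rec in dataset for k in rec)


def classify_exposure(dataset):
    """Label a dataset copy the way a breach assessment would: the key
    question is whether identity can be read straight off the records."""
    return "directly identifying" if contains_direct_identifiers(dataset) else "pseudonymised"


def re_identify(pseudo_record, key_store):
    """Re-identification is only possible with the separately held key store."""
    identity = key_store.get(pseudo_record["patient_id"])
    if identity is None:
        raise LookupError("patient ID not in this key store; re-identification needs the separate mapping")
    return {**identity, **pseudo_record}


if __name__ == "__main__":
    keys = {}
    trial_copy = pseudonymise(TRIAL_RECORDS, keys)
    # An attacker who copies trial_copy but not `keys` gets the lower-risk category.
    print("trial dataset copy:", classify_exposure(trial_copy))
    print("HCP dataset copy:  ", classify_exposure(HCP_RECORDS))
    try:
        re_identify(trial_copy[0], {})
    except LookupError as e:
        print("without key store:", e)
    print("with key store:", re_identify(trial_copy[0], keys)["name"])
```

The design point is that the risk reduction comes entirely from where `keys` is stored and who can reach it; if the mapping were held in the same system as the pseudonymised records, a copy of that system would yield the "directly identifying" outcome for the trial participants as well.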

Novo Nordisk took several internal systems offline as a containment measure, engaged external cybersecurity experts, and notified the relevant authorities. The company has said its core business operations were not affected. The incident sits within a broader pattern of attacks on pharmaceutical and healthcare organisations, which hold large volumes of sensitive data and are attractive targets for extortion.

Acompli perspective: The Novo Nordisk incident is a clear illustration of why data classification matters before a breach occurs. The organisation could articulate precisely which data was pseudonymised, what would be required to re-identify it, and where the directly identifying records sat - and that clarity shapes both the notification assessment and the communication to those affected. Organisations handling health or other sensitive data should ensure their data mapping distinguishes between pseudonymised and directly identifying datasets, that their assessment processes account for the specific risks of each, and that their records of processing document the safeguards relied upon - so that, under the pressure of an incident, the risk assessment can be made quickly and defended convincingly.