Novo Nordisk says some trial patient data copied in cyber incident

Novo Nordisk said an unauthorized party copied a limited amount of information from some of its clinical-trial participants after a June 11 security incident involving internal IT systems. The drugmaker said the exposed material was not directly linked to patients by name or other direct identifiers, but the episode still strikes at the core of a company that relies on patient trust, regulatory credibility and strict handling of highly sensitive research data.

The company said the potentially affected records could include patient ID, trial participation, sex, year of birth, biomarkers, health or immunogenicity data, and lifestyle factors such as smoking, alcohol use and body mass index. Novo Nordisk said the information was pseudonymized and that identifying a participant would require access to additional data that was not part of the incident. In its patient notice, updated June 11 at 17.30 CEST, the company said patients do not need to take any specific action, but should remain vigilant and report anything unusual.

Novo Nordisk said it launched a probe with external cybersecurity experts and notified the relevant authorities. It also temporarily took certain internal IT systems offline while it worked to restore them in a controlled and safe manner. Even so, the company said core business operations were not impacted and remained up and running, signaling an effort to contain the damage without slowing manufacturing, research or other essential functions.

For Novo Nordisk, founded in 1923 and headquartered in Bagsværd, Denmark, the stakes go beyond the immediate technical breach. The company is one of the world’s most prominent drugmakers, with high-profile diabetes and weight-loss products that have made it a household name and a prized target for criminals. A breach involving clinical-trial data can unsettle participants who agreed to share intimate health information under a promise of careful stewardship, and it can raise tougher questions for sponsors about whether de-identification is enough when datasets include biometrics, health markers and lifestyle details.

The timing also matters. The European Medicines Agency says the Clinical Trials Information System went live on January 31, 2022, giving the public access to information on EU and EEA clinical trials, while the Clinical Trials Regulation aims to combine transparency with participant safety. At the same time, the European Data Protection Board adopted a common breach-notification template on June 10, 2026, underscoring the pressure on companies to disclose incidents quickly and consistently. For a company whose business depends on confidence, the reputational test may linger well after the systems are back online.