Novo Nordisk Breach Exposes Clinical Trial and Healthcare Professional Data
Novo Nordisk disclosed a cyberattack in which attackers accessed a limited number of internal IT systems and copied non-public data tied to some clinical trial participants and healthcare professionals. The stolen clinical trial information included pseudonymized patient identifiers rather than direct identifiers such as names, but it still covered sensitive fields including trial participation details, sex or gender, year of birth, biomarkers, health or immunogenicity data, and lifestyle factors such as smoking status, alcohol use, and BMI.
The company said healthcare professional contact and registration details were also exposed, raising the risk of targeted phishing and impersonation attempts over email, phone, and WhatsApp. Novo Nordisk took affected internal systems offline as a precaution, brought in external cybersecurity experts to investigate, and said core business operations were not impacted, while the total number of affected individuals and the full scope of the breach remain under investigation.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Novo Nordisk notifies Danish regulators of breach
Novo Nordisk said it notified Danish regulators after discovering the intrusion into its internal IT infrastructure. The company also said it engaged external cybersecurity experts to investigate the incident.
FulcrumSec allegedly leaks Novo Nordisk data after extortion demand
A report said threat actor FulcrumSec leaked Novo Nordisk data after an alleged $2.5 million demand went unpaid. This represented a post-disclosure escalation tied to the previously disclosed cybersecurity incident.
Second actor reportedly claims Novo Nordisk hack and $50 million demand
DataBreaches reportedly received Signal messages from another person claiming they had also hacked Novo Nordisk and demanded $50 million. This introduced a separate extortion claim beyond FulcrumSec's previously reported $25 million demand.
FulcrumSec claims Novo Nordisk hack and describes alleged March intrusion
SecurityWeek reported that FulcrumSec claimed responsibility for the Novo Nordisk intrusion, alleging it first gained access in March via a GitHub access token and then used cloned repositories to locate additional credentials. The group claimed it stole about 1.3 TB of data, including intellectual property, and said it demanded a $25 million ransom before threatening to leak the data.
Novo Nordisk takes systems offline and starts incident response
As part of its response to the breach, Novo Nordisk took some internal systems offline as a precaution and engaged external cybersecurity experts to investigate. The company stated that core business operations were not affected and that the full scope of the incident was still under investigation.
Novo Nordisk discloses theft of clinical trial data
Novo Nordisk disclosed that attackers accessed a limited number of internal IT systems and copied non-public data related to some clinical trial participants and healthcare professionals. The company said the participant data was pseudonymized and did not include direct identifiers, but included sensitive health-related and trial information, while healthcare professional data created phishing and impersonation risks.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
22 references tracked. Mallory keeps watching after this page renders.
teiss - News - FulcrumSec hacker group leaked over 250 GB of data stolen from pharma giant Novo Nordisk
teiss.co.uk
Open sourceteiss - News - Cyber attack on pharma giant Novo Nordisk exposed clinical trial data
teiss.co.uk
Open sourceNovo Nordisk Breach Exposes Software Development Pipeline Risk
darkreading.com
Open sourceNovo Nordisk Data Breach - A Two-Layer Pharma Extortion Story - TheCyberThrone
thecyberthrone.in
Open sourceOzempic Drug Maker Loses Clinical Trial Data in Hack
bankinfosecurity.com
Open sourcePharma giant Novo Nordisk discloses breach of clinical trials data
bleepingcomputer.com
Open sourceNovo Nordisk says hackers stole clinical trial data
theregister.com
Open sourceIncident update
novonordisk.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Hackers Claim InfoDesk Breach Exposed Employee Data at Pharma and Financial Firms
A threat actor has claimed to have breached enterprise intelligence software provider **InfoDesk** and is offering the allegedly stolen data for sale on a dark web forum. Reporting indicates the sample data included five records from each of 18 organizations, along with InfoDesk records, and the actor claimed to hold as many as 1,000 records in total. The exposed information reportedly consists primarily of employee full names and corporate email addresses tied to major organizations, including firms in the pharmaceutical, healthcare, financial, consulting, and nonprofit sectors; Cybernews specifically said the data involved employees at companies such as **Moderna**, **Johnson & Johnson**, and **Bayer**. Researchers said the immediate danger is not large-scale identity theft but highly targeted phishing and social-engineering attacks. Because the records appear linked to a known enterprise vendor, attackers could use the contact details to craft convincing lures for credential theft, malware delivery, or follow-on business email compromise. The alleged incident adds to broader concerns over third-party supplier exposure, where compromises at service providers can create downstream risk for multiple corporate customers at once.
May 25, 2026
Tris Pharma Data Breach Involving Unauthorized Network Access
Tris Pharma experienced a data breach after detecting unauthorized activity on its network between September 24 and September 25, 2025. The breach, discovered on September 24, involved an unknown threat actor accessing specific systems, potentially exposing personal information such as names and other sensitive identifiers. The company has stated there is no current evidence of fraud or identity theft, but the investigation is ongoing, and law enforcement and regulators have been notified to mitigate further risks. The exposure of personal identifiers raises concerns about possible identity theft or targeted phishing attacks, as similar incidents in the pharmaceutical sector have led to such outcomes. Tris Pharma has not confirmed any misuse of the compromised data but is taking steps to address the incident and protect affected individuals. Customers and individuals associated with Tris Pharma are advised to remain vigilant for potential social engineering scams or financial fraud attempts resulting from this breach.
Mar 21, 2026
Synnovis Ransomware Breach Exposed Data of 32,927 Bedfordshire NHS Patients
Bedfordshire Hospitals NHS Foundation Trust said data relating to **32,927 patients** was identified in material stolen during the **Synnovis ransomware attack**, confirming that the incident extended beyond service disruption into a significant patient data breach. The compromised information was linked to pathology-related files dating from **2011 to 2020** and may include personal details and diagnostic test results. The trust issued a public notification tied to the Synnovis cyber incident and began informing affected individuals after determining that their records were present in data later published on dark web sites. The organizations involved said notification was delayed because the stolen material was fragmented across unstructured administrative pathology files, requiring lengthy forensic analysis to attribute ownership and assess impact. Security experts said the case highlights the long-tail risk of third-party attacks in NHS supply chains, warning that even partial or disjointed healthcare records can be combined by threat actors for phishing, fraud, and other identity-related abuse.
Jun 15, 2026