Danish pharmaceutical firm Novo Nordisk, the world’s largest producer of insulin, and maker of GLP-1 medications Wegovy and Ozempic, has disclosed a data breach. The following is from its press release of June 11, 2026:
Novo Nordisk A/S has identified an IT security incident involving unauthorised access to a limited number of internal IT systems. Upon learning of the incident, we launched an investigation with the assistance of external cybersecurity experts, and we are in contact with the relevant authorities.
As part of our response, multiple security measures have been taken, including temporarily taking certain internal IT systems offline to protect our environment. We are working to bring the affected systems back online in a controlled and safe manner; however, we acknowledge this process takes time.
Our core business operations are not impacted and remain up and running.
While our investigation and response are ongoing, we have discovered that certain non-public data, including personal data, were copied externally without authorisation. We are informing the impacted parties as appropriate.
Protecting the security and integrity of our systems and delivering reliable products and support to patients remain our highest priorities.
For more information about this incident, including privacy notifications, go to novonordisk.com.
Additional information on its website adds details about the data accessed:
The incident affected a limited amount of information related to patients participating in some of our clinical trials. This information is not directly linked to any patients by name or other direct identifiers. Information about identity would therefore require access to underlying information, identifying patients by name etc. This information was not exposed. We therefore do not consider the incident to enable any third party to identify participants in our clinical trials.
This communication serves as information only and there is no need for our patients to take any specific action as a result of the incident.
What data was involved
The involved categories of personal data about affected patients include the following:
- Patient ID (random alphanumeric string) and information on trial participation
- Sex
- Year of birth
- Biomarkers
- Health/immunogenicity data
- lifestyle factors, e.g. smoking, alcohol use, BMI
The exposure of your data does not necessarily include all categories listed above
What this means for our patients
Based on the nature of the exposed data as pseudonymized, knowledge of patient identity would require access to further information, which was not part of the incident. We therefore do not consider the incident to bear any immediate risks for our patients.
We do, however, recommend that our patients remain vigilant and report to us if anything unusual is encountered that is believed could be linked to the incident.
What we are doing
Following the incident, we launched an investigation with the assistance of cybersecurity experts and have taken steps to address the situation. As part of our response, multiple security measures have been taken, including temporarily taking certain internal IT systems offline to protect our environment. We are working to bring the affected systems back online in a controlled and safe manner; however, we acknowledge this process takes time.
Our core business operations are not impacted and remain up and running.
Protecting the security and integrity of our systems, including personal data of our employees, customers, patients and stakeholders, remain our highest priorities.
Any questions can be directed to privacy@novonordisk.com.
Downloads
Download the letter for patients regarding the Novo Nordisk IT incident
Download the letter for HCPs regarding the Novo Nordisk IT incident
