What Happened in the Novo Nordisk Data Breach?
Novo Nordisk, the Danish pharmaceutical giant behind Ozempic and Wegovy, has disclosed a data breach involving unauthorized access to some of its internal IT systems. The company identified an IT security incident in which an intruder gained access to a limited number of systems. As a result, certain non-public data, including personal data, was copied and removed without authorization.
The Novo Nordisk data breach affected two distinct groups of people connected to the company. Because the intrusion touched systems tied to clinical research and to professional communications, the exposed information varied depending on which group a person belonged to. However, the source material does not specify the exact method the attacker used to gain entry.
Novo Nordisk is working with external cybersecurity experts to investigate the incident. This investigation remains ongoing, and the company has not yet released a full account of how the breach occurred or when the unauthorized access first began. The company announced the incident through a notice posted on its website dated June 11, 2026.
Who was affected?
The breach affected two separate populations connected to Novo Nordisk’s operations. The first group includes patients enrolled in the company’s clinical trials. The second group includes healthcare professionals who interact with Novo Nordisk in a professional capacity, such as prescribers and researchers.
Novo Nordisk has not publicly disclosed the total number of individuals affected by this breach. As a result, it remains unclear how many patients and how many healthcare professionals were involved. In addition, the geographic scope of the affected population has not been specified, though Novo Nordisk operates globally and serves patients and professionals in many countries, including the United States.
Because clinical trial participants are included, this breach touches a population that trusted the company with sensitive health details for research purposes. Meanwhile, healthcare professionals affected by the incident may face a different kind of risk tied to their professional identity rather than their personal health.
What Information Was Potentially Exposed?
The categories of data exposed differ significantly between the two affected groups. For clinical trial patients, the exposed data was pseudonymized rather than directly identifying. For healthcare professionals, however, the exposed information was more directly tied to their real identities.
- Patient ID numbers (random alphanumeric strings)
- Clinical trial participation information
- Sex and year of birth
- Biomarkers and health data
- Immunogenicity data
- Lifestyle factors, including smoking status, alcohol use and body mass index
- Names of healthcare professionals
- Professional registration numbers
- Email addresses and phone numbers
- WhatsApp contact details
- Office locations
For patients, the pseudonymized nature of the exposed data reduces some risk. However, health and lifestyle information, even when not directly tied to a name, can still be sensitive. For example, biomarker and immunogenicity data reveal details about a person’s underlying health conditions. If this data were ever combined with other information, it could potentially be used to re-identify individuals.
For healthcare professionals, the risk looks different. Because their names, contact information and office locations were exposed, these individuals face a more direct threat. Fraudsters could use this information to impersonate colleagues, send convincing phishing emails, or place fraudulent phone calls. This means healthcare professionals should treat unexpected communications with heightened caution going forward.
What is the company doing?
Novo Nordisk responded to the breach by launching an investigation with the help of external cybersecurity experts. This investigation is still ongoing, and the company has committed to notifying affected individuals directly. Novo Nordisk is sending separate information letters tailored to each affected group, reflecting the different types of data exposed.
In its notifications, the company advised patients to remain vigilant and report anything unusual connected to the incident. Similarly, Novo Nordisk told healthcare professionals that no specific action is required at this time. However, the company urged this group to stay alert for unexpected messages or calls and to report any suspicious activity they encounter.
Notably, Novo Nordisk has not announced any credit monitoring or identity protection services as part of its response. Affected individuals with questions can contact the company through a dedicated privacy email address or reach out through local Novo Nordisk offices listed in the company’s contact directory.
What Should Affected Individuals Do?
Watch for Phishing and Impersonation Attempts
Because Novo Nordisk specifically warned about phishing risks, affected individuals should treat unexpected emails, phone calls and WhatsApp messages with suspicion. This is especially true for healthcare professionals whose contact details were exposed. Scammers often use stolen contact information to craft convincing messages that appear to come from trusted colleagues or organizations.
Before clicking links or sharing information, verify the sender through a separate, known communication channel. For instance, if you receive a suspicious message claiming to be from Novo Nordisk, contact the company directly using published contact information rather than replying to the message. This simple step can prevent many phishing attempts from succeeding.
Monitor Your Accounts and Credit Reports
Even though this breach did not expose Social Security numbers, affected individuals should still monitor their financial accounts and credit reports regularly. As a result, unusual account activity can be caught early. Consumers can request a free credit report from each major credit bureau annually.
In addition, setting up account alerts through banks and credit card issuers helps detect suspicious transactions quickly. If you notice any unfamiliar activity, report it to your financial institution immediately. Consistent monitoring remains one of the most effective ways to catch identity misuse early.
Understand the Risks Tied to Health Data Exposure
Patients whose clinical trial data was exposed should understand that, while pseudonymized, this information still includes health details. Because biomarker, immunogenicity and lifestyle data were involved, patients may want to stay alert for unusual contact referencing their trial participation. This is particularly important if any message asks for additional personal or medical information.
If you receive any communication that references your involvement in a Novo Nordisk clinical trial, treat it cautiously. Legitimate follow-up from a clinical trial sponsor typically will not ask you to confirm sensitive details over email or by phone. Therefore, verifying the source before responding is a reasonable precaution.
Consider Consulting a Data Breach Attorney
Given the scope of this incident, some affected individuals may want to understand their legal rights and options. A data breach attorney can help evaluate whether you qualify for compensation and explain any deadlines that may apply to your situation. Many attorneys offer a free case evaluation, so there is little downside to asking questions.
Because breach investigations often reveal new details over time, staying informed about updates from Novo Nordisk is also important. If additional information about the scope of the breach becomes available, it could affect your options going forward. Keeping records of any suspicious activity you experience can also support a potential claim later.
