Novo Nordisk discloses data breach impacting clinical trial participants

Danish pharmaceutical company Novo Nordisk disclosed an IT security incident involving unauthorized access to personal data stored on its internal IT systems pertaining to clinical trial participants. The company, which produces the popular GLP-1 drug Ozempic, said its operations were not impacted by the incident.

Upon discovery, Novo Nordisk said it immediately launched an investigation and engaged external cybersecurity experts. Internal IT systems were temporarily taken offline to protect the company's environment and will be brought back online in a controlled manner.

"While our investigation and response are ongoing, we have discovered that certain non-public data, including personal data, were copied externally without authorization," the company said in a press release. "We are informing the impacted parties as appropriate."

The categories of impacted information included patient IDs, sex, year of birth, biomarkers, health and immunogenicity data and lifestyle factors.

In a later update, Novo Nordisk clarified that the affected information is not "directly linked to any patients by name or other direct identifiers."

"We therefore do not consider the incident to enable any third party to identify participants in our clinical trials," the company stated.

Novo Nordisk said there was no need for patients to take any specific action as a result of the incident.

"We do, however, recommend that our patients remain vigilant and report to us if anything unusual is encountered that is believed could be linked to the incident," the company said.

Jill Hughes has covered health tech news since 2021. Her coverage areas include cybersecurity, HIPAA compliance, interoperability, AI and EHRs.