Breaking Down the Novo Nordisk Data Breach

Danish pharmaceutical firm Novo Nordisk disclosed a data breach affecting clinical trial data and sent notification letters to the patients and healthcare providers (HCPs) involved. According to the statement, a threat actor gained access to a limited number of the company’s internal IT systems, and through them to certain personal data.
What Data Is Compromised?
Patient risk is somewhat reduced because the exfiltrated patient data was pseudonymized rather than tied to names: each record carries a random alphanumeric patient ID instead of a direct identifier.
“Pseudonymized clinical trial data can create a false sense of comfort, but it could have been worse,” comments John Bruggeman, vCISO at CBTS. “The risk is that with life sciences, the context around the data matters. Trial participation city or state, treatment area, demographics that were not anonymized, and research attributes can become sensitive when combined with other sources. Attackers do not need a complete patient profile to create harm. Thankfully, though, patient PII was not disclosed, so in today’s environment I’ll take that as a win.”
However, this does not mean the incident is free of risk.
Ross Filipek, CISO at Corsica Technologies, explains, “A breach involving clinical trial data creates a different kind of risk than a typical consumer data incident. Novo Nordisk says the exposed information was not tied directly to names, which is good. It also said no usable identifiers were obtained, which lowers the immediate risk. However, health data can still carry long-term value when it is combined with other stolen information. Even when an ePHI breach does not include patient names, attackers may try to reverse-engineer identities by pairing details like birth date, postal code, or gender with outside data sources.
“For patients, the immediate danger may be limited. The bigger concern is what happens later. Attackers can use partial medical details to build convincing phishing messages, impersonate trusted organizations, or pressure people with information that feels deeply personal. That is especially concerning in healthcare, where trust is already fragile.
“There is also a downstream business risk. Clinical trials depend on confidence from patients, providers, regulators, and research partners. Even a limited breach can create hesitation. If attackers had dwell time inside the environment, the concern shifts from data exposure to data integrity. A pharmaceutical or healthcare organization may need to determine whether research data was altered, whether regulatory obligations were triggered, and whether any intellectual property was exposed. Active trials could also face delays while the incident is investigated. Healthcare organizations need strong visibility into sensitive data, tighter access controls, and active monitoring before a contained incident becomes a broader trust problem.”
Affected patient data includes:
- Patient IDs (consisting of a random alphanumeric string)
- Trial participation information
- Sex
- Year of birth
- Lifestyle factors (BMI, smoking status, and similar)
- Biomarkers
- Health/immunogenicity data
Affected HCP data includes:
- Name and registration number
- Email address
- Phone number
- WhatsApp information
- Office location
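As an added example (not from the article, from Novo Nordisk, or from the quoted experts), the following Python script shows the linkage attack Filipek describes, run over records shaped like the patient fields listed above. It measures how many trial records share each combination of quasi-identifiers (the k-anonymity of the release), joins a constructed outside dataset on those same fields to recover a name for any record that is unique on both sides, and then shows that coarsening year of birth to a decade and suppressing the site removes every unique match. All records, names and locations are constructed; the "site" and "city" fields are assumptions, since the letter lists "trial participation information" without saying what it contains.

```python
from collections import defaultdict

# Constructed sample of pseudonymized trial records, shaped like the patient
# fields in the notification letter. Not real Novo Nordisk data; the "site"
# field is an assumption standing in for "trial participation information".
TRIAL_RECORDS = [
    {"patient_id": "q7Xk2p", "trial": "T-01", "site": "Aarhus", "sex": "F", "yob": 1971, "bmi": 31.2},
    {"patient_id": "m3Lr9v", "trial": "T-01", "site": "Aarhus", "sex": "F", "yob": 1971, "bmi": 27.8},
    {"patient_id": "a8Tz4w", "trial": "T-01", "site": "Aarhus", "sex": "M", "yob": 1964, "bmi": 29.0},
    {"patient_id": "c5Hn1d", "trial": "T-02", "site": "Odense", "sex": "M", "yob": 1964, "bmi": 33.5},
    {"patient_id": "z2Qf6s", "trial": "T-02", "site": "Odense", "sex": "F", "yob": 1985, "bmi": 25.1},
    {"patient_id": "p9Wb3k", "trial": "T-02", "site": "Odense", "sex": "F", "yob": 1985, "bmi": 30.4},
    {"patient_id": "h4Jd8m", "trial": "T-02", "site": "Odense", "sex": "F", "yob": 1982, "bmi": 28.3},
]

# Constructed "outside data source" (think: a scraped directory or an earlier
# leak) that carries names alongside the same quasi-identifiers.
EXTERNAL = [
    {"name": "Anne Jensen", "city": "Aarhus", "sex": "F", "yob": 1971},
    {"name": "Mette Holm", "city": "Aarhus", "sex": "F", "yob": 1971},
    {"name": "Lars Nielsen", "city": "Aarhus", "sex": "M", "yob": 1964},
    {"name": "Peter Sørensen", "city": "Odense", "sex": "M", "yob": 1964},
    {"name": "Henrik Kjær", "city": "Odense", "sex": "M", "yob": 1964},
    {"name": "Karen Madsen", "city": "Odense", "sex": "F", "yob": 1985},
    {"name": "Lone Kristensen", "city": "Odense", "sex": "F", "yob": 1985},
    {"name": "Birgitte Møller", "city": "Odense", "sex": "F", "yob": 1982},
]

# Quasi-identifiers: fields that are not identifying on their own but are in
# the breached data and are also observable elsewhere.
TRIAL_QIDS = ("site", "sex", "yob")
EXTERNAL_QIDS = ("city", "sex", "yob")


def equivalence_classes(rows, keys):
    """Group rows by their quasi-identifier tuple."""
    groups = defaultdict(list)
    for row in rows:
        groups[tuple(row[k] for k in keys)].append(row)
    return groups


def k_anonymity(rows, keys):
    """Size of the smallest equivalence class; k == 1 means some record is unique on its QIDs."""
    return min(len(group) for group in equivalence_classes(rows, keys).values())


def link(trial_rows, external_rows, trial_keys, external_keys):
    """Linkage attack: map patient_id -> name where both sides are unique on the QIDs.

    A record only counts as re-identified when exactly one trial record and
    exactly one external row share the quasi-identifier tuple; anything else
    is a guess, not a match.
    """
    trial_groups = equivalence_classes(trial_rows, trial_keys)
    external_groups = equivalence_classes(external_rows, external_keys)
    hits = {}
    for qid, members in trial_groups.items():
        candidates = external_groups.get(qid, [])
        if len(members) == 1 and len(candidates) == 1:
            hits[members[0]["patient_id"]] = candidates[0]["name"]
    return hits


def generalize(rows, location_key):
    """Coarsen a dataset: suppress location and bucket year of birth by decade."""
    out = []
    for row in rows:
        coarse = dict(row)
        coarse[location_key] = "*"
        coarse["yob"] = f"{(row['yob'] // 10) * 10}s"
        out.append(coarse)
    return out


def demo():
    """Return (k before, links before, k after, links after) generalization."""
    k_raw = k_anonymity(TRIAL_RECORDS, TRIAL_QIDS)
    hits_raw = link(TRIAL_RECORDS, EXTERNAL, TRIAL_QIDS, EXTERNAL_QIDS)
    # The attacker coarsens the external data the same way to keep the join valid.
    trial_gen = generalize(TRIAL_RECORDS, "site")
    external_gen = generalize(EXTERNAL, "city")
    k_gen = k_anonymity(trial_gen, TRIAL_QIDS)
    hits_gen = link(trial_gen, external_gen, TRIAL_QIDS, EXTERNAL_QIDS)
    return k_raw, hits_raw, k_gen, hits_gen


if __name__ == "__main__":
    k_raw, hits_raw, k_gen, hits_gen = demo()
    print(f"raw release: k={k_raw}, re-identified={hits_raw}")
    print(f"generalized release: k={k_gen}, re-identified={hits_gen}")
```

On the constructed data the raw release has k = 1 and two patients are re-identified outright (the Aarhus man born in 1964 and the Odense woman born in 1982), while the Odense man born in 1964 survives only because the outside source holds two candidates for him. The point for a breach response team is that the check is cheap: running the k-anonymity count over the actual stolen fields tells you which participants are unique on sex, year of birth and site, and therefore which ones a motivated attacker could name with a single outside dataset.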
While patients may be at somewhat lower risk than in other healthcare breaches, experts warn that the HCPs, whose names and direct contact details were taken, are exposed to targeted attacks.
Bruggeman states, “Attackers can use information stolen from Novo Nordisk to target the doctors helping to bring valuable medical research to drug makers. Now attackers can make a message feel credible, even professional, given the contact details that were compromised. Imagine a doctor involved getting a message from an attacker about a trial update that is in fact fake, or a request for documents, payments, or a medical portal password reset, when the attacker has enough context.”
Was This Breach Corporate Espionage?
“There are markers in this case which suggest the possibility of corporate espionage,” asserts Joseph Perry, Cybersecurity Researcher and Advanced Services Lead at Arcova. “Novo Nordisk’s intellectual property is fabulously valuable, the accessed patient information is related to ongoing clinical trials, and based on the patient letter and HCP letter it appears the threat actor’s purpose was data exfiltration (as opposed to, e.g., ransomware). Overall, based on available information, the incursion appears to be relatively limited and, at this point, contained. However, given that the discovery and containment appear to have happened after the external copying of data, there’s an open question as to whether this was contained before or after complete mission success.
“In general, this flows with a broadening trend in cybercrime. For years, we’ve discussed the commodification of certain attacker flows (e.g., the rise of Initial Access Brokers) and the move to platforms and monolithic providers. What that all boils down to, what we’re seeing, is the ongoing professionalization of cybercrime. We don’t have any evidence as to who the attacker was, nor do we have proof of their motivation. But if the hints we’re seeing in public disclosure pan out, and this does turn out to be an act of corporate espionage, that would be yet another example of cybercrime’s mainstreaming. The calculation is simple enough; if the risk of discovery is small relative to the potential profit, at least some unscrupulous folks will attempt to leverage cybercrime as a business tactic.”