Novo Nordisk Data Breach Exposes Patient and Healthcare Professional Data

Novo Nordisk, a Danish multinational pharmaceutical company and one of the world's leading makers of diabetes and obesity medicines including Ozempic and Wegovy, has disclosed an IT security incident involving unauthorized access to some of its internal systems.

Novo Nordisk identified an IT security incident involving unauthorized access to a limited number of internal IT systems. During this unauthorized access, certain non-public data, including personal data, were copied and removed from the company's systems without authorization. The investigation, which is being conducted with the assistance of external cybersecurity experts, remains ongoing.

The breach affected two different groups of people, and the types of data exposed were different for each group.

For patients enrolled in Novo Nordisk's clinical trials, the exposed information was pseudonymized. The categories of exposed data included patient ID numbers (random alphanumeric strings), information about trial participation, sex, year of birth, biomarkers, health and immunogenicity data, and lifestyle factors such as smoking status, alcohol use and body mass index.

For healthcare professionals, the exposed data was more directly identifying. The categories of exposed data included names, registration numbers, email addresses, phone numbers, WhatsApp details and office locations. The company noted that the potential consequences of this exposure include targeted phishing attempts through emails, phone calls and WhatsApp messages, as well as fraudulent communications impersonating colleagues.

The company posted a notice on its website dated June 11, 2026, announcing the incident. Novo Nordisk has not publicly disclosed the total number of individuals affected by the breach.

Novo Nordisk's response to the breach

Novo Nordisk is notifying affected individuals through separate information letters tailored to each group. The company recommended that patients remain vigilant and report anything unusual that could be linked to the incident.

For healthcare professionals, the company similarly stated that no specific action is required but recommended remaining alert for unexpected messages or calls. The company urged healthcare professionals to report any suspicious activity.

Novo Nordisk did not announce any credit monitoring or identity protection services as part of its response.

Affected individuals can direct questions to privacy@novonordisk.com. People in different countries can also reach their local Novo Nordisk office through the company's local contact directory or its general contact page.