Last week Danish pharmaceutical company Novo Nordisk, the maker of the popular diabetes and weight-loss drugs Ozempic and Wegovy, revealed it had suffered a data breach involving “unauthorized access” to clinical trial data.
The company said in a statement and letter to patients that the incident doesn’t appear to pose “any immediate risks” to trial participants. The apparent hack exposed information about patients that was collected for clinical trials, and this information included age, sex, health data and lifestyle factors, as well as randomized patient IDs. “Direct identifiers,” such as patients’ names, were not affected, the company said.
“We therefore do not consider the incident to enable any third party to identify participants in our clinical trials,” the company stated in its announcement. “Upon learning of the incident, we launched an investigation with the assistance of external cybersecurity experts, and we are in contact with the relevant authorities.”
Still, Novo Nordisk urged patients to “remain vigilant” and report any unusual activity that could be related to their personal information. One hacker group, FulcrumSec, told cybersecurity blog DataBreaches that it was behind the attack, but that has not been confirmed.
“A data breach of this nature is absolutely a cause for concern,” says Nathan Wenzler, a field chief information security officer at the cybersecurity company Optiv Security. “In this day and age, after hundreds, if not thousands, of data breaches, big and small, no one should be looking at a single data breach in isolation when determining its impact.”
In other words, it’s not just the data that were accessed in this breach that may pose a danger to patients, Wenzler says. “Criminal and nation-state actors have had years of breaches to build massive databases of personal information and can correlate additional data from new breaches to build a more detailed profile of a target,” he says. And with greater detail about those possible targets, scams such as phishing attempts could get even more sophisticated.
It’s unclear how many people’s data may be affected or how, exactly, the breach occurred. Novo Nordisk’s trials for Ozempic and Wegovy alone have included tens of thousands of participants, and the company manufactures dozens of medications for diabetes, obesity, hormone replacement therapy, and more.
For patients who may be affected, Wenzler recommends staying alert to scam e-mails and phone calls. “It’s critical that patients do not click on any provided links, respond to these e-mails, text messages, or phone calls or otherwise engage with the scam attempt,” he says. “If a patient receives a message that looks legitimate, go directly to the organization’s website or call them directly without interacting with any links or phone numbers provided in the scam message.”
Novo Nordisk did not immediately respond to a request for comment from Scientific American.
Editor’s Note (6/16/26): This is a breaking news story and will be updated.

