Novo Nordisk Discloses Clinical Trials Data Breach
Danish pharmaceutical giant Novo Nordisk, the world's largest producer of insulin, disclosed a data breach affecting patient information from some clinical trials. The company, founded in 1923, employs around 67,900 people across 80 offices worldwide and is the maker of viral GLP-1 receptor agonist drugs Wegovy and Ozempic.
The company revealed that attackers gained access to its internal IT systems and data related to patients participating in some clinical trials, including their patient IDs (random alphanumeric strings) and information on trial participation, sex, year of birth, biomarkers, health/immunogenicity data, and lifestyle factors (e.g., smoking, alcohol use, BMI). However, Novo Nordisk said that this data was pseudonymized and that the attackers can't use it to identify any affected patients by name.
Breach Details
Novo Nordisk stated,
While our investigation and response are ongoing, we have discovered that certain non-public data, including personal data, was copied externally without authorisation. We are informing the impacted parties as appropriate.The company emphasized that
This information is not directly linked to any patients by name or other direct identifiers. Information about identity would therefore require access to underlying information, identifying patients by name etc. This information was not exposed. We therefore do not consider the incident to enable any third party to identify participants in our clinical trials.
The data breach also affects an undisclosed number of healthcare professionals (HCPs), whose names, registration numbers, e-mail addresses, phone numbers, WhatsApp details, and office locations have been exposed. Novo Nordisk warned affected HCPs to be wary of unexpected messages or calls, as they may be targeted in phishing attacks via e-mail, phone, WhatsApp, or fraudulent messages impersonating their colleagues.
Response and Investigation
The company has taken the compromised internal IT systems offline but noted that its core business operations were not impacted. Novo Nordisk is now investigating the incident with the help of external cybersecurity experts to assess the full impact and scope of the breach. The company stated,
We are working to bring the affected systems back online in a controlled and safe manner; however, we acknowledge this process takes time. Our core business operations are not impacted and remain up and running.
Novo Nordisk has yet to disclose when the breach was detected and how many individuals had their personal and patient data exposed. When BleepingComputer reached out for more details on the attack, a Novo Nordisk spokesperson referred them back to the company's press release.
Security Measures
The breach highlights the importance of robust security measures to protect sensitive data. According to a Picus whitepaper, 54% of successful attacks are logged by security teams, while only 14% of alerts are triggered. The rest of the attacks move through the environment undetected, emphasizing the need for breach and attack simulation tests to ensure SIEM and EDR rules are effective in stopping threats.
- Related breaches include the Tchap messenger breach affecting over 73,000 French government employees.
- The 7-Eleven data breach claimed by the ShinyHunters gang.
- The GitHub repo breach linked to the TanStack npm supply-chain attack.
- The ADT data breach affecting 5.5 million people.
Source: BleepingComputer