Novo Nordisk, the Danish pharmaceutical company and maker of Ozempic, Wegovy, and other high-profile GLP-1 receptor agonist products, has disclosed a cybersecurity incident in which unauthorised actors gained access to company IT systems containing personal data of clinical trial participants. The breach was identified during routine security monitoring and disclosed in accordance with GDPR Article 33 requirements on 15 June 2026, with notification to the Danish Data Protection Authority (Datatilsynet) and relevant supervisory authorities in other affected jurisdictions.
The company confirmed that data systems associated with clinical research programmes were among those accessed, but stated that manufacturing systems, product safety databases, and patient pharmacovigilance systems were not affected.
What Was Exposed
Novo Nordisk's disclosure indicates that the accessed systems contained data associated with clinical trial participants enrolled in research studies for its diabetes and obesity treatment portfolio, which includes Ozempic (semaglutide injection), Wegovy (semaglutide 2.4mg), and related investigational compounds.
Clinical trial participant data at pharmaceutical companies typically includes:
- Personal identification data: names, dates of birth, national identity numbers or social security numbers (used for trial eligibility verification)
- Medical information: diagnosis, concomitant medications, adverse event reports, and protocol-mandated assessments, all of which constitute special category data under GDPR Article 9
- Contact information: residential addresses and telephone numbers used for trial follow-up and safety monitoring
- Genetic and biometric data where collected under trial protocols, which also qualifies as special category data
Novo Nordisk has not disclosed the total number of affected individuals or the specific trials involved, citing the ongoing investigation. The company stated that affected trial participants are being notified individually through the clinical trial site investigators responsible for their care.
Regulatory and Compliance Implications
Clinical trial participant data sits at the intersection of multiple regulatory frameworks, each with distinct obligations that go beyond standard GDPR breach notification:
ICH GCP E6(R3) (Good Clinical Practice guidelines) requires trial sponsors to maintain the confidentiality of trial participant identity and to notify affected parties and regulatory authorities when trial data is compromised. The European Medicines Agency (EMA) is separately notifying national competent authorities in EU member states where the affected trials were conducted.
EU Clinical Trials Regulation (EU/CTR 536/2014) requires sponsors to protect participant confidentiality and obliges them to report incidents affecting trial data integrity to the competent authority and ethics committee for each trial. Depending on the nature of the breach, competent authorities may require protocol amendments or additional safety monitoring for affected trials.
GDPR Article 9 obligations for special category health data are more stringent than for ordinary personal data: controllers must demonstrate specific lawful bases for processing and ensure enhanced security measures. A breach involving health data may attract higher maximum GDPR fines (4% of global annual turnover).
Why Clinical Trial Data Is Attractive to Threat Actors
The commercial value of clinical trial data extends beyond the individual privacy harm to affected participants. Novo Nordisk's GLP-1 portfolio, including Ozempic and Wegovy, represents one of the most commercially significant pharmaceutical product lines in history, with annual revenues exceeding $20 billion. Trial data for compounds in late-stage development contains:
- Efficacy and safety data that competitors could use to accelerate rival drug development programmes, reducing the timeline advantage that clinical investment delivers
- Participant recruitment and retention strategies for high-demand trials, which are operationally valuable for competing trial sponsors
- Adverse event data that, if disclosed selectively, could influence competitor regulatory submissions or investor perceptions of a product's safety profile
Nation-state pharmaceutical espionage, most recently documented in the Silk Typhoon campaign targeting COVID-19 vaccine research, remains an active threat, and high-value pharmaceutical research represents a persistent targeting priority for economic espionage actors.
Recommended Actions for Life Sciences Organisations
- Segment clinical trial data systems from general corporate IT infrastructure: trial participant data should reside in access-controlled environments with distinct identity boundaries from the rest of the enterprise directory
- Implement enhanced monitoring on systems holding ICH GCP-regulated data: anomalous bulk access or export activity on clinical data repositories should trigger immediate investigation rather than routine security review
- Review data retention and access policies for trial participant records: ICH GCP permits destruction of trial participant data after the study close-out period; organisations retaining data beyond this period increase their breach surface unnecessarily
- Maintain a current mapping of which clinical systems hold what categories of participant data: regulatory breach notification timelines require rapid assessment of scope; organisations without this mapping will be unable to meet 72-hour notification requirements
- Brief your ethics committees and clinical trial investigators: investigator responsibilities include informing participants of material changes to data handling, and they will need to support participant notification if they are the documented contact for enrolled participants
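The monitoring recommendation above (bulk access or export on clinical data repositories) can be sketched as a per-user baseline check. This is an added example, not from Novo Nordisk's disclosure or any vendor product; the audit-log format, account names, and thresholds are assumptions, and the log lines are constructed.

```python
import csv, io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit log (hypothetical format):
# timestamp, account, action, participant records touched
SAMPLE_LOG = """\
2026-06-01T09:10:00,coordinator_a,read,12
2026-06-01T14:30:00,coordinator_a,read,9
2026-06-02T10:05:00,coordinator_a,read,15
2026-06-02T11:20:00,svc_stats,export,400
2026-06-03T09:40:00,coordinator_a,read,11
2026-06-03T11:20:00,svc_stats,export,420
2026-06-04T02:13:00,coordinator_a,read,900
2026-06-04T02:41:00,coordinator_a,export,2500
2026-06-04T11:20:00,svc_stats,export,410
"""

def hourly_volume(log_text):
    """Sum participant records touched per (account, hour bucket)."""
    buckets = defaultdict(int)
    for ts, user, _action, count in csv.reader(io.StringIO(log_text)):
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
        buckets[(user, hour)] += int(count)
    return buckets

def find_bulk_access(log_text, factor=10, floor=500):
    """Flag hours where an account's volume reaches an absolute floor and
    exceeds `factor` times the median of its earlier, unflagged hours.
    Accounts with no history are flagged on the floor alone."""
    history = defaultdict(list)
    alerts = []
    ordered = sorted(hourly_volume(log_text).items(), key=lambda kv: kv[0][1])
    for (user, hour), total in ordered:
        baseline = median(history[user]) if history[user] else None
        if total >= floor and (baseline is None or total > factor * baseline):
            alerts.append((user, hour.isoformat(), total, baseline))
        else:
            history[user].append(total)  # only normal hours feed the baseline
    return alerts

if __name__ == "__main__":
    for alert in find_bulk_access(SAMPLE_LOG):
        print(alert)
```

Flagged hours are kept out of the baseline so that a sustained exfiltration cannot gradually normalise itself; the scheduled `svc_stats` export stays below the floor and is not flagged.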