Security

Clinical trial participant data stolen, but pharma giant says exposed records were pseudonymized

Pharmaceutical giant Novo Nordisk says data related to clinical trial participants was stolen as part of a cyberattack.

The affected patient data was pseudonymized and not directly linked to names or other direct identifiers, the company said.

The maker of the Wegovy weight-loss drug said the affected data types include patient ID, information on trial participation, gender, year of birth, biomarkers, health/immunogenicity data, and lifestyle factors including smoking status, alcohol use, and BMI.

"This information is not directly linked to any patients by name or other direct identifiers," the Novo Nordisk said on its dedicated page for the attack.

"Information about identity would therefore require access to underlying information, identifying patients by name etc. This information was not exposed. We therefore do not consider the incident to enable any third party to identify participants in our clinical trials."

The same statement confirmed that the attack affected a "limited number of internal IT systems," and the company said some systems have been taken offline as a precaution. 

Although it does not believe there is an immediate risk stemming from the breach, it nonetheless warned patients to remain vigilant for anything that could be connected to the data stolen during the attack.

A separate letter sent to the company's healthcare partners (HCPs) states that additional personal information may have been stolen and could lead to targeted phishing attempts.

Affected HCP data includes names and registration numbers, email addresses, phone numbers, WhatsApp details, and office locations.

"Based on the nature of the exposed data, the potential consequences of the incident include targeted phishing attempts through emails, phone, and WhatsApp, or fraudulent communications impersonating colleagues," Novo Nordisk said in the letter.

"We recommend that you remain vigilant against unexpected messages or calls and report any suspicious activity to us."

The pharma biz warned that it may take time to bring these systems back online, but it is working to do so "in a controlled and safe manner."

Elsewhere, it all sounds like standard practice. Outside experts were called in to help investigate, and Novo Nordisk has not yet confirmed the scale of the breach, nor will it until the experts have more time to assess the damage.

Novo Nordisk added that the attack has had no impact on its core business operations, which remain running as normal.

The attack was announced on what should have been a day of celebration for the company, whose flagship semaglutide weight-loss and diabetes pill received the green light to become the UK's first daily GLP-1 tablet hours earlier.

The Wegovy pill joins the list of approved weight-management treatments that act as agonists for the GLP-1 receptor. All the other approved treatments are injectables, including Wegovy and Ozempic, both of which are also developed by Novo Nordisk.

The Danish company employs roughly 67,900 people across 80 countries, and markets products in nearly every country globally. ®