Danish pharmaceutical giant Novo Nordisk — maker of the blockbuster weight-loss drugs Ozempic and Wegovy — has confirmed a significant cyberattack in which threat actors gained unauthorized access to internal IT systems, exfiltrating sensitive patient data from clinical trials and, according to the alleged attackers, a trove of proprietary artificial intelligence assets.
What Novo Nordisk Has Confirmed
The company disclosed the incident on June 11, 2026, confirming that attackers copied “certain non-public data, including personal data” from a limited number of internal IT systems. The breach specifically affected patient information associated with some of the company’s ongoing clinical trials.
Exposed patient data categories include:
- Patient IDs (random alphanumeric strings — not names)
- Sex and year of birth
- Biomarkers and immunogenicity data
- Health data and lifestyle factors including BMI, smoking status, and alcohol use
Critically, Novo Nordisk stressed that no names or direct personal identifiers were exposed. “Based on the nature of the exposed data as pseudonymized, knowledge of patient identity would require access to further information, which was not part of the incident,” the company said in its official statement. The company does not consider the breach to pose immediate risks to patients, though it has urged affected individuals to remain vigilant.
Healthcare professionals (HCPs) were also impacted, with names, registration numbers, email addresses, phone numbers, WhatsApp details, and office locations exposed.
Alleged Attacker Claims Far Deeper Intrusion
A threat group calling itself “Dragonfly” has come forward claiming responsibility, alleging a far deeper intrusion than what Novo Nordisk has publicly confirmed. According to screenshots shared by the group and amplified by threat intelligence accounts including vx-underground, the stolen data allegedly includes:
- A 16.7 GB trained AI model checkpoint — identified as NovoPert, described as an internal multimodal model covering text, image, and transcriptomics
- A 407 MB proprietary biological and chemical training dataset
- Full source code for the AI model, including modeling_novopert.py, train.py, and the complete training pipeline (approximately 50 MB)
- 113 training runs with complete logs
- Internal infrastructure maps covering HPC, Slurm, and SSH configurations
- 53 GB+ of container images
- Developer identities, internal hostnames, and a private GitHub repository URL
Novo Nordisk has not confirmed these specific claims, and no ransomware strain has been publicly identified in connection with the attack.
Response and Business Impact
Novo Nordisk has temporarily taken the compromised IT systems offline and brought in external cybersecurity experts to assess the full scope of the breach. Relevant authorities have been notified, and the company is working to restore affected systems in a “controlled and safe manner.” Core business operations — including drug manufacturing and distribution — remain fully operational.
Broader Implications for Healthcare and Pharma
This incident highlights an accelerating trend: threat actors are increasingly targeting pharmaceutical companies not just for patient data, but for proprietary AI and research assets. As pharmaceutical companies invest billions into AI-driven drug discovery and development, these intellectual property assets become high-value targets for both financially motivated cybercriminals and potentially state-sponsored actors.
The Novo Nordisk breach also underscores the sensitive intersection of clinical research data and cybersecurity. Even pseudonymized data carries significant re-identification risk when combined with other datasets, and the exposure of biomarkers and health indicators from clinical trial participants raises important privacy and regulatory concerns under frameworks like GDPR and HIPAA.
What Organizations Should Take Away
Pharmaceutical and healthcare organizations should review the security of systems holding clinical trial data, ensuring strong access controls, network segmentation, and comprehensive logging. AI model checkpoints and training datasets — often stored on HPC clusters or cloud infrastructure with less rigorous access controls than production systems — should be treated as critical assets requiring enterprise-grade protection. Insider threat programs and credential hygiene are equally critical given the sophistication of the initial access demonstrated in this attack.