Health IT Very Bearish 9

1 TB of Novo Nordisk Data Stolen: 11,500 Clinical Trial Patients Exposed

· 4 min read · Verified by 2 sources ·
Share

Key Takeaways

  • A cyber extortion group claims to have stolen over a terabyte of data from pharmaceutical giant Novo Nordisk, including clinical trial data of 11,500 patients.
  • While some sensitive data is being withheld, the breach highlights critical vulnerabilities in healthcare data security and could trigger regulatory scrutiny under GDPR and other frameworks.

Mentioned

Novo Nordisk company NVO FulcrumSec organization Thomas Willkan person Lab-1 company

Key Intelligence

Key Facts

  1. 1FulcrumSec claims to have stolen more than 1 terabyte of data from Novo Nordisk after a two-month network intrusion.
  2. 2The stolen data includes source code, proprietary drug information (released and unreleased), clinical trial data, employee/physician/patient records, AI model details, and production facility operational technology.
  3. 3The group demanded a $25 million ransom payment, which Novo Nordisk refused; FulcrumSec is now exploring private sales of certain drug-related data.
  4. 4Novo Nordisk disclosed a cybersecurity incident on June 11, acknowledging unauthorized access to a limited number of internal IT systems and the exposure of some personal data.
  5. 5FulcrumSec says it will withhold data on 11,500 clinical trial patients, thousands of employees and physicians, and operational technology software as part of a harm-reduction policy.
  6. 6Thomas Willkan, head of research at Lab-1, stated FulcrumSec is “usually quite legit in terms of both their capabilities and also their claims,” lending credibility to the breach assertion.
Clinical Trial Patients Exposed
11,500

FulcrumSec claims to have stolen pseudonymised clinical trial data of 11,500 patients but says it will withhold this data as part of a harm-reduction strategy.

Who's Affected

Patients
groupNegative
Novo Nordisk
companyNegative
Health Regulators
organizationNegative
Clinical Trial Partners
organizationNegative

Analysis

For healthcare organizations, the breach of a pharmaceutical giant like Novo Nordisk is a stark reminder of the patient privacy risks inherent in digital transformation. With 11,500 pseudonymised clinical trial patients and employee and physician data now potentially compromised, the incident could have far-reaching consequences under GDPR and other health data regulations. The ripple effects may extend to trust erosion in clinical trials and heightened demand for stronger identity management in health IT systems.

A cyber extortion group known as FulcrumSec has publicly claimed to have stolen more than a terabyte of data from pharmaceutical giant Novo Nordisk, demanding $25 million in ransom. The group, which first appeared in October 2025 and has been described by security researchers as credible in both capabilities and claims, says it spent over two months inside Novo Nordisk’s networks exfiltrating a broad range of sensitive information. The stolen data reportedly includes company source code, proprietary details on released and unreleased drugs, clinical trial data, personal information on employees, physicians, and roughly 11,500 pseudonymised patients, as well as information about production facilities and internal AI models. After Novo Nordisk refused to pay, FulcrumSec said it is exploring private sales of certain drug-related data and may open-source the remainder as a deterrent tactic.

A cyber extortion group known as FulcrumSec has publicly claimed to have stolen more than a terabyte of data from pharmaceutical giant Novo Nordisk, demanding $25 million in ransom.

The incident first came to light when Novo Nordisk disclosed a cybersecurity breach on June 11 that it characterized as unauthorized access to a limited number of internal IT systems involving some personal data. FulcrumSec, however, paints a far more extensive picture. In a message posted on its site on June 16 and in subsequent email exchanges with Reuters, the group detailed a timeline that suggests initial contact was made with unnamed executives around June 1, with the company responding two days later via a Proton Mail address for verification. Novo Nordisk confirmed to Reuters that it is aware of the published claims and is coordinating with authorities, but would not comment further on the scale of the breach.

The implications for Novo Nordisk are severe. The company, best known for its blockbuster obesity and diabetes treatments, faces not only potential regulatory penalties under GDPR and other data protection laws but also the risk that proprietary research could fall into competitors’ hands. While FulcrumSec says it will withhold employee, physician, and patient data as part of a “harm-reduction strategy,” the release or sale of drug-related intellectual property could undermine years of R&D investment. Thomas Willkan, head of research at cybersecurity firm Lab-1, who has tracked FulcrumSec closely, noted that the group’s claims are usually legitimate, adding credibility to the threat.

From a broader sector perspective, this incident underscores the growing targeting of pharmaceutical companies by sophisticated cyber extortion groups. The stolen data categories—ranging from unreleased drug information to internal AI models—reflect an understanding of which assets hold the most value, both for ransom leverage and for potential resale. The two-month dwell time indicates careful planning and a high degree of network penetration, likely evading detection while systematically mapping and exfiltrating data. FulcrumSec’s public stance on harm reduction is a notable evolution in extortion tactics; by selectively withholding certain data, the group seeks to differentiate itself and possibly apply moral pressure while still maximizing profitability.

What to Watch

The theft of AI model information is particularly troubling given the pharmaceutical industry’s increasing reliance on machine learning for drug discovery and process optimization. If the exfiltrated models contain proprietary algorithms or training data, competitors or state-sponsored actors could gain a shortcut to Novo Nordisk’s innovations. Additionally, the inclusion of operational technology and software used to interact with sensors and machinery at production facilities raises the specter of industrial sabotage, though FulcrumSec has pledged not to release that data.

Looking ahead, the incident is likely to spur regulatory scrutiny and force a reevaluation of cybersecurity budgets across the pharma sector. With FulcrumSec still active and threatening to sell data privately, Novo Nordisk faces ongoing uncertainty. The market reaction—reflected in a modest decline in Novo Nordisk’s share price—suggests investors are weighing the potential long-term damage against the company’s robust fundamentals. How Novo handles the post-breach response, including its transparency with patients and partners, will be critical in shaping its reputation and legal exposure.

How we covered this story

Every story in our healthcare coverage is assembled from multiple primary sources, cross-referenced for factual consistency, and scored along three independent dimensions: sentiment, operational impact, and source-cluster confidence. Single-source rumors and unverifiable claims do not pass our editorial gate. When a story shows "Verified by N sources" with N≥2, the development is independently corroborated; when N=1, we mark it explicitly so readers can weigh the signal accordingly.

Impact scoring uses a 1-10 scale weighted toward regulatory, financial, and operational consequence rather than coverage volume. A topic that runs in every outlet but moves no real decisions ranks lower than a niche regulatory filing that reshapes how operators in the healthcare space have to behave. Read our full methodology for the scoring rubric, our glossary for term definitions, and our trends index for the longitudinal view across the beat.