Novo Nordisk Cyber Attack: Patient Data & AI Confirms Hackers

Danish pharmaceutical giant Novo Nordisk has confirmed a cyberattack. Threat actors gained unauthorized access to the company’s internal IT systems, exfiltrating pseudonymized patient data from clinical trials. Additionally, the alleged attackers claim they stole a trove of proprietary AI model assets.

Novo Nordisk disclosed the incident on June 11, 2026, stating that attackers copied “certain non-public data, including personal data” from a limited number of its internal IT systems.

The company, globally recognized as the maker of the weight-loss drugs Ozempic and Wegovy, confirmed that the breach specifically affected patient information associated with some of its ongoing clinical trials.

Affected data categories include patient IDs (random alphanumeric strings), sex, year of birth, biomarkers, health and immunogenicity data, and lifestyle factors such as BMI, smoking, and alcohol use.

Critically, the company stressed that no names or direct personal identifiers were exposed. “Based on the nature of the exposed data as pseudonymized, knowledge of patient identity would require access to further information, which was not part of the incident,” Novo Nordisk said in its official statement.

The company does not consider the breach to pose immediate risks to patients, though it has urged affected individuals to remain vigilant.

Healthcare professionals (HCPs) were also impacted, with names, registration numbers, email addresses, phone numbers, WhatsApp details, and office locations exposed.

A threat group calling itself Dragonfly has come forward claiming responsibility and alleging a far deeper intrusion than what Novo Nordisk has publicly confirmed. According to screenshots shared by the group, the stolen data allegedly includes:

• A 16.7 GB trained AI model checkpoint (NovoPert — an internal multimodal model covering text, image, and transcriptomics)
• A 407 MB proprietary biological/chemical training dataset
• Full source code including modeling_novopert.py, train.py, and the complete training pipeline (~50 MB)
• 113 training runs with complete logs
• Internal infrastructure maps covering HPC, Slurm, and SSH configurations.
• 53 GB+ container images
• Developer identities, internal hostnames, and a private GitHub repository URL.

Novo Nordisk has not confirmed these claims, and no ransomware strain has been identified.

The company has temporarily taken the compromised IT systems offline and brought in external cybersecurity experts to assess the full scope of the breach. Relevant authorities have been notified, and Novo Nordisk is working to restore affected systems in a “controlled and safe manner”. Core business operations, including drug manufacturing and distribution, remain fully operational.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.