Novo Nordisk A/S recently identified an IT security incident involving unauthorised access to a limited number of internal IT systems. The incident included unauthorised access to certain personal data stored on the internal IT systems.
As we place the highest priority on security and data protection, we provide the following information to patients participating in our clinical trials.
The incident affected a limited amount of information related to patients participating in some of our clinical trials. This information is not directly linked to any patients by name or other direct identifiers. Information about identity would therefore require access to underlying information, identifying patients by name etc. This information was not exposed. We therefore do not consider the incident to enable any third party to identify participants in our clinical trials.
This communication serves as information only and there is no need for our patients to take any specific action as a result of the incident.
The involved categories of personal data about affected patients include the following:
- Patient ID (random alphanumeric string) and information on trial participation
- Sex
- Year of birth
- Biomarkers
- Health/immunogenicity data
- lifestyle factors, e.g. smoking, alcohol use, BMI
The exposure of your data does not necessarily include all categories listed above
Based on the nature of the exposed data as pseudonymized, knowledge of patient identity would require access to further information, which was not part of the incident. We therefore do not consider the incident to bear any immediate risks for our patients.
We do, however, recommend that our patients remain vigilant and report to us if anything unusual is encountered that is believed could be linked to the incident.
Following the incident, we launched an investigation with the assistance of cybersecurity experts and have taken steps to address the situation. As part of our response, multiple security measures have been taken, including temporarily taking certain internal IT systems offline to protect our environment. We are working to bring the affected systems back online in a controlled and safe manner; however, we acknowledge this process takes time.
Our core business operations are not impacted and remain up and running.
Protecting the security and integrity of our systems, including personal data of our employees, customers, patients and stakeholders, remain our highest priorities.
Any questions can be directed to privacy@novonordisk.com.
- Novo Nordisk has identified an IT security incident involving unauthorised access to a limited number of internal IT systems.
- After learning of the incident, we launched an investigation with the assistance of external cybersecurity experts to address the incident and we are in contact with the relevant authorities.
- As part of our response, multiple security measures have been taken, including temporarily taking certain internal IT systems offline to protect our environment. We are working to bring the affected systems back online in a controlled and safe manner; however, we acknowledge this process takes time.
- Our core business operations are not impacted and remain up and running.
- Our investigation is ongoing.
- Novo Nordisk has identified an IT security incident involving unauthorised access to a limited number of internal IT systems.
- After learning of the incident, we launched an investigation with the assistance of external cybersecurity experts to address the incident, and we are in contact with the relevant authorities.
- While our investigation and response are ongoing, we have discovered that certain non-public data, including personal data, was copied externally without authorisation. We are informing the impacted parties as appropriate.
- While our investigation and response are ongoing, we have discovered that certain non-public data, including personal data, was copied externally without authorisation. We are informing the impacted parties as appropriate.
- Our investigation is ongoing.
- We will inform the impacted parties as appropriate.