top of page

Novo Nordisk Cyberattack: What Healthcare Leaders Should Know About Cyber Extortion

  • JV
  • 11 minutes ago
  • 8 min read

Novo Nordisk, the Danish pharmaceutical company behind Ozempic and Wegovy, is investigating a cyberattack involving clinical trial information and other sensitive company data.


The company confirmed that an unauthorized party accessed a limited number of internal IT systems and copied nonpublic information outside the organization. The affected data included information associated with some clinical trial participants.


A cyber extortion group called FulcrumSec has claimed responsibility. The group says it spent more than two months inside Novo Nordisk’s network, stole approximately 1.3 terabytes of data, and demanded $25 million.

The group also claims the stolen material includes proprietary drug research, source code, production information, employee and physician records, patient data, and internal artificial intelligence models. Novo Nordisk has not confirmed the full scope of those claims.


Novo Nordisk disclosed the incident on June 11, 2026. The company said its primary business operations continued during the response.


The continuation of Novo Nordisk’s primary business operations is an important sign of resilience during an active cyber incident. It shows that the company was able to keep serving patients, supporting research, and maintaining essential operations while its teams investigated unauthorized access.


Modern cyber extortion creates a difficult challenge because operational continuity and information protection must be managed at the same time. A company may keep its core systems running while investigators work to determine what information was accessed, how it may be used, and who may be affected.


Downtime is immediate and visible. The scope of copied information often takes longer to establish, which is why careful investigation, disciplined communication, and continued protection of patients, research, and business operations all matter.


There is what Novo Nordisk has confirmed, and then there is what the attacker claims. Then there is the question every healthcare and pharmaceutical leader should be asking:


What happens when an organization remains operational while an attacker holds the information that creates the greatest leverage?


What Happened in the Novo Nordisk Cyberattack?

According to FulcrumSec, the stolen material included:


  • Clinical trial data

  • Proprietary information about released and unreleased drugs

  • Source code

  • Employee and physician information

  • Patient information

  • Production-facility data

  • Internal AI material


The group also claims Novo Nordisk rejected a $25 million demand. If accurate, that decision would reflect the difficult but often sound judgment that paying an extortion demand can create additional legal, ethical, and security risks.


Payments may finance further criminal activity, encourage future attacks, and provide no guarantee that stolen information will be deleted, returned, or kept confidential. Depending on the recipient, payment may also raise sanctions or other legal concerns.


Novo Nordisk has confirmed unauthorized access and the copying of some information. It has not confirmed the broader scope described by the attacker.


That distinction is appropriate. Attackers have strong incentives to exaggerate their access, the sensitivity of the material, and the consequences of refusing payment.


An organization responding responsibly must verify the facts, protect affected people, coordinate with legal and security experts, and avoid amplifying unconfirmed claims while the investigation remains active.


Leadership must still make high-stakes decisions before investigators can provide complete answers. Rejecting an extortion demand can be part of a disciplined response that protects the organization, avoids rewarding criminal behavior, and reduces the likelihood of perpetuating the broader extortion economy.

What is Cyber Extortion?

Cyber extortion occurs when attackers use stolen information, disrupted systems, or threats of disclosure to pressure an organization into paying money or meeting another demand.


Earlier ransomware attacks frequently centered on encryption. Criminals locked systems and demanded payment for a decryption key. Modern extortion can unfold while systems remain available.


An attacker may quietly copy information and then threaten to publish it, sell it, contact affected people, approach journalists, or release selected files over time.


Why Pharmaceutical Cyberattacks Create Unusual Risk

A single pharmaceutical breach can touch patients, research pipelines, factories, regulators, and markets at once.


Pharmaceutical organizations may hold:

  • Drug research

  • Clinical trial results

  • Molecular and laboratory data

  • Manufacturing information

  • Regulatory submissions

  • Source code

  • Patient information

  • Employee records

  • Physician relationships

  • AI models

  • Internal communications

  • Strategic plans


One research file may contain years of proprietary work. One clinical trial dataset may create patient, legal, ethical, and reputational consequences at the same time.


One compromised identity may provide access to cloud platforms, research repositories, third-party systems, or internal development tools. A password can be changed. Confidential research cannot be made private again once it begins circulating.

Why Clinical Trial Data Requires Special Protection

Clinical trial participants make medical progress possible by sharing sensitive health information with researchers. Protecting that information requires coordination across a highly complex ecosystem that may include research sites, laboratories, technology providers, cloud platforms, regulatory bodies, and specialized partners.


Novo Nordisk said the affected trial information was pseudonymized and did not include names or other direct identifiers. That safeguard matters. Pseudonymization is designed to reduce the risk that information can be connected to a specific participant, and its use reflects the company’s effort to protect privacy within the research process.


Clinical trial records may still include details such as health conditions, treatment responses, age, sex, or biomarker information. Investigators must therefore examine any unauthorized access carefully, especially when attackers may attempt to combine stolen material with information obtained elsewhere.


Novo Nordisk’s response reflects the responsibility pharmaceutical organizations carry every day: supporting medical research while protecting the people who make that research possible.


That responsibility continues throughout the life of the data. Strong pharmaceutical cybersecurity helps preserve participant privacy, research integrity, and public confidence, even when sophisticated attackers deliberately target the systems and information that advance patient care.


What Healthcare and Pharmaceutical Leaders Should Do Now

An incident response plan can appear complete and still fail under pressure. The real test is whether leaders know who has decision authority, where the most sensitive information resides, which outside experts will be called, and how public claims will be verified.


The quality of the response depends on work completed before the attacker arrives. So, what should healthcare and pharma leaders do now?

Identify the data that would create the greatest leverage

Compliance classifications provide one way to measure sensitivity.


Leadership should also identify information that could create the greatest pressure if it were stolen, altered, sold, or released.


That may include clinical trial data, unreleased research, manufacturing information, executive communications, regulatory strategy, legal material, credentials, and proprietary AI models.


Attackers search for leverage. Organizations should identify it first.


Prepare for data theft without a shutdown

Cyber incident response plans should address:

  • Silent data theft

  • Extortion demands

  • Private-sale threats

  • Staged disclosures

  • Contact with patients or employees

  • Long-term misuse of stolen information


Understand where research information travels

Pharmaceutical data rarely remains inside one system.


It may move among laboratories, cloud providers, research partners, contract organizations, consultants, manufacturers, and regulators.


Leadership needs an accurate picture of where sensitive information resides, who can access it, and how quickly that access can be removed.


During an incident, an incomplete data map becomes an incomplete understanding of the risk.


Practice the executive decisions

Technical teams may know how to isolate systems, preserve evidence, and begin investigating an intrusion. Leadership must be prepared to coordinate the broader decisions that protect patients, employees, research, operations, and organizational trust.


Those decisions may involve:

  • Patient notification

  • Regulatory disclosure

  • Extortion demands

  • Law enforcement coordination

  • Business interruption

  • Legal exposure

  • Board communication

  • Public statements


A tailored tabletop exercise gives executives, legal counsel, communications teams, technical leaders, and operational stakeholders a safe environment to practice those decisions before they face the pressure of a real incident.


Fortalice tabletop exercises simulate realistic cyber events to test readiness, clarify decision authority, and improve communication and coordination across the organization.


Fortalice also offers defender tabletop exercises that stress-test technical incident response playbooks and help security teams move from documented procedures to live execution.


The goal is to identify unclear responsibilities, communication gaps, and escalation challenges while teams still have time to address them.


When an active cyberattack begins, leaders should already know who has authority, who must be involved, and how the organization will protect the people and operations depending on it.

Three Cyber Extortion Questions Leadership Should Answer Now

Before an extortion demand arrives, leadership should be able to answer three questions:


  1. Which information would give an attacker the greatest leverage over our organization?

  2. Who has authority to make legal, operational, communications, and payment-related decisions?

  3. Which outside cybersecurity, legal, and crisis experts are already approved and ready to act?


If the answers are unclear during ordinary operations, they will be harder to find under pressure.


The Leadership Lesson From the Novo Nordisk Cyberattack

The Novo Nordisk cyberattack remains under investigation. The distinction between the company’s confirmed findings and FulcrumSec’s broader claims may become clearer as the investigation continues.


One leadership lesson is already clear. Modern cyber extortion can create serious risk even when essential operations remain available. Novo Nordisk’s ability to continue serving patients, supporting research, and maintaining core business functions during the response reflects the resilience organizations need when confronting a sophisticated attack.


At the same time, leaders must assess concerns that may take longer to understand.

A patient may want reassurance that sensitive health information remains protected. A researcher may worry about the future use of years of scientific work.


Executives may need to make consequential decisions before investigators have established the full scope of the incident.


That is the human reality of a pharmaceutical cyberattack. It requires leaders to protect people, preserve research, sustain operations, and communicate responsibly at the same time.


Novo Nordisk’s response shows why preparation, operational resilience, and disciplined investigation matter. When an attacker creates uncertainty, strong organizations continue their mission while working carefully to protect the people and information entrusted to them.

Frequently Asked Questions About the Novo Nordisk Cyberattack

Was Novo Nordisk hacked?

Novo Nordisk confirmed that an unauthorized party accessed a limited number of internal IT systems and copied some nonpublic information outside the organization.


What data was exposed in the Novo Nordisk cyberattack?

Novo Nordisk confirmed that some information related to clinical trial participants was affected. Potential fields included patient identification numbers, year of birth, sex, and health or immunogenicity information.


FulcrumSec claims it stole a broader collection of data involving drug research, source code, employees, physicians, production facilities, patients, and internal AI material. Novo Nordisk has not confirmed that full scope.


Did hackers demand $25 million from Novo Nordisk?

FulcrumSec claims it demanded $25 million and later considered selling parts of the allegedly stolen information. Novo Nordisk has not publicly confirmed that demand.


Were Novo Nordisk clinical trial participants identified?

Novo Nordisk said the affected information did not include names or other direct identifiers. According to the company, identifying participants would require additional information outside the affected dataset.


What is healthcare cyber extortion?

Healthcare cyber extortion occurs when attackers use stolen information, system disruption, or threats of disclosure to pressure a healthcare or life-sciences organization.


An organization may restore or maintain its systems while still facing legal, personal, commercial, and reputational risk from copied information.


Why are pharmaceutical companies targeted by cybercriminals?

Pharmaceutical companies hold valuable research, clinical trial information, intellectual property, manufacturing details, source code, employee data, patient information, and strategic material.


Attackers may use that information for extortion, resale, fraud, espionage, or future attacks.


What should pharmaceutical leaders do after a data breach?

Leaders should contain unauthorized access, preserve evidence, identify the affected information, involve legal and cybersecurity experts, review reporting obligations, communicate carefully, and prepare for possible future misuse.


They should also distinguish verified findings from claims made by the attacker.


Would Your Leadership Team Be Ready for Cyber Extortion?

Would your leadership team know what to do if the systems were still running, but the information was already gone?


Fortalice helps healthcare, pharmaceutical, and other high-risk organizations prepare for that moment. Its team combines cyber incident response, technical investigation, executive advisory, and crisis preparation to help leaders act clearly when the facts are incomplete and the pressure is rising.


Start with three questions:


  1. Which information would give an attacker the greatest leverage?

  2. Has leadership practiced the decisions a cyber extortion event would require?

  3. Are outside cybersecurity, legal, and crisis experts already approved and ready?


If those answers are unclear, Fortalice can help identify the gaps, test the plan, and strengthen the response before an incident forces the issue. Because the worst time to discover a gap in your response plan is after an attacker already has the leverage. 

About Fortalice Solutions

Fortalice is a cybersecurity firm specializing in cyber incident response, cyber risk management, and cybersecurity for executives, chosen by leaders who need elite, discreet support when cyber incidents threaten operations, reputation, and leadership credibility.


Founded by former White House CIO Theresa Payton, who served in a position defined by trust, discretion, and decision-making at the highest levels, Fortalice brings national-level experience and seasoned judgment to high-pressure, time-sensitive situations where decisions cannot wait and mistakes are costly.


The firm integrates cyber advisory, cyber incident response, technical testing, executive digital protection, and training into a unified approach shaped by real-world incidents and human decision-making, delivering clear, actionable guidance trusted by both executive leadership and security teams.


Connect with Fortalice to ensure trusted, discreet expertise is in place before, during, and after a cyber incident.


 
 
bottom of page