A claimed breach at Novo Nordisk is putting more than patient privacy under the microscope.
Hackers from FulcrumSec say they stole 1.3TB of data from the Danish pharmaceutical giant behind Ozempic and Wegovy after spending more than two months inside its systems, according to Reuters. Novo Nordisk has confirmed unauthorized access to a limited number of internal IT systems, but the full scope and authenticity of the hackers’ claims remain unverified.
The incident points to a broader security problem for healthcare and pharmaceutical companies: clinical trial data, developer credentials, proprietary research, and internal AI assets are becoming prime targets.
Hackers claim 1.3TB theft from Novo Nordisk after $25M demand
According to Reuters, FulcrumSec claimed it spent more than two months inside Novo Nordisk’s networks and was exploring private sales of some stolen data after the company refused to pay $25 million. Reuters said it could not immediately verify the authenticity of the data posted by the group.
Novo Nordisk said in its incident update that it had identified “unauthorised access to a limited number of internal IT systems”.
The company reported that the incident involved some personal data related to clinical trial patients, but that the data was pseudonymized and not directly linked to names or other direct identifiers.
“This communication serves as information only, and there is no need for our patients to take any specific action as a result of the incident,” Novo Nordisk stated.
The company highlighted that the exposed categories may include patient IDs, trial participation information, sex, year of birth, biomarkers, health and immunogenicity data, and lifestyle factors such as smoking, alcohol use, and BMI. It also said core business operations remain up and running.
What FulcrumSec claims it stole
FulcrumSec claimed the stolen data included proprietary information on released and unreleased drugs, trial data, employee, doctor, and patient data, source code, processing facility information, and internal AI model information, according to Reuters.
BankInfoSecurity reported that FulcrumSec began leaking samples it claimed came from the stolen data. The outlet said the group claimed the trove included login screenshots, clinical trial-related information, details tied to AI models, 30 trained AI models, 70 datasets, and 494 gigabytes of proprietary cell painting microscopy images.
FulcrumSec also claimed it gained initial access in March via exposed credentials, including an Azure Container Registry credential and a GitHub personal access token. Those claims have not been independently confirmed.
The group said it would not share some data, including information tied to employees, physicians, and about 11,500 pseudonymized clinical trial patients, as part of what it called a harm-reduction strategy.
Must-read security coverage
Why this matters beyond Novo Nordisk
Healthcare breaches often raise privacy concerns first, but this case also highlights risks to intellectual property, AI security, and research integrity.
“Clinical trial data – for example, testing on human subjects – is one of the most valuable types of data that can be held by a healthcare sector organization,” Mike Hamilton, CISO emeritus at Datec, told BankInfoSecurity.
The potential exposure of drug research and AI models adds a business risk. Pharmaceutical companies spend years and large budgets developing compounds, testing treatments, and refining research systems. Stolen data could be sold, leaked, or used to accelerate competing research.
The incident also highlights a familiar security problem: long dwell time. FulcrumSec claimed it remained inside Novo Nordisk’s environment for more than two months. If accurate, that would raise questions about detection, access controls, credential management, and monitoring in sensitive research environments.
Novo Nordisk noted it launched an investigation with cybersecurity experts, took steps to address the incident, and temporarily brought certain internal IT systems offline to protect its environment.
The main takeaway is not limited to healthcare. Companies holding high-value research, regulated data, or proprietary AI assets need to treat identity, developer credentials, and research platforms as core security priorities rather than back-office systems.
A threat actor claims Nintendo was breached and is demanding $2 million. Here’s what to know.
