Clinical Trial Data Stolen in Novo Nordisk Cyberattack

Novo Nordisk, the Danish pharmaceutical firm behind the GLP-1 weight loss drugs Ozempic and Wegovy, has experienced a cyberattack that exposed the data of healthcare providers and of patients enrolled in clinical trials. According to the company’s June 11, 2026, breach notice, a threat actor gained access to a limited number of its internal systems and exfiltrated certain personal data stored on those systems. It is currently unclear when the intrusion was detected or for how long the attacker had access, and no threat group has yet publicly claimed responsibility.

The exposed data related to certain patients who took part in the company’s clinical trials. Novo Nordisk says the risk to those patients is limited because the exfiltrated data was pseudonymized: patient names were not exposed, only the ID numbers used to identify individual trial participants, which are random alphanumeric strings. The other compromised information was limited to sex, year of birth, biomarkers, health and immunogenicity data, and lifestyle factors such as BMI, smoking status, and alcohol use.

Novo Nordisk said that because the exposed data was pseudonymized, patients cannot be identified from it without further information from another source, and it therefore does not believe patients face any immediate risk. Patients have nonetheless been advised to remain vigilant and to contact Novo Nordisk if they notice any suspicious activity they believe may be linked to the incident.
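The notice’s qualifier, “without further information from another source,” is the whole caveat with pseudonymized data: a random participant ID removes the direct identifier, but the remaining attributes (sex, year of birth, BMI, smoking status) still split participants into small groups, and anyone holding a second dataset keyed on those same attributes can link records back to names. The script below is an added illustration, not code from Novo Nordisk or The HIPAA Journal. All records in it are constructed sample data, the field set simply mirrors the categories the notice lists, and the function and variable names are the author’s own. It computes the k-anonymity of the released attributes (the smallest group of participants sharing the same values) and shows a linkage against a hypothetical second source.

```python
"""Re-identification risk check for pseudonymized trial data.

Added example; not from the breach notice. All records below are constructed.
A random participant ID removes direct identity, but the quasi-identifiers
that remain (sex, year of birth, BMI, smoking status) still partition the
participants into small groups. k-anonymity measures how small those groups
are; link() shows what a second dataset keyed on the same attributes buys.
"""
from collections import Counter, defaultdict

# Constructed pseudonymized records. IDs are arbitrary random strings, as in the notice.
TRIAL_RECORDS = [
    {"pid": "X7Q2-91KD", "sex": "F", "yob": 1971, "bmi": 33.4, "smoker": False},
    {"pid": "B4MM-20ZT", "sex": "F", "yob": 1971, "bmi": 31.9, "smoker": False},
    {"pid": "Q9LA-77PX", "sex": "M", "yob": 1958, "bmi": 29.0, "smoker": True},
    {"pid": "HH3C-54RV", "sex": "M", "yob": 1985, "bmi": 36.2, "smoker": False},
    {"pid": "ZZ0E-18NA", "sex": "F", "yob": 1990, "bmi": 30.1, "smoker": True},
]

# Constructed "other source" (hypothetical): a clinic or pharmacy customer table
# that carries names alongside the same coarse attributes.
EXTERNAL_RECORDS = [
    {"name": "A. Example", "sex": "F", "yob": 1971, "bmi_band": "30-35", "smoker": False},
    {"name": "B. Example", "sex": "F", "yob": 1971, "bmi_band": "30-35", "smoker": False},
    {"name": "C. Example", "sex": "M", "yob": 1958, "bmi_band": "25-30", "smoker": True},
    {"name": "D. Example", "sex": "M", "yob": 1985, "bmi_band": "35-40", "smoker": False},
]


def bmi_band(bmi: float) -> str:
    """Bucket BMI into 5-unit bands so small measurement differences do not break a match."""
    lo = int(bmi // 5) * 5
    return f"{lo}-{lo + 5}"


def quasi_key(rec: dict) -> tuple:
    """Quasi-identifier tuple: the attributes an outsider could observe elsewhere."""
    band = rec["bmi_band"] if "bmi_band" in rec else bmi_band(rec["bmi"])
    return (rec["sex"], rec["yob"], band, rec["smoker"])


def k_anonymity(records: list[dict]) -> int:
    """Smallest equivalence class size over the quasi-identifiers.

    k == 1 means at least one participant is unique within the released data,
    so a single matching external record identifies them outright.
    """
    counts = Counter(quasi_key(r) for r in records)
    return min(counts.values())


def link(trial: list[dict], external: list[dict]) -> dict[str, list[str]]:
    """Map each pseudonymous ID to the named candidates it could belong to.

    An empty list means the external source cannot place the participant;
    a single name means full re-identification.
    """
    by_key = defaultdict(list)
    for ext in external:
        by_key[quasi_key(ext)].append(ext["name"])
    return {t["pid"]: by_key.get(quasi_key(t), []) for t in trial}


if __name__ == "__main__":
    print("k-anonymity of released attributes:", k_anonymity(TRIAL_RECORDS))
    for pid, names in link(TRIAL_RECORDS, EXTERNAL_RECORDS).items():
        print(pid, "->", names or "no match")
```

On the constructed data the release is only 1-anonymous: three of the five participants are unique on (sex, year of birth, BMI band, smoking status), and the hypothetical external table pins two of them to a single name while the two 1971-born non-smoking women remain a pair. Running this check over the real quasi-identifier columns before a dataset leaves the controlled environment is the practical way to decide whether “pseudonymized” actually means “not reasonably identifiable.”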

When the attack was detected, certain systems were taken offline as a precaution while the incident was investigated, and Novo Nordisk is working to bring the systems back online safely and securely. The company said the cyberattack has had no impact on its core business operations, which remain up and running. The forensic investigation and data review are ongoing, and Novo Nordisk has yet to determine the number of individuals affected.

Certain healthcare providers have been affected by the incident, and they are currently being notified. The information stolen in the attack varies from provider to provider, and may include information such as the company name, registration number, contact email address, phone number, office location, and WhatsApp details. Since contact information has been compromised, healthcare providers are potentially at risk of phishing or social engineering attacks and should therefore remain vigilant.

The post Clinical Trial Data Stolen in Novo Nordisk Cyberattack appeared first on The HIPAA Journal.

Business Associates Face Increased Regulatory Scrutiny as Vendor Breaches Soar

The healthcare industry has the highest rate of third-party data breaches out of any sector, according to the Verizon Data Breach Investigations Report (DBIR), and third-party data breaches are increasing.

The HHS’ Office for Civil Rights (OCR) publishes information on data breaches impacting 500 or more individuals on its data breach portal. Currently, the breach portal shows that in the 9 years from 2009 to 2017, an average of 20% of healthcare data breaches had business associate involvement. For the following 9 years, from 2018 to 2026, an average of 34% of data breaches had business associate involvement. In the first 6 months of 2026, that percentage rose to 43%.

Figure: Business associate involvement in healthcare data breaches, 2017 to 2026

Modern healthcare relies heavily on third-party vendors to perform a huge range of functions. Vendors are used for revenue cycle management, transcription, medical supplies, telemedicine, IT services, and cybersecurity, and they supply a huge range of software solutions, SaaS platforms, AI tools, and electronic medical record systems. A typical U.S. health system could have anywhere from 500 to 2,000 active vendors and therefore a massive attack surface to defend. Each vendor is a potential weak point, and threat actors actively target vendors because their systems often contain vulnerabilities that are easy to exploit.

A cybercriminal operation can target a healthcare provider, gain access to its network, steal a huge amount of patient data, and demand a ransom payment to prevent that data from being leaked. Ransomware encryption is often thrown into the mix to cause maximum disruption.

An attack on a vendor can be much more profitable for the threat actor. Vendors are often provided with large amounts of protected health information from their various healthcare clients so they can perform their contracted duties. Breaching a vendor’s network can give the threat actor access to all of that data, and potentially privileged access to the networks of each of the business associate’s clients. It takes far less effort to attack one vendor and abuse its access to client systems than to breach each client’s network individually.

In 2015, 5% of individuals affected by healthcare data breaches had their data compromised in incidents involving business associates. That percentage jumped to 65% in 2025, highlighting why business associates are such attractive targets. Two of the top three healthcare data breaches of all time occurred at business associates: The 2024 hack of Change Healthcare and the 2025 attack on Conduent Business Services, which combined, affected almost 255 million individuals.

Vendors Facing Increased Regulatory Scrutiny

The HIPAA Omnibus Rule of 2013 made business associates directly liable under HIPAA for violations of the HIPAA Security Rule and certain requirements of the HIPAA Privacy Rule. In recent years, business associates have faced increased regulatory scrutiny, and OCR has imposed several financial penalties to resolve HIPAA compliance failures. In the past two years, OCR has imposed financial penalties on Consociate, Inc., MMG Fusion, BST & Co. CPAs, Comstar, Health Fitness Corporation, USR Holdings, Virtual Private Network Solutions, and Elgon Information Systems to resolve alleged HIPAA violations.

OCR has been encouraging covered entities to address vendor risk through its voluntary cybersecurity performance goals, and mandatory new requirements are now due to be finalized. The proposed update to the HIPAA Security Rule contains several provisions for addressing third-party risks from business associates and their subcontractors in an effort to reduce the volume of third-party data breaches.

The proposed measures include greater vendor security oversight and written verification from business associates that their cybersecurity measures meet or exceed HIPAA requirements, with that verification certified by a person of authority at the business associate. Further, the proposed elimination of the distinction between addressable and required implementation specifications removes a great deal of the flexibility of the current Security Rule, which will mean greater investment in cybersecurity for business associates.

The proposed rule has progressed through the comment period and is edging close to a final rule, with the provisional May 2026 release date already having passed. Over the coming 12 months, business associates can expect more prescriptive regulatory cybersecurity requirements, upstream pressure for verification of cybersecurity measures, and further regulatory scrutiny from federal and state regulators.

Now is the Time for Action

While business associates are likely to be given at least 8 months to comply with the new Security Rule requirements, there is no better time than the present to improve security and reduce the risk of cyberattacks, data breaches, and regulatory penalties. One of the best places to start is a comprehensive risk analysis and an assessment of the current state of cybersecurity, which together feed into the risk management plan. That should be paired with an assessment of the current HIPAA compliance program to confirm full compliance today and to identify the areas where action is required to meet the proposed security requirements.
