Patient information exposed in breach, says Novo Nordisk

News
Cables for computing network, dark shading
Scott Rodgerson

Novo Nordisk has become the latest pharma group to be targeted by a cyberattack, with the company revealing that some patient data has been "copied externally without authorisation."

Preliminary investigations by the company have found that the breach involved "a limited number of internal IT systems" and included information related to "patients participating in some of [their] clinical trials," including patient identification numbers, sex, birth year, and health-related data on things like lifestyle habits, biomarkers, and illnesses.

Novo Nordisk has stressed that the data was pseudonymised, so, actually identifying the individuals involved in the breach would require access to additional information.

"We therefore do not consider the incident to bear any immediate risks for our patients," said the Danish pharma company in an incident report. "We do, however, recommend that our patients remain vigilant and report to us if anything unusual is encountered that is believed could be linked to the incident."

The investigation is still in its early stages and, as yet, there are no indications of the motivation behind the attack. In the case of life sciences organisations, attackers generally try to harvest intellectual property and other trade secrets, sensitive employee and partner information, and patient data that can be offered for sale, lock out IT systems for extortion purposes, or even result from geopolitical tensions, such as the recent attack on US medtech firm Stryker, for which an Iranian hacker group claimed responsibility.

Extortion was the motivation in the notorious 2017 NotPetya attack on MSD/Merck & Co, which is estimated to have cost the group around $1.4 billion to resolve. However, it's worth noting that more recent incidents – such as the breaches affecting the UK Biobank and AstraZeneca that emerged in March – have resulted in the data being offered for sale.

There are no reports yet of any Novo Nordisk data being mentioned on the Dark Web or other sources, or of any ransomware strain being identified.

"Following the incident, we launched an investigation with the assistance of cybersecurity experts and have taken steps to address the situation," said Novo Nordisk, which noted that "protecting the security and integrity of our systems and delivering reliable products and support to patients remain our highest priorities."

"As part of our response, multiple security measures have been taken, including temporarily taking certain internal IT systems offline to protect our environment," added the company. "We are working to bring the affected systems back online in a controlled and safe manner; however, we acknowledge this process takes time."

Photo by Scott Rodgerson on Unsplash

Deep Dive
Why pharma needs honest patient dialogue

Why pharma needs honest patient dialogue

Astellas Pharma US president Percival Barretto-Ko talks with Dr Paul Tunnah about drug pricing, collaboration and improving the patient experience.