Novo Nordisk Incident

Novo Nordisk reported an IT security incident in June 2026 that involved unauthorised access to a limited number of internal IT systems and the copying of certain non-public information, including personal data, according to the company’s public statement and subsequent media reporting. Shortly after the company announcement, threat actors claiming responsibility — including a group calling itself FulcrumSec — publicly asserted they had exfiltrated data and demanded ransom payments; those assertions remain under investigation and have not been independently verified in full.

The company’s reported decision not to pay the extortion demand may well have been prudent; however, the public disclosures and attacker claims mark the start of a lengthy legal and regulatory process, and that process is the concern of this note for organisations advising pharmaceutical clients.

What Was Allegedly Taken

Threat-actor statements and media coverage allege large-scale data exfiltration, including clinical trial information, healthcare provider contact details, intellectual property, and internal AI assets; some reports cite figures such as ~1.3 TB and hundreds of thousands of files, but these numbers are currently attacker- or media-sourced and should be treated as alleged rather than confirmed. Novo Nordisk has confirmed that some personal data was copied externally while investigations continue.

Why AI Model Theft Changes the Legal Risk Profile

Traditional data-breach responses focus on notification, regulatory inquiry, and potential class actions. When proprietary AI models or pipelines are alleged to be among the exfiltrated assets, the legal exposure can broaden substantially because these trained models may embody significant proprietary investment and operational know-how.

Pharmaceutical companies have moved from consuming third-party AI services to training in-house models and agent-style pipelines on years of trial, manufacturing, and clinical data. If such a model is stolen, it functions as a compressed form of intellectual property that a competitor could deploy directly, which is a different category of loss from a conventional stolen database.

Trade Secret and GMP Considerations

If stolen models or related materials meet the legal criteria for trade secrets, their theft can ground claims under trade-secrets frameworks (for example, the EU Trade Secrets Directive or the US Defend Trade Secrets Act), subject to jurisdictional rules and proof requirements. Separately, regulators expect validated systems used in GxP processes to maintain data integrity; if validated systems or their outputs are shown to have been compromised, affected parties may face revalidation requirements and regulatory scrutiny. Both outcomes depend on investigative findings and are not automatic.

Regulatory Exposure: GDPR and NIS2

Novo Nordisk is a multinational pharmaceutical company operating across the EU, so several regulatory regimes may apply.

  • GDPR: Clinical-trial data, even when pseudonymised, can be personal data under GDPR definitions, and health-related trial data is a special category attracting heightened protections. A personal-data breach must be notified to the supervisory authority within 72 hours of the controller becoming aware of it under Article 33 where applicable; any regulatory assessment of whether technical and organisational measures were adequate will be fact-specific.
  • NIS2: The EU’s NIS2 framework classifies in-scope entities as essential or important, raises their cybersecurity obligations, and strengthens supervisory oversight; non-compliance can increase personal exposure for senior management depending on local transposition and enforcement practices.
  • Clinical Trials Regulation: If the integrity of trial data is materially affected, sponsors and investigators may face additional notification obligations under the Clinical Trials Regulation; whether those obligations are triggered depends on the facts established by the investigation and applicable national rules.

Healthcare Provider Data: Secondary Litigation Risk

Public reporting indicates that contact details for healthcare professionals may have been among the copied information. Such exposures create downstream phishing, impersonation, and social-engineering risk for the affected providers, and a secondary litigation vector for the data controller if demonstrable harm follows. Legal teams should evaluate downstream liability and notify relevant stakeholders as appropriate.

Common Gaps Legal Teams Should Address Now

This incident highlights recurring gaps observed in large-scale pharma environments:

  • API credential hygiene and rotation protocols (attacker claims have pointed to credential misuse or unrotated keys; these claims are unverified and should not be treated as an established root cause).
  • Cloud configuration and vendor management controls for cloud-based assets.
  • Formal classification and documentation of AI models and algorithmic assets for trade-secret protection.
  • Breach-notification and DSAR workflows, with the resourcing to meet the 72-hour supervisory-authority notification window and the one-month response deadline for data subject access requests.
  • Pre-authorized incident response vendor relationships and retainer scopes that explicitly include intellectual property and AI-asset incidents.

What Law Firms Advising Pharma Clients Should Do Immediately

Legal advisors should prioritise the following actions for clients with potential exposure:

  • Review NIS2 readiness and director-level accountability for in-scope entities.
  • Map AI and proprietary algorithmic assets against trade-secret criteria and assess documentation supporting ownership and secrecy.
  • Audit processing and transfer arrangements for trial vendors and CROs to understand the chain of liability.
  • Ensure breach-notification protocols can operate under the 72-hour GDPR supervisory-authority clock, and that DSAR response protocols can meet the one-month GDPR deadline and similar regulatory timelines.
  • Confirm incident response retainers and vendor scopes explicitly include AI/IP theft scenarios, not only conventional data exfiltration.

How Aeren LPO Supports Cyber Incident Response

Aeren LPO provides law firms and corporate legal departments with rapid, scalable support across the full cyber incident response lifecycle. Our teams handle breach document review, data subject access request processing, privilege log preparation, regulatory notification drafting, and eDiscovery workflows — enabling attorneys to focus on strategy and client counsel while we manage volume and defensibility.

We are structured to deploy within hours and to document actions defensibly for regulatory and litigation contexts.
