Data breach at Novo highlights clinical trial patient risk

Novo reports data breach affecting clinical trial patients

Understanding the Novo Clinical Trial Data Breach

Data breaches involving clinical trial patient information are a growing cyber threat. The recent data breach at Novo has brought the risks of clinical trial data exposure into sharp focus. In this article, we will explore what happened in the Novo breach, why it matters for organisations handling sensitive health data, and essential steps to improve cybersecurity.

What Happened: Details of the Novo Data Breach

In June 2024, Novo disclosed a data breach affecting clinical trial patient information. The company has urged those impacted to ‘remain vigilant’ following the exposure of personal and potentially medical data. While specific details about the nature of the breach are limited, it is clear that sensitive information was compromised. The breach has raised concerns about the security of data handled by pharmaceutical firms and their partners.

Incidents like this typically involve unauthorised access to databases or systems containing patient data, often through compromised credentials, phishing attacks or vulnerabilities in third-party platforms. The sensitivity of health and clinical trial information makes such breaches particularly serious, as the data can be used for identity theft, phishing, or even targeted fraud.

Why Clinical Trial Data Breaches Are So Significant

Risks to Individuals and Organisations

The primary concern in this incident is the exposure of highly confidential patient information. Clinical trial data often contains not just names and contact details but also medical histories, trial participation data and sometimes genetic information.

  • Patient Trust: Breaches erode trust in healthcare providers and research institutions.
  • Regulatory Consequences: Organisations face hefty fines under data protection laws like the UK GDPR for failing to protect sensitive data.
  • Phishing and Fraud: Exposed data can be weaponised in phishing campaigns or used to commit fraud against patients or staff.
  • Reputational Damage: News of a clinical trial data breach can harm an organisation’s reputation, impacting future participation and partnerships.

Healthcare Sector as a Target

Healthcare organisations and those conducting clinical trials are frequent targets because they store highly valuable personal data. Attackers may seek to exploit weak links in the supply chain, such as third-party vendors with access to trial data or less robust cybersecurity controls.

UK small and medium-sized businesses (SMBs) in healthcare, or those handling sensitive research data, should be particularly alert. They often have fewer resources for security, making them appealing targets for cybercriminals.

Lessons Learned: How Organisations Should Respond

Review Third-Party Data Flows

Many clinical trial data breaches stem from vulnerabilities in third-party systems or processes. Organisations must:

  • Map all third-party data flows to understand where sensitive data is sent or stored.
  • Assess supplier security practices and contractual obligations regarding data protection.
  • Regularly audit third-party access rights and revoke unnecessary permissions.

Reinforce Phishing Detection and Staff Awareness

Phishing remains a leading cause of data breaches. Training staff and trial participants to recognise suspicious emails or messages is critical. Consider the following steps:

  • Deploy phishing simulation campaigns and provide regular training updates.
  • Encourage a culture of reporting suspected phishing attempts without fear of reprisal.
  • Implement technical controls, such as email filtering and multi-factor authentication.

Strengthen Incident Response and Notification Processes

Swift and effective incident response can reduce the impact of a clinical trial data breach. Organisations should:

  • Maintain an up-to-date incident response plan that includes legal and communications teams.
  • Test the plan regularly with realistic tabletop exercises.
  • Ensure clear procedures exist for notifying affected individuals and regulators promptly, as required by the UK GDPR.

Best Practices to Prevent Clinical Trial Data Breaches

Robust Data Protection Measures

Preventing a clinical trial data breach starts with strong data security fundamentals:

  • Encrypt sensitive data both at rest and in transit, reducing the risk if data is accessed unlawfully.
  • Limit access to clinical trial data on a need-to-know basis, using role-based access controls.
  • Regularly patch and update all systems, especially those used for storing or sharing patient data.

Continuous Monitoring and Threat Detection

Real-time monitoring of systems can help organisations spot and respond to suspicious behaviour before it leads to a full breach:

  • Deploy Security Information and Event Management (SIEM) tools to detect anomalies.
  • Monitor for signs of unauthorised access or large data exports.
  • Set up alerts for unusual account activity, especially for privileged users.
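To make the last two bullets concrete, here is an added example (not code from the bulletin or from CyPro) of rule-based detection over constructed audit log lines from a hypothetical clinical trial data platform. The log format, the export baseline of 500 records per user per day, the business-hours window and the account names are all assumptions.

```python
# Added illustration: two detection rules named in the bulletin, run over
# constructed audit lines. Format, thresholds and users are assumed.
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: "<ISO time> user=<id> role=<role> action=<action> records=<n> ip=<addr>"
SAMPLE_LOG = """\
2024-06-03T09:12:05 user=j.smith role=investigator action=view records=1 ip=10.0.4.21
2024-06-03T09:40:17 user=j.smith role=investigator action=export records=40 ip=10.0.4.21
2024-06-03T23:05:44 user=svc_admin role=admin action=login records=0 ip=203.0.113.9
2024-06-03T23:06:10 user=svc_admin role=admin action=export records=900 ip=203.0.113.9
2024-06-03T23:09:33 user=svc_admin role=admin action=export records=1200 ip=203.0.113.9
2024-06-04T10:15:00 user=a.patel role=vendor action=export records=300 ip=198.51.100.7
"""

EXPORT_THRESHOLD = 500          # assumed baseline: records exported per user per day
BUSINESS_HOURS = range(7, 20)   # assumed 07:00-19:59 local; admin activity outside is flagged


def parse_line(line):
    """Turn one audit line into a dict with typed time and record count."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.fromisoformat(ts)
    rec["records"] = int(rec["records"])
    return rec


def detect(log_text):
    """Return (rule, user, detail) alerts: large daily exports and out-of-hours admin activity."""
    alerts = []
    exported = defaultdict(int)   # (user, date) -> cumulative records exported that day
    flagged_admin = set()         # (user, date) already alerted, to avoid one alert per line
    for line in log_text.strip().splitlines():
        r = parse_line(line)
        if r["action"] == "export":
            key = (r["user"], r["time"].date())
            before = exported[key]
            exported[key] += r["records"]
            if before <= EXPORT_THRESHOLD < exported[key]:   # fire once, when the baseline is crossed
                alerts.append(("large_export", r["user"], f"{exported[key]} records on {key[1]}"))
        if r["role"] == "admin" and r["time"].hour not in BUSINESS_HOURS:
            key = (r["user"], r["time"].date())
            if key not in flagged_admin:
                flagged_admin.add(key)
                alerts.append(("privileged_out_of_hours", r["user"],
                               f"{r['action']} at {r['time']:%H:%M} from {r['ip']}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(f"ALERT {rule}: {user} ({detail})")
```

In a SIEM the same two rules would be expressed as correlation searches over the platform's real export and authentication events, with the baseline derived from observed daily volumes rather than a fixed constant.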

Data Minimisation and Retention Policies

Storing only the data you need, and for no longer than necessary, reduces the impact if a breach occurs:

  • Review and minimise the volume of personal data collected during clinical trials.
  • Establish clear retention schedules and securely delete data when it is no longer required.

Conclusion: Building Resilience Against Clinical Trial Data Breaches

The Novo incident is a reminder that protecting clinical trial data is not optional. The risks of a clinical trial data breach extend beyond financial penalties, threatening patient trust and organisational reputation. By mapping third-party data flows, reinforcing phishing detection, and preparing robust incident response plans, organisations can reduce risks and respond effectively if a breach occurs.

Staying informed about cyber threats, investing in staff awareness, and adopting best practices are essential for any organisation handling sensitive health data. Proactive steps today will help protect both patients and your organisation from the serious impacts of a clinical trial data breach.


About the Author


Rob McBride

Partner

  • CISSP
  • ACA Chartered Accountant
  • MPhil
  • BSc
  • SOC 2
  • ISO 27001


Rob is a Founding Partner at CyPro and a highly experienced CISO. Beginning his career with a successful tenure at Deloitte, Rob has since amassed a wealth of experience, notably serving as a cyber security advisor to the UK government and spearheading cloud security transformations for several global banks.

At CyPro, Rob leads the managed service business line, working extensively across multiple sectors including telecommunications, technology, higher education, travel, and retail. He is passionate about equipping small and medium-sized businesses (SMBs) with robust cyber security strategies to fuel their growth.

Published: Jun 11 - 2026