Novo Nordisk, the Danish pharmaceutical company behind some of the world's most prescribed diabetes and obesity drugs, was struck by two separate threat actors who collectively demanded $75 million in ransom — and reportedly received nothing. The case, reported by DataBreaches.net on June 16, is unusual not for the scale of the demands but for the fact that two independent criminal groups appear to have compromised the same organization around the same time, each unaware of the other.
What happened
The first intrusion was claimed by a group calling itself FulcrumSec, which published a detailed technical report on its dark web leak site describing what data it acquired from Novo Nordisk and how it obtained access. FulcrumSec demanded $50 million.
A second actor separately contacted DataBreaches.net via Signal, claiming an independent breach of the same company and demanding $25 million. The two groups appear to have operated without coordination, a scenario known in threat intelligence as concurrent or overlapping compromise — where a single organization's unresolved vulnerability or access gap is exploited by more than one actor.
Novo Nordisk did not pay either demand, according to the reporting.
Why concurrent compromise matters for healthcare organizations
The Novo Nordisk situation illustrates a pattern that security researchers have documented at hospitals, health systems, and healthcare vendors: once an organization has an exploitable entry point — an unpatched system, a misconfigured credential store, an unmonitored remote access channel — that entry point is not reserved for the first attacker who finds it; any other actor who discovers it can use it as well until it is closed.
Pharmaceutical companies occupy a position adjacent to clinical care and are frequently subject to HIPAA-adjacent data obligations depending on the nature of their US operations, clinical trial data handling, and business associate relationships with covered entities. A breach at a major drug manufacturer can affect supply chain visibility, patient safety communications, and the integrity of clinical data that downstream health systems depend on.
The dual-demand scenario also creates a specific compliance complication: an organization that believes it has contained one incident may still have an active intruder operating through a separate access path. Incident response plans that assume a single threat actor at a time can miss this.
What this signals for independent practices
Independent practices and smaller health systems are unlikely to face $50 million extortion demands, but the structural lesson applies at any scale. Two conditions made the Novo Nordisk situation possible: an initial access failure that was apparently not remediated quickly enough to prevent a second actor from exploiting it, and a period during which neither compromise was detected.
For practice administrators and compliance officers, the relevant questions are:
- Access path inventory. Are all remote access channels — VPN, remote desktop, vendor-managed portals — enumerated and monitored for anomalous authentication patterns?
- Segmentation discipline. Would a single compromised credential allow lateral movement to clinical or financial systems, or does network segmentation limit blast radius?
- Incident scope assumptions. When an intrusion is detected and remediated, does the response process include a review for evidence of additional access paths or concurrent activity?
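The concurrent-activity review in the last question can be started from existing remote-access logs. The following is an added example, not code from the article or from any organization named in it: it parses constructed log lines (the field layout, channel names, usernames and addresses are all assumptions, not real Novo Nordisk data) and flags any account whose sessions overlap in time while coming from different source addresses or different access channels, which is the signal an incident reviewer would want when checking for a second, unrelated access path.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail (assumed layout): timestamp, channel, user, source IP, event.
SAMPLE_LOG = """\
2025-06-10T08:01:12Z vpn jdoe 203.0.113.5 login
2025-06-10T08:20:40Z vpn jdoe 203.0.113.5 logout
2025-06-10T22:15:03Z vpn svc_backup 198.51.100.7 login
2025-06-10T22:31:55Z rdp svc_backup 192.0.2.44 login
2025-06-10T23:50:00Z vpn svc_backup 198.51.100.7 logout
2025-06-11T00:05:10Z rdp svc_backup 192.0.2.44 logout
2025-06-11T09:00:00Z vendor_portal mrane 203.0.113.80 login
2025-06-11T09:30:00Z vendor_portal mrane 203.0.113.80 logout
"""

def parse_log(text):
    """Parse the constructed log lines into (ts, channel, user, src, event) tuples."""
    records = []
    for line in text.splitlines():
        ts, channel, user, src, event = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), channel, user, src, event))
    return records

def build_sessions(records):
    """Pair login/logout events per (user, channel, source) into sessions, keyed by user."""
    open_sessions = {}
    sessions = defaultdict(list)
    for ts, channel, user, src, event in sorted(records):
        key = (user, channel, src)
        if event == "login":
            open_sessions[key] = ts
        elif event == "logout" and key in open_sessions:
            sessions[user].append((open_sessions.pop(key), ts, channel, src))
    # A session still open at the end of the log is treated as lasting to the last record seen.
    end = max(r[0] for r in records)
    for (user, channel, src), start in open_sessions.items():
        sessions[user].append((start, end, channel, src))
    return sessions

def find_concurrent_access(sessions):
    """Return (user, channel_a, src_a, channel_b, src_b) for overlapping sessions that differ in source or channel."""
    findings = []
    for user, sess in sessions.items():
        for i, a in enumerate(sess):
            for b in sess[i + 1:]:
                overlap = a[0] < b[1] and b[0] < a[1]
                if overlap and (a[3] != b[3] or a[2] != b[2]):
                    findings.append((user, a[2], a[3], b[2], b[3]))
    return findings
```

On the sample data only `svc_backup` is flagged: a VPN session from one address overlaps an RDP session from another, while `jdoe` and `mrane` each have a single session and are not reported.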
The Novo Nordisk case does not establish that refusing to pay ransoms is universally advisable in all situations — that determination depends on the nature of the data, the operational impact, and legal counsel. What it does show is that paying one demand would not have resolved the second, and that organizations facing extortion may be negotiating with only part of the threat they actually face.