Inotiv Confirms Data Breach Exposing Sensitive Employee Information

Inotiv, a U.S.-based pharmaceutical firm, reported that an August data breach exposed sensitive personal data of past and present employees and their families.

 

Headquartered in West Lafayette, Indiana, Inotiv, Inc. is a contract research organisation that supports pharmaceutical, biotech, and medical device companies with nonclinical and analytical services, as well as research products. Its offerings span drug discovery through preclinical development, delivered through two segments: Discovery and Safety Assessment (DSA) and Research Models and Services.

 

In a data security incident notice filed with the Office of Maine Attorney General, Inotiv said that on  August 8, it identified unauthorised activity within its internal network. The pharmaceutical company immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

It also took steps to secure the affected systems and notified relevant law enforcement authorities about the incident.

 

“Our investigation determined that between approximately August 5-8, 2025, a threat actor gained unauthorised access to Inotiv’s systems and may have acquired certain data.

 

“We determined on November 21, 2025 that certain data that may have been acquired by the threat actor during this incident included personal information,” Inotiv said.

 

The compromised data included names and other personal identifiers along with Social Security numbers of current and former employees and their family members. The filing with the Maine state regulator’s office also states that Inotiv has identified at least 9,542 individuals affected by the incident.

 

While Inotiv found no evidence of the compromise data being misused, it has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general. 

 

It has also offered two years of complimentary identity protection and credit monitoring services through Experian to all affected individuals.

 

 

 

 

The Qilin ransomware group claimed responsibility for the cyberattack on Inotiv, listing the company as a victim on its data leak site. The group said it is in possession of more than 162,000 files totaling 176 GB and shared samples of the stolen data to prove its authenticity.