On Feb. 21, Change Healthcare was the target of what has been called the “most significant and consequential cyberattack on the U.S health care system in American history.” That’s because, in recent decades, Change has become central to the functioning of the $4.5 trillion health care system—routing critical information and payments between physicians, hospitals, pharmacies, laboratories, and countless other entities. Change, which was acquired in 2022 by UnitedHealth Group—one of the five biggest companies in America—touches between a third and half of the nation’s medical claims, and adjudicates a staggering $1.5 trillion of them.

When the hack forced Change’s systems offline, “the actual commerce of the health industry just stopped,” says Boe Hartman, a health care payments executive. Pharmacies couldn’t fill prescriptions; doctors couldn’t access vital records; medical practices had to resort to faxes and snail mail to get reimbursed. One practitioner told me about having to fly back and forth between his Florida and New York clinics carrying bags of cash, just to meet payroll.

More than two months later, most of the systems are back online. But medical providers are still feeling the pain, and the consequences for patients whose data may have been exposed are only beginning to come into focus. On Monday, UnitedHealth released preliminary findings from its investigation of the breach. All it could say at this point, really, was that it was big—impacting the health information of “a substantial proportion of people in America.” (Last year, UnitedHealth boasted it touched the claims and clinical data of 285 million lives, which amounts to about 86% of the U.S. population.)

While millions of people wait for clearer answers, with this story we’ve started sketching out the extent of this massive, incredibly disruptive cyberattack, and the mess it’s left for doctors and patients alike.