UnitedHealth Group has officially disclosed that 100 million people were affected by the massive cyberattack on Change Healthcare earlier this year.
CEO Andrew Witty told legislators in a May hearing that, while the company was finalizing its data analysis, he could estimate that about a third of Americans were impacted by the data breach.
Change's systems were breached in February by actors associated with the BlackCat or ALPHV ransomware gang using stolen credentials on a server that did not have two-factor authentication enabled. The hackers then exfiltrated a slew of data before deploying the ransomware.
UnitedHealth filed the breach notification in July, though final figures on the number of people impacted are just now being released.
The Department of Health and Human Services Office for Civil Rights said in an update that UnitedHealth informed the agency on Oct. 22 that it had sent out 100 million breach notifications following the attack.
Given the sheer number of people affected, the breach is one of the largest in history. The company began the notification process in June, reaching out to organizations that may have impacted customers or patients.
The cyberattack has also had a significant financial cost for UnitedHealth, with total costs associated with the attack projected to be about $2.45 billion as of the third quarter.