It is understood the incident happened last month and is said to have 'disrupted' over 20 systems across Sandwell and West Birmingham Hospitals NHS Trust, which runs Birmingham's City Hospital, Rowley Regis Hospital and Sandwell General Hospital.
Richard Beeken, the trust's chief executive, says some eye patients were affected, with some operations and procedures being postponed 'on assessment of clinical risk'.
In a report to the trust's board of directors, which calls it a 'major IT incident', Mr Beeken says: "Scanning continues and we are working to recover all historic images and patient contact details."
He says no patient data has been exfiltrated and the Information Commissioner is aware, saying the data loss incident was caused by a ‘recommended update’ and there was no evidence to suggest it was a cyber attack.
Mr Beeken says the response was ‘well managed and professional’, and a review is now under way.
In the report, Mr Beeken says: “December saw us witness a major IT incident which disrupted over 20 systems across the trust.
“While an independent external review of the cause and recovery of the systems impacted is underway the incident was caused by a recommended update and security patch to an operating system issued by an international software provider who subsequently advised to uninstall the patch through reported known issues.
“On attempting to remove the patch there was system and data loss.
“The in house-IT team and their suppliers have worked to recover and restore the majority of systems engaging with a specialist data recovery company.
“At the time of writing the recovery of the full data set for the Birmingham Midland Eye Centre (BMEC) patients is still under way.”
“No patient data has been exfiltrated and the Information Commissioner is aware.
“There is no evidential behaviour that leads us to believe this incident was caused by a cyber attack.
“This was also not caused by any individual clinical systems or suppliers, and the response from our suppliers and the Informatics team, to this unprecedented event, has been well managed and professional.
“At executive level we have and continue to, manage this as a business continuity incident through our already established tactical and strategic command arrangements.”
He says during the incident the ophthalmologists ‘engaged their business continuity plans’ and continued to see and treat the majority of patients.
However, some operations and procedures were postponed on assessment of clinical risk.
He adds: “The executive team has agreed to secure the services of the IT team from a local NHS trust to review the reasons for the incident and to test the strength of our technical response.
“The conclusions will be reported to the audit committee and the terms of reference have been shared with non-executive directors.”
The report is due to be discussed by the board of directors at the trust, which runs Birmingham’s City Hospital, Rowley Regis Hospital and Sandwell General Hospital, during a virtual meeting on Wednesday.