Lots of healthy disagreements here. That's good for discussion. I'm open to other viewpoints, and to changing my own.
What would you do if someone was logged into the computer under their user id.
and while surfing the net accidentally clicks on a nsfw popup.
someone else sees it. and reports it.
just like in this case.
the user has no intentions at all of sharing any of this material yet was reported by some trigger happy colleague
That's unlikely to happen at my institution as we have a very robust filter. Clicking on any site with questionable content yields a blocked message. Some would argue that it's sometimes too restrictive.
But, let's assume for discussion that there's no block, and it's possible to open any link. Let's say someone does this by accident and it gets reported. What happens? Assuming that the story is as described (clicked on link in an email that looked legit (for example), someone sees and reports), I'd do nothing other than review the danger of clicking on emailed links (for viruses and other issues). This would not be a professionalism issue. But I think what the OP did is a much bigger issue.
I do disagree with your comment that this was reported by a trigger happy colleague. NSFW material does not belong at work. Perhaps the material was particularly offensive to the person who saw it. Perhaps they have something in their background which made this material particularly hurtful to them. Nevertheless, employees have the right to come to work and not be exposed to this type of material. Perhaps it's no big deal to you -- that's fine, that's your opinion. But other opinions matter also.
I disagree. Are you familiar with how the intarwebz work?
Actually, yes. On the side I create web based solutions to problems I see in my program. I run a LAMP stack in AWS. I use MySQL on the back end, ColdFusion (actually Lucee since I like open source / free) as middleware, and then jQuery on the client end. It's been awhile since I learned Unix, but it's come in handy with my Linux server. I've also set up my own DICOM server to manage my program's POCUS images including all of the IP configurations and ports including SSL tunnels to get the machine to communicate with the server. So, yes, I'd say I know how the intarwebz work. Now on to the rest of your question.
He didn't essentially bring NSFW items to work. Simply logging into a Google account doesn't transfer the contents of one's Google Drive onto the local computer. That doesn't happen until someone actually clicks on a link to one of the files. The OP did not place NSFW materials onto a hospital computer, nor transmit them across the hospital network.
That's why saqrfaraj's analogy isn't quite apt. There's tons of NSFW content on the internet. The NSFW content that was made available by the OP's Google account is a drop in the bucket compared to the number of other NSFW links anyone could have clicked on. The issue here is that it sounds like the hospital network is one of these systems that uses a generic Windows login account. If everyone had to use his own Windows account, the OP's login would have timed out, whoever else used the computer later would have had to login to Windows as themselves, and wouldn't have been able to access his Google account.
The OP was certainly foolish to forget to log out of his Google account, and to leave the box that says "Remember me" or whatever checked when logging in, especially when he knows he has NSFW files in his Google Drive. But he should get at most a slap on the wrist for this.
OP, as to whether IT be able to see what was on your Google drive when it was pulled up on the work computer, that depends on whether they capture all network traffic and how long the keep it around for. I have heard that some IT departments capture all traffic, but given the massive amount of data storage needs that would create, there's no way they keep it around forever. The problem is that in order to take disciplinary action against you, they don't have to meet the evidentiary standards of a criminal trial (i.e., the prosecution having to prove "beyond a reasonable doubt" that you did it.) They probably can't, but since it's a private, internal matter, they can be a lot more lax with what they base their decision on.
So, I agree in part, and disagree in part.
Yes, the OP didn't transfer material onto the hospital network. Had they actually done so (i.e. sent inappropriate material via their work email account, for example), then my response would be different -- they would be fired for that. But they didn't do "nothing" either. They created a situation where someone else, either by mistake or perhaps on purpose (more below), was able to access their drive content which was NSFW.
My example above explains the way I see this. If someone likes looking at NSFW images in the privacy of their own home, that's fine with me. But let's say someone brings some images with them to work. They are in a folder, in their computer bag. They brought them because they were going to do something with them after work. They forgot them in their bag -- they meant to leave them in their car or locker. No big deal, they are in a folder, in their bag, no one should see them. But someone gets confused and thinks the bag is theirs. They open it, see the folder, and think "Huh, what's that?". They open it and see the material. I see the person who brought that material to work responsible for this situation. Sure, they didn't mean for anyone to see the material (and that's important and a mitigating factor). But nevertheless, they are responsible for this problem they have created.
I see the OP's situation as very similar. They "brought the material to work" by opening their google drive on a work computer. They left it open by mistake. Someone else saw it. I doubt any robust hospital has computers where people use a generic login -- I expect (and I think the OP described) that they logged into their windows account on a public computer, and then forgot to log out. That also raises another problem -- our EMR uses your Windows credentials to log you in directly. If their system is similar, then leaving a computer open with your login basically allows anyone to access the EMR in your name -- and as mentioned above, if that happened, the OP would be fully responsible for any HIPAA issues, etc.
Part of the issue here is that we all have our online storage of life stuff, which we are accessing all the time. It's super handy, and it's unreasonable to tell people don't access your personal google drive while at work. But I think we all need to be aware that if there is stuff in your drive that you don't want other people seeing (whether it's NSFW, or your taxes), then you should either secure it somehow (not sure if you can lock drive folders with a password), or have a separate drive for stuff you might need at work, etc.
Now, as to the person who actually poked around in the OP's google drive. I agree that there may be a professionalism issue here too. Not in reporting the NSFW material, but in actually poking around. In my example above, the person thought the bag was theirs, opened it, and found the material. Completely a mistake, just like clicking on an NSFW link. But if someone saw a google drive left open, and says "gee, let's see what's in here", that's like searching around in someone's house because they left it unlocked. That's not OK. But it all depends upon the details. And if it's reported anonymously, there's no way to hunt it down.
So:
If someone truly mistakenly clicks on an NSFW link and it's reported, I'd talk to the person about it, but nothing more would come of it.
If someone causes NSFW material to be displayed to others mistakenly, but it's because they somehow brought the material to work / created a situation where others were exposed to it, then we'd remediate it.
If someone knowingly brings NSFW material to work, on purpose, to share / use / distribute, then they get fired.
I'm interested to hear the whole story before determining what happens next, there could be mitigating factors that might change the outcome.
I think that trying to assess the "severity" of the material is difficult. There's no scale, and no one will agree. Institutions should have a clear policy on materials that should not be at work. But it's certain to happen anyway, because there is a grey area / slippery slope. Hence why any complaint should be investigated. Not everything that someone finds offensive is a serious professionalism issue.
Come to work in a MAGA / I'm with Her hat, someone complains. Perhaps a violation of dress code. Result: informal discussion about how you're free to have your own political beliefs, but perhaps not good to advertise them at work. If violation of dress code, point that out.
Come to work in T shirt with an image of HRC and DJT shooting each other with the caption "I'm gonna get you sucka!". Result: Formal meeting with resident and documentation of issue in file. Clear message that this is unacceptable dress at work. Perhaps more remediation depending on whether investigation / review determines that this is a one time event, vs the worst of a history of lower level issues.
Come to work in a T Shirt with an image of DJT doing something unspeakable to HRC with the caption "Take this B****". Your employment comes to an end. Have a nice day.
There's going to be issues that fit between these, or things that people disagree upon. That's fine. That's why we make these decisions as a group, sometimes including HR. And how the resident responds to the event in the short term would definitely play a role in my assessment of the situation.