Firing blamed on bug: Wrongful-termination lawsuit by St. Francis employee says software installed porn links

Respiratory therapist David Farr claims he lost his job with St. Francis Hospital and Health Centers last year over an infection that never harmed a patient.

Hundreds of pornography links found in a computer Farr shared with six other therapists prompted the hospital to fire him. However, Farr said he never knew the links existed, according to a lawsuit he filed in federal court over his dismissal.

The therapist blames poor computer security for allowing malicious porn-promoting software from Russia to infect

the terminal. His password just happened to be in use when it occurred, the lawsuit states.

St. Francis officials call Farr’s accusations “entirely baseless” and the lawsuit, filed last month, is far from decided. But the case draws attention to the oftencloudy world of employers, computers and the employees who use them.

Employee Internet use is a hot topic among many employers, who worry about lost productivity and offensive behavior fostered by Web surfing, said Susan Kline, an employment lawyer with Indianapolis firm Baker & Daniels.

“It’s a little challenging to stay ahead of the game because technology is moving so fast,” she said.

Indiana employers would be “entirely within their rights” to dismiss an employee caught with stashes of Internet porn on his or her computer, Kline said.

However, the issue often isn’t that black and white, according to several computer experts who say it can be difficult to determine whether the employee was the one who stockpiled the porn.

Farr’s lawsuit claims he had nothing to do with it.

St. Francis fired him last August after a supervisor at the Beech Grove hospital told Farr someone using his password had stored pornography links in an Internet “favorites” file on the shared computer.

Farr never looked at that file, according to his lawsuit. St. Francis eventually gave him a list of shortcuts they found that link to hundreds of Web sites offering porn for a fee.

“The materials provided by St. Francis give no evidence that anyone actually accessed any of these Web sites,” according to Farr’s complaint, which also says no one “intentionally loaded” the list onto the computer.

It blames the Russian software, also known as malware, and claims the computer was defenseless to viruses and other intrusions.

“This lack of protective software also exposed the patient information on the computer to unauthorized third parties,” the complaint states, although it doesn’t provide examples of that.

Farr referred an interview request to his Bloomington lawyer, Thomas Berry, who declined to comment.

St. Francis officials said in an e-mailed response to questions that the hospital network employs a “complete anti-virus strategy” that protects patient information and ensures security. The hospital network’s information professionals also are well versed in security technology, investigation and computer forensics.

However, several computer experts not involved in this case said Farr’s explanation is entirely plausible.

“Having the favorites folder populated with a large amount of porn links is almost a classic symptom of adware and spyware infection,” said Mary Landesman, the computer anti-virus expert for About.com.

Both often are unintentionally imported into computers. Adware pops up unsolicited ads and can redirect a Web surfer to different sites. Spyware monitors computer usage. And both can add Web sites to a user’s favorites file, said Auri Rahimzadeh, an Indianapolis technology consultant who has written three books on hacking.

Pop-up ads and user agreements a Web surfer doesn’t fully read before clicking the “Yes” button often spread spyware and adware.

Landesman said these programs started surfacing about three years ago and have “grown exponentially” since then. “It’s a tremendous problem,” she said. Hackers have many ways and reasons to sneak into someone’s computer system, especially if it’s not well protected, said Eugene H. Spafford, a Purdue University computer science professor.

For instance, child pornography collectors sometimes store their stash in a computer system they’ve violated. That way, their computer is safe if searched by police.

Spafford, who emphasized that he knows nothing about the St. Francis case, called Farr’s claim “within the realm of reason.” He said Russia generates a lot of Internet crime and has either very weak or non-existent laws prohibiting malware.

He also said it can be difficult to link material directly to a computer user, even if that person has to log on using a password.

“There are so many other ways to introduce something into a system that the mere presence is not sufficient to draw a conclusion, and employers should recognize that,” he said.

However, blaming a virus or some sort of computer infection also can be a convenient cover for an employee who did, in fact, do something wrong.

“That has been done in several cases, where someone claimed a Trojan horse or someone breaking into a system planted things,” he said.

Internet use has been a growing concern among employers since it became commonplace at work over the past decade or so, Kline said. In many cases, companies are still sorting out how to handle it.

The lawyer said employers need a well-communicated policy that puts workers on notice about computer-use restrictions.

“Anything done with the company computer could be viewed by management,” she noted.

Employers also need excellent computer security to ward off the more than 130,000 computer viruses that exist, according to Spafford.

Most medium and large businesses have decent antivirus protection, but they might be lacking when it comes to restricting network access or guarding against other forms of malicious software like spyware, Rahimzadeh said.

Landesman agreed, saying adware and spyware now present more of a problem for the average consumer than viruses.

She said the best forms of protection also involve the user, who can avoid triggering an infection by ignoring pop-up ads that may materialize while surfing.

“People have to become engaged in their own security,” she said.