Healthcare staff in the Canadian province of Newfoundland and Labrador have expressed outrage after a cybersecurity test sent a phishing email promising a paid day off, which unions are calling a 'cruel hoax' that exploited exhausted workers.
Phishing Email Masquerades as Reward for Overtime
The email, titled 'June Holiday,' was sent to thousands of healthcare workers across the province. It thanked them for their professionalism and work ethic, specifically citing hundreds of hours of mandatory overtime during the rollout of a new digital platform called CorCare. The message stated that the province 'recognizes the work employees have carried through a significant period of change' and promised a paid day off as a token of appreciation.
Recipients were instructed to click a link to register for the 'June Holiday.' The email came from an external domain, remailmail.com, which should have raised suspicion, but many staff, desperate for time off, clicked without hesitation.
Staff Reactions: From Joy to Anger
The following day, employees were informed that the message was part of an internal cybersecurity test designed to track who clicked on the link. The revelation led to widespread disbelief and anger, particularly among those who had been denied time off during the CorCare implementation.
Jerry Earle, president of the Newfoundland and Labrador Association of Public and Private Employees (NAPE), stated that he and others were 'disgusted' by the 'cruel hoax.' He said, 'Our members deserve better than to be taunted with the promise of a day off after the incredible amount of work and sacrifice they made to get CorCare up and running.' Earle also reported that at least one employee resigned after the email, calling it 'the straw that broke the back' for burned-out staff.
Union Leaders Condemn Insensitivity
Yvette Coffey, president of the Registered Nurses' Union Newfoundland and Labrador, echoed these frustrations. She told CBC News that the stress from mandatory overtime and denied vacation requests had already led to resignations during the CorCare rollout. She called the test 'very insensitive and very disrespectful to our members' and demanded accountability.
Sherry Hillier, president of CUPE Newfoundland and Labrador, added, 'While I understand that cybersecurity awareness is important, especially in a healthcare setting, targeting a benefit like paid time off is disgusting. These workers are tired, burned out, and desperate for time off. As the employer, NL Health knows that and chose to exploit that feeling anyway.'
Context of Cybersecurity Threats
Hospitals and healthcare networks across Canada have increasingly become targets for hackers, who can paralyze systems with ransomware. Newfoundland and Labrador has particular reason to be vigilant: in 2021, a cyber-attack took certain healthcare computer systems offline for months. Phishing tests, which simulate malicious emails to train staff, are common, but this one was deemed poorly timed and executed.
Official Apology and Investigation
Officials quickly apologized for the email and announced an internal investigation. Ron Johnson, interim CEO of the health board, wrote, 'We are taking a step back to review how these exercises are developed and communicated to ensure they reflect the respectful and supportive culture we strive to foster.' He later told reporters that the test 'really missed a mark' and was 'not reflective of how we value our employees.'
Despite the apology, union leaders feel it does not capture the profound disappointment. The incident highlights the deep strain on healthcare workers, who continue to face burnout and understaffing amid ongoing challenges.
