Healthcare staff in Newfoundland and Labrador were tricked into believing they had been granted a paid day off – only to discover the message was a cybersecurity test designed to track which employees clicked a link.
The email, titled “June Holiday”, landed in thousands of inboxes belonging to workers at NL Health Services. It thanked recipients for their “professionalism” and “work ethic”, cited the hundreds of hours of mandatory overtime many had clocked up while implementing a new digital platform called CorCare, and promised a paid day off as a token of appreciation. “Thank you for the care, professionalism, and commitment you continue to bring to N.L. Health Services and to the people and community we serve,” the message read. Staff were told simply to click a link to register for the holiday. The email came from an external domain: remailmail.com.
The following day, the illusion shattered. Workers were informed that the offer was not real – it was an internal phishing simulation, intended to monitor who followed the link and to test the system’s vulnerability to malicious emails.
Reaction among already exhausted staff was immediate and angry. Union leaders described the exercise as a “cruel hoax”. Jerry Earle, president of the Newfoundland and Labrador Association of Public and Private Employees (NAPE), which represents more than 25,000 public sector workers, said he and his members were “disgusted”. He added that at least one employee had resigned after receiving the email, calling the deception “the straw that broke the back” of burned-out colleagues. Yvette Coffey, president of the Registered Nurses’ Union Newfoundland and Labrador (RNUNL), which represents over 5,800 registered nurses and nurse practitioners, said the test was “very insensitive and very disrespectful to our members” and demanded that someone “be held accountable for this one”.
The email landed during one of the most stressful periods in the province’s healthcare history. CorCare, described as the largest health-system evolution ever launched in Newfoundland and Labrador, replaced multiple outdated electronic records with a single province-wide system. The go-live date was 25 April 2026, and training for more than 20,000 staff had begun in February. The rollout involved deploying approximately 14,000 devices and is expected to cost $600 million over the next decade. But the transition came at a heavy human cost. Staff worked hundreds of hours of mandatory overtime. Nurses were mandated to stay on shift with only a few hours of rest, raising safety concerns for both workers and patients. Many had their vacation requests denied during the implementation. Burnout soared, and some employees quit – not because of the system itself, but because of the relentless pressure and lack of support. In that context, the promise of a single paid day off carried immense emotional weight. To have it revealed as a test was, in the words of Sherry Hillier, president of CUPE Newfoundland and Labrador (which represents over 6,000 workers, including in healthcare), “disgusting”. She accused the employer of exploiting workers’ desperation for time off.
Apology and investigation
Officials at NL Health Services quickly apologised. Ron Johnson, the health board’s interim CEO – who previously served as vice-president of digital health and chief information officer, and who led the CorCare implementation – acknowledged that the exercise “really missed a mark” and was “not reflective of how we value our employees”. In a written statement, he said: “We are taking a step back to review how these exercises are developed and communicated to ensure they reflect the respectful and supportive culture we strive to foster.” An internal investigation has been launched, and there are suggestions the email may have been drafted by an outside contractor such as Ernst & Young.
The apology did little to quell the anger. Union leaders described it as falling well short of capturing the profound disappointment staff felt. Hillier said: “While I understand that cybersecurity awareness is important, especially in a healthcare setting, targeting a benefit like paid time off is disgusting. These workers are tired, burned out, and desperate for time off. As the employer, NL Health knows that and chose to exploit that feeling anyway.”
The cybersecurity test took place against a real and serious threat. Hospitals and healthcare networks across Canada are frequent targets for hackers, who can freeze entire systems in pursuit of ransoms. Newfoundland and Labrador has particular reason to be vigilant: in October 2021, a major ransomware attack – the Hive variant – took the province’s healthcare computer systems offline for months, stealing personal and health information from thousands of people and potentially affecting the “vast majority” of the population. A subsequent report by the provincial information and privacy commissioner concluded the attack was “almost an inevitability” because officials had been aware of security weaknesses but had failed to address them. Phishing simulations are a standard tool in defending against such threats, but experts argue they must be designed to build confidence, not resentment. One human resources expert noted that the fierce reaction to this test reveals a deep divide between NL Health Services and its workforce: if employees felt genuinely valued, their response would have been very different.
For now, the trust between the health authority and its exhausted staff has been further eroded. Yvette Coffey has made clear that an apology alone is not enough, and that those responsible for authorising the “cruel hoax” should face consequences. Jerry Earle echoed the call for accountability, insisting his members “deserve better than to be taunted with the promise of a day off after the incredible amount of work and sacrifice they made to get CorCare up and running”.
