Phishing awareness test promised workers extra paid day off — only to reveal it was cybersecurity exercise
"To use the promise of an additional paid day off as the hook for a phishing exercise was in very poor taste," said Yvette Coffey, president of the Registered Nurses' Union Newfoundland and Labrador (RNU).
Health-care unions in Newfoundland and Labrador are calling out the province's health authority after it sent employees a phishing test email falsely promising a paid day off in recognition of their work.
The email — titled "June Holiday" — was sent to NL Health Services staff on June 16, 2026, according to the Newfoundland and Labrador Association of Public and Private Employees (NAPE). It told employees that in recognition of their contributions during the CorCare transition, all employees would receive one additional paid day off and invited them to register by clicking an embedded link.
The email concluded, "Thank you for the care, professionalism, and commitment you continue to bring to N.L. Health Services and to the people and community we serve," according to CBC.
The message was not a genuine offer. It was designed to track whether employees would click the link as part of an internal cybersecurity awareness exercise.
Phishing exercise criticized by union
NL Health Services vice president of digital health and interim chief information officer Steve Lockyer apologized in an email sent Wednesday, according to CBC: "We are taking a step back to review how these exercises are developed and communicated to ensure they reflect the respectful and supportive culture we strive to foster.”
The apology has not satisfied union leaders.
"I am absolutely disgusted that NL Health Services would do this to our hard-working health-care staff," said NAPE president Jerry Earle in a release.
"Our members deserve better than to be taunted with the promise of a day off after the incredible amount of work and sacrifice they made to get CorCare up and running. Many members were denied vacation, worked countless extra hours, and spent time away from their families and loved ones during the CorCare launch. To use those sacrifices as the basis for a phishing test is nothing short of cruel."
Earle said NAPE became aware of the email late Tuesday after members began contacting the union to verify whether the message was legitimate. It was then confirmed that the email originated from NL Health Services as part of an internal cybersecurity exercise.
"Everyone understands the importance of cybersecurity; however, there are appropriate ways to conduct these exercises, and this was not one of them. Exploiting the hard work and the goodwill of healthcare workers to test cybersecurity awareness crossed a major line," he said.
Controversy with CorCare rollout
CorCare — expected to cost $600 million over a decade — was implemented by the health authority on April 25, according to the CBC. It was designed to give health-care professionals and patients a single shared digital health record and to support safer, more continuous care across hospitals, clinics and community services, according to CBC.
The rollout was not without controversy: some doctors said a mandatory sign-on requirement was unfair, and the health authority ultimately made it voluntary. The contract was also changed so that community physicians would not have to assume legal and financial liability for privacy breaches, according to the media outlet.
"Members and other health-care professionals have every right to be perplexed and more than a little miffed," said Coffey. "They deserve genuine recognition for the work they are doing, not a fake promise of appreciation used as a test."
