Thousands of healthcare workers in Newfoundland and Labrador thought they had finally been given a paid day off as a thank-you for their gruelling work on a new digital health system. The email, titled “June Holiday,” thanked them for their “professionalism and commitment” and promised a token of appreciation – a fully paid day off. It asked them to click a link to register. The message came from an outside domain, remailmail.com, but many staff, exhausted after months of mandatory overtime and denied leave, allowed themselves a moment of overdue relief.
The following day, that relief turned to disbelief and anger. NL Health Services revealed that the offer was a fiction – an internal cybersecurity test designed to track which employees clicked on the link. The “June Holiday” was a phishing simulation, intended to gauge how easily staff could be lured into clicking a malicious link. For workers who had already given hundreds of hours of unpaid overtime to implement the province’s new electronic health record system, CorCare, the trick felt like a betrayal.
The test and its toll on trust
Cybersecurity awareness is a legitimate priority for healthcare networks, which have become a frequent target for hackers. Newfoundland and Labrador knows this firsthand: in 2021, a cyberattack blamed on the Hive ransomware group used a stolen password to take certain healthcare computer systems offline for months, stealing personal health information and personal data of clients and employees. The province offered credit monitoring and identity theft protection to those affected. Phishing simulations are a common tool to train staff to spot dangerous emails, but experts warn that their effectiveness depends on trust and empathy. A poorly designed test – especially one that exploits a genuine need like time off – can do lasting damage to morale.
The CorCare rollout was already a source of extraordinary strain. Described as the largest digital project in the province’s history, the system was meant to replace outdated digital platforms with a single, integrated electronic health record. But its implementation was rushed, with physicians raising concerns about potential risks to patient care, the terms of access agreements, and the financial burden it placed on practices. Some doctors considered early retirement or closure. For nursing and support staff, the project meant mandatory overtime, denied vacation requests, and soaring workloads. Burnout was already a crisis: union leaders have noted that for every 100 nurses under 35 entering the profession in the province, 98 are leaving – a retention problem that predated this incident.
“Our members deserve better than to be taunted with the promise of a day off after the incredible amount of work and sacrifice they made to get CorCare up and running,” said Jerry Earle, president of the Newfoundland and Labrador Association of Public and Private Employees (NAPE), which represents more than 25,000 workers. He described the email as a “cruel hoax” and said at least one person had quit as a result, calling it the “straw that broke the back” for burned‑out employees. Earle also indicated that some workers were now considering accelerated retirement.
Yvette Coffey, president of the Registered Nurses’ Union Newfoundland and Labrador, which represents over 5,800 registered nurses and nurse practitioners, called the test “very insensitive and very disrespectful.” She highlighted the stress of mandatory overtime and denied holiday requests during the CorCare implementation, and demanded that someone be held accountable. Sherry Hillier, president of CUPE Newfoundland and Labrador – representing more than 6,000 workers – said targeting a benefit like paid time off was “disgusting.” In a statement she added: “These workers are tired, burned out, and desperate for time off. As the employer, NL Health knows that and chose to exploit that feeling anyway.”
Ron Johnson, interim CEO of NL Health Services, quickly apologised, acknowledging that the scenario was “in poor taste and disrespectful” and that the exercise “really missed a mark.” He said the board was taking a step back to review how such tests are developed and communicated, and insisted the incident was “not reflective of how we value our employees.” An internal investigation has been launched, with initial inquiries involving consultants from Ernst & Young, who had reportedly been involved in the cybersecurity awareness campaign.
Union leaders said the apology did little to capture the profound disappointment of the workforce. While they recognised the need for robust cybersecurity training in a healthcare setting, they argued that the simulation had exploited the very real exhaustion and desperation of staff. The episode has further eroded the already fragile trust between the health authority and its employees, many of whom feel their sacrifices on the CorCare project were met not with gratitude, but with a calculated trick.
