Imagine spending months working mandatory overtime, battling a glitchy new electronic health records system, and watching your hard-earned vacation requests get repeatedly denied. Then, an email drops into your inbox from your employer. The subject line reads "June Holiday" and thanks you for your incredible sacrifice, offering a fully paid day off as a token of appreciation. You feel a wave of relief. You register for the day off, only for a red message to pop up informing you that you just failed a corporate cybersecurity test.
This exact scenario just played out for thousands of staff members at Newfoundland and Labrador Health Services (NLHS) in Canada. The health authority sent out a simulated phishing attack that promised exhausted nurses, support staff, and doctors a much-needed break, all to see who would click a malicious link.
The backlash was instant, fierce, and entirely justified. Union leaders called the move a cruel hoax, insulting, and a massive lapse in judgment. While cybersecurity training is critical in modern medicine, using basic human exhaustion as bait crosses a clear ethical boundary.
The Cruel Hook of the June Holiday Simulation
The fake email targeted a workforce that was already at its breaking point. For months, healthcare workers across Newfoundland and Labrador have been dealing with the messy rollout of CorCare, a new province-wide digital health information system. Implementing any major tech upgrade in a hospital setting is brutal. It means extra shifts, endless troubleshooting, and a massive spike in daily workloads.
Staff thought the health authority was finally acknowledging that sacrifice. The email explicitly stated the paid day off was a reward for working through a significant period of change. It gave employees until June 17 to click the link and register.
Instead of a reward, workers were met with a corporate trap. Those who fell for it didn't just get a "fail" mark on their training profile; they felt publicly humiliated and deeply disrespected by their own leadership. One worker shared that they literally teared up with relief when reading the initial offer, only to feel completely foolish seconds later.
Why Baiting Exhausted Workers Backfires Intensely
Security professionals often argue that hackers don't care about your feelings. Real-world scammers love to exploit high-stress situations, urgency, and desires for financial relief or time off. Because cybercriminals use these exact tactics, internal IT departments think they need to mirror that exact cruelty to make their simulations realistic.
That logic is incredibly flawed. A workplace is built on a foundation of professional trust. When an external hacker scams an employee, the employee feels targeted by a criminal. When the employer scams the employee using their own desperation for rest as bait, the worker feels targeted by their boss.
Dr. David Metcalfe, president of the Newfoundland and Labrador Medical Association, pointed out that the test has left many feeling demoralized at a time when workforce morale is already incredibly fragile. It reinforces a growing perception among front-line staff that executives don't take their struggles seriously. If management can mock the need for time off in a training exercise, it implies they view that need as a joke.
The timing could not have been worse. Organizations like the Registered Nurses Union Newfoundland and Labrador have been sounding the alarm on severe nurse shortages, burnout, and mandatory overtime for years. Using a fake day off to trick people who are legally barred from walking away from their shifts isn't just bad security testing. It is horrific human resource management.
The Technical and Administrative Blame Game
Following the public outcry, NLHS executives shifted quickly into damage control. Interim CEO Ron Johnson publicly apologized, admitting that the scenario heavily missed the mark. The health authority launched an internal investigation to figure out how this specific email got approved in the first place.
The investigation is reportedly looking into whether the test was designed internally by the health authority's digital services team or if it was handled by external consultants from Ernst & Young.
External cybersecurity vendors frequently use pre-made templates for phishing simulations. Many of these templates include generic offers for free gift cards, bonuses, or extra vacation days. If an automated system or an outside contractor deployed the campaign without understanding the local context of the CorCare rollout, it shows a dangerous lack of oversight.
But pointing fingers at an outside consulting firm doesn't absolve the health authority. Someone inside the organization's leadership pipeline had to sign off on the campaign or at least hand over the keys to the communication network.
The Financial and Operational Toll of Toxic Security Culture
When employees feel tricked by their employers, the organization pays a massive price that goes far beyond a bad public relations cycle. A toxic approach to security training actually weakens the organization's overall defensive posture, because the people who should be reporting threats stop trusting the people who ask them to.
If workers feel that IT tests are unfair traps designed to make them look stupid, they stop cooperating. Instead of actively reporting real suspicious emails, employees become resentful. Some workers in Newfoundland have reportedly started discussing early retirement or quitting altogether because of the emotional toll of this specific incident. In a province already desperate for medical personnel, losing even a single nurse over a poorly managed email campaign is a catastrophic failure.
Good cybersecurity relies on a culture where people feel safe reporting mistakes. If someone clicks a real malicious link, you want them to immediately flag it to the IT help desk so the threat can be contained. If your security culture relies on humiliation and emotional manipulation, employees will hide their mistakes out of fear of retaliation or embarrassment. That silence gives real hackers all the time they need to compromise a network.
How Organizations Can Run Better Security Training
You can build a highly resilient workforce without relying on cruel psychological tricks. If you are responsible for managing internal phishing simulations, you need to establish strict boundaries.
First, never use core employee benefits as bait. Paid time off, health insurance updates, bonus structures, and salary adjustments should be completely off-limits for simulated attacks. When you use these topics, you permanently damage the credibility of your official corporate communications. Employees will start ignoring legitimate emails about their benefits because they assume it is another trick.
Second, align your testing with current workplace realities. If a specific department is going through a massive, high-stress transition like the CorCare system implementation, pause the testing for those workers. They are already cognitively overloaded. Flooding them with confusing emails doesn't teach them awareness; it just adds to their exhaustion.
Third, focus on positive reinforcement rather than public failure. Celebrate the teams that successfully identify and report simulated threats. Treat security as a team sport where employees are the front-line defenders, not the targets.
The situation at Newfoundland and Labrador Health Services should serve as a massive warning label for corporate IT departments everywhere. Realism in training matters, but it should never come at the expense of human decency.
If you manage teams or oversee corporate training pipelines, sit down with your IT security providers today. Review every single active phishing template in your queue. Strip out any scenarios that exploit employee hardships, family leave, or mental health resources before your organization sends an email it will regret.
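One way to enforce the review described above before a campaign is sent, as an added example that is not part of the original article or of any NLHS or vendor tooling: a pre-send gate that rejects templates built on off-limits themes (time off, benefits, compensation, leave and wellbeing) and refuses to target departments that are inside a declared testing freeze. The theme patterns, the freeze window and the sample templates are all constructed for illustration.

```python
"""Pre-send gate for phishing-simulation campaigns (illustrative, not production code)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import re

# Lure themes treated as off-limits; the phrase lists are constructed examples, not a standard.
BANNED_THEMES = {
    "paid time off": r"\b(day off|vacation|holiday|pto|time off)\b",
    "benefits": r"\b(health insurance|benefits? update)\b",
    "compensation": r"\b(bonus|salary|pay (raise|adjustment))\b",
    "leave and wellbeing": r"\b(family leave|mental health|eap)\b",
}

# Departments in a major transition get a testing freeze; the window below is a constructed sample.
FREEZES = {"nursing": (date(2025, 6, 1), date(2025, 7, 31))}


@dataclass
class Template:
    name: str
    subject: str
    body: str


@dataclass
class Campaign:
    template: Template
    target_departments: set[str]
    send_date: date


def review_campaign(campaign: Campaign) -> list[str]:
    """Return a list of findings; an empty list means the campaign may be sent."""
    findings: list[str] = []
    text = f"{campaign.template.subject}\n{campaign.template.body}".lower()
    # Flag each banned theme at most once per template, checking subject and body together.
    for theme, pattern in BANNED_THEMES.items():
        if re.search(pattern, text):
            findings.append(f"template '{campaign.template.name}' uses off-limits theme: {theme}")
    # Refuse to target any department whose freeze window covers the send date.
    for dept in sorted(campaign.target_departments):
        window = FREEZES.get(dept)
        if window and window[0] <= campaign.send_date <= window[1]:
            findings.append(f"department '{dept}' is in a testing freeze until {window[1]}")
    return findings
```

Run the gate from the approval step of whatever tool schedules the simulation, and block sending whenever it returns any finding rather than leaving the decision to an individual reviewer.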