Taunted with the promise of a day off after incredible sacrifice
In Newfoundland and Labrador, thousands of healthcare workers who had endured months of mandatory overtime and denied vacation requests received an email promising a paid day off — only to discover it was a cybersecurity phishing simulation. The incident, which prompted at least one resignation, lays bare a deeper tension in institutional life: the tools we build to protect systems can, when wielded without wisdom, wound the very people those systems depend upon. Trust, once spent as bait, is not easily replenished.
- Healthcare workers already hollowed out by mandatory overtime and blocked vacation requests felt a rare moment of relief when an email arrived promising a paid day off — a relief that was entirely manufactured.
- When the deception was revealed, the reaction was not merely frustration but something closer to betrayal — at least one worker quit, naming the phishing test as the final, unbearable straw.
- Union leaders across multiple organizations condemned the exercise as cruel and disrespectful, demanding accountability and a fundamental rethinking of how cybersecurity drills are conducted in high-burnout environments.
- The health board's interim CEO apologized and launched an internal review, but union leaders argued the apology failed to reckon with the depth of the harm — that the employer had knowingly exploited workers' desperation.
- The episode now sits at the intersection of two legitimate crises: a healthcare workforce on the edge of collapse, and a system that genuinely needs its staff to recognize phishing threats — with no easy resolution in sight.
On a Tuesday morning, thousands of healthcare workers across Newfoundland and Labrador opened an email with a subject line that read simply: "June Holiday." It thanked them for their sacrifice, acknowledged the grueling mandatory overtime they had endured during the rollout of a new digital platform called CorCare, and offered what had been denied to them for months — a paid day off. All they had to do was click a link.
For a workforce running on fumes, it felt like a turning point. Burnout had become the system's baseline. Vacation requests had been refused. The CorCare implementation had piled new demands onto people who had nothing left to give. The email, for a moment, felt like recognition.
The next morning, they learned it was a trap. The message had originated from an outside domain, a detail easy to miss in a moment of relief. It was a phishing simulation — a cybersecurity test. The link led nowhere. The day off did not exist. Those who had clicked were flagged as vulnerabilities.
The fallout was immediate. Jerry Earle of the Newfoundland and Labrador Association of Public and Private Employees called it a "cruel hoax" and confirmed that at least one worker had resigned, citing the test as the breaking point after months of burnout. Registered Nurses' Union president Yvette Coffey called the exercise "very insensitive and very disrespectful," while CUPE's Sherry Hillier was more direct: the employer had known exactly how desperate its workers were, and had chosen to exploit that desperation anyway.
The health board's interim CEO, Ron Johnson, apologized and announced an internal investigation, conceding the test had "really missed a mark." Union leaders accepted the apology but insisted it did not reach the full depth of the harm done.
The province was not wrong to take cybersecurity seriously — a 2021 ransomware attack had paralyzed its health systems for months, and phishing remains a genuine threat. But the choice of bait revealed a profound failure of judgment: the test did not merely probe for technical vulnerability. It turned exhaustion and hope into weapons, and aimed them at the people the system could least afford to lose.
The email arrived on a Tuesday, subject line simple and hopeful: "June Holiday." To thousands of exhausted healthcare workers in Newfoundland and Labrador, it felt like a small miracle. The message thanked them for their professionalism and sacrifice, acknowledged the grueling mandatory overtime they'd endured while implementing a new digital system called CorCare, and offered something they'd been denied for months: a paid day off. "Thank you for the care, professionalism, and commitment you continue to bring to N.L. Health Services," it read. All they had to do was click a link to claim it.
For years, the province's healthcare workforce had been running on fumes. Turnover was climbing. Burnout was becoming the default state. Resources were stretched so thin that the system felt perpetually on the verge of collapse. The CorCare rollout had only made things worse—mandatory overtime piled on top of existing exhaustion, vacation requests denied because the work couldn't stop. When this email landed in their inboxes, many staff members felt something shift. Maybe, finally, someone was acknowledging what they'd endured.
The next morning, they learned the truth. The email had come from an outside domain, remailmail.com, a detail most had missed in their moment of relief. It was a cybersecurity test. The link was a trap. Anyone who clicked it had been flagged as vulnerable to phishing attacks. There was no paid day off. There never had been.
The reaction was swift and raw. Jerry Earle, president of the Newfoundland and Labrador Association of Public and Private Employees, called it a "cruel hoax." He said at least one worker had quit over the incident, describing it as the final straw for someone already broken by burnout. "Our members deserve better than to be taunted with the promise of a day off," Earle said. Yvette Coffey, president of the Registered Nurses' Union Newfoundland and Labrador, echoed the anger, telling reporters the test was "very insensitive and very disrespectful." She noted that the stress of mandatory overtime combined with denied vacation had already driven people to leave during the CorCare implementation. This email, she said, demanded accountability.
The health board's interim CEO, Ron Johnson, apologized quickly, acknowledging that the test "really missed a mark" and was "not reflective of how we value our employees." He announced an internal investigation into how the exercise had been developed and sent. But union leaders said the apology didn't capture the depth of the betrayal. Sherry Hillier, president of CUPE Newfoundland and Labrador, was blunt: "These workers are tired, burned out, and desperate for time off. As the employer, NL Health knows that and chose to exploit that feeling anyway."
The irony was not lost on anyone. Cybersecurity awareness matters in healthcare—the province had learned that lesson in 2021 when a ransomware attack had crippled systems for months. Phishing tests are a legitimate tool for protecting patient data and hospital infrastructure. But the choice of bait, the timing, and the target revealed a profound disconnect between those designing the test and those living inside the crisis they were testing. The email didn't just trick people into clicking a link. It weaponized their exhaustion and their hope against them.
Citações Notáveis
Our members deserve better than to be taunted with the promise of a day off after the incredible amount of work and sacrifice they made to get CorCare up and running.— Jerry Earle, president of the Newfoundland and Labrador Association of Public and Private Employees
These workers are tired, burned out, and desperate for time off. As the employer, NL Health knows that and chose to exploit that feeling anyway.— Sherry Hillier, president of CUPE Newfoundland and Labrador
A Conversa do Hearth Outra perspectiva sobre a história
Why would a hospital deliberately send a fake promise of time off to burned-out staff? That seems almost deliberately cruel.
It wasn't deliberate cruelty—it was thoughtlessness. Cybersecurity teams know phishing is a real threat. They needed to test whether staff would click suspicious links. But they didn't think about what bait would actually work on their own workforce, or what it would feel like to dangle relief in front of people who'd been denied it for months.
So the test worked too well?
Exactly. It worked because it exploited something real—the desperation for rest. That's what made it so damaging. It wasn't just a failed security test. It was a moment when the institution revealed it understood its workers' vulnerability and used it anyway.
Did anyone actually face consequences for sending it?
The CEO apologized and promised an investigation, but the unions were clear that wasn't enough. At least one person quit. You don't come back from that kind of betrayal just because someone says they're sorry.
What happens now?
The health board said they're reviewing how they design and communicate these exercises. But the real question is whether they'll actually change the culture—whether they'll stop treating cybersecurity tests as separate from the human reality of their workforce.