"We acknowledge the approach taken in this particular exercise was not appropriate, and we sincerely apologize to employees, physicians, and union representatives," said Ron Johnson, interim CEO at NL Health Services.
The CorCare-linked phishing email and how it worked
Newfoundland and Labrador Health Services (NL Health Services) sent a phishing-awareness test to employees and physicians that used a tempting offer as its lure: an additional paid day off. The email referenced the recent CorCare software launch, thanked staff for their work on that rollout, and included a button whose label offered to redeem an additional paid vacation day. Recipients who clicked the button were marked as having failed the exercise.
NL Health Services' apology and promised review
NL Health Services acknowledged the test's theme was inappropriate and issued an apology through interim CEO Ron Johnson. At a press conference Johnson said the exercise "missed a mark," and promised to investigate how the scenario was approved and sent. "What happened here, obviously, is that all the lenses that were required to review the scenario weren't placed on it," he said, adding the exercise "is not reflective of how we value our employees." The organization said it will review how future awareness exercises are developed and communicated so they "reflect employee and physician perspectives, as well as our organizational values, to foster a respectful and supportive workplace culture."
Registered Nurses Union reaction and staffing context
The Registered Nurses Union (RNU) in Newfoundland and Labrador described the test as especially insensitive. RNU president Yvette Coffey said nurses and other healthcare professionals were already struggling to secure paid time off amid "ongoing staffing shortages, burnout, organizational restructuring, and the challenges connected to the rollout of CorCare." Coffey added: "Yes, we have heard concerns from members about this, and frankly, I understand why they are upset." She criticized the tactic as "in very poor taste" and emphasized that while cybersecurity education is important, "it needs to be done with judgment and respect. There are many ways to test phishing awareness without exploiting the very real stress, fatigue, and frustration healthcare workers are experiencing."
Cybersecurity trade-offs and the evidence on phishing drills
The episode highlights a familiar tension inside critical infrastructure organizations: cybersecurity awareness must be balanced with sensitivity to operational stress. The Register's coverage noted that some IT experts argue these kinds of tests are valuable because cyberattacks on hospitals and healthcare facilities can have severe effects, including cancelled procedures, service downtime, and in the rarest cases, death. At the same time, the report also observed that "there isn't much evidence linking fire‑drill‑style tests to improvements in organizational security," a point that complicates any simple calculus in favor of aggressive or provocative testing methods.
What this means for technologists, union representatives, and NL Health Services
- Technologists and security teams: The immediate lesson is a procedural one. NL Health Services has signalled it will review how exercises are approved and reviewed. Technical teams should expect new checks on test design, closer alignment with communications and HR, and perhaps oversight to ensure themes do not exploit operational pain points.
- Union representatives and front-line staff: The RNU response shows unions will publicly push back when awareness exercises intersect with persistent workplace problems like staffing shortages and burnout. Expect demands for consultation before future exercises and for tests to avoid incentives or promises that touch on benefits and time off.
- NL Health Services leadership and communications: Leadership has committed to investigate how the campaign was allowed and to change how future exercises are developed and communicated. That will require reconciling cybersecurity objectives with employee morale and the optics of messaging during a fraught operational period tied to CorCare's rollout.
The episode closes on a clear, institutional question: how to teach essential cyber hygiene without deepening the mistrust of staff already operating under strain. NL Health Services has apologized and pledged a review; the Registered Nurses Union has already signalled it will press for better judgment. Whether the promised investigation produces stricter internal controls, new consultation mechanisms, or a revised set of acceptable testing scenarios will determine whether this becomes an instructive correction or merely a public-relations blip.
Read the original report: https://www.theregister.com/security/2026/06/22/canadian-health-board-sorry-after-tasteless-phishing-test/5259320




