Health board apologizes for phishing staff with bogus vacation day
IT thought a fake offer of extra time off for hard-pressed Canadian medical workers was the way to go
A Canadian healthcare organization has apologized after its IT team carried out a phishing test falsely offering staff an additional paid day off work.
Newfoundland and Labrador Health Services said the phishing test was sent to employees and physicians, acknowledging the theme was inappropriate.
"We acknowledge the approach taken in this particular exercise was not appropriate, and we sincerely apologize to employees, physicians, and union representatives," said Ron Johnson, interim CEO at NL Health Services.
"We value the feedback and are reviewing how future awareness exercises are developed and communicated. It is important they reflect employee and physician perspectives, as well as our organizational values, to foster a respectful and supportive workplace culture."
The test came during an already fractious period for healthcare staff, who had recently worked long hours to launch the new software system CorCare across the organization.
NL Health Services referenced CorCare in the test email, thanking staff for their hard work on the launch. The email contained a button to click to redeem an additional paid vacation day, but clicking the button resulted in a fail mark.
The Registered Nurses Union (RNU) in Newfoundland and Labrador said the test was especially insensitive since nurses and other healthcare professionals were already struggling to secure paid time off.
Burnout and staffing shortages are rife in the healthcare sector – two factors referenced by RNU president Yvette Coffey in her response to the news.
"Yes, we have heard concerns from members about this, and frankly, I understand why they are upset," she said.
"Nurses and other healthcare professionals have worked through enormous pressure over the last number of years, including ongoing staffing shortages, burnout, organizational restructuring, and the challenges connected to the rollout of CorCare. To use the promise of an additional paid day off as the hook for a phishing exercise was in very poor taste."
Coffey added: "Cybersecurity education is important, but it needs to be done with judgment and respect. There are many ways to test phishing awareness without exploiting the very real stress, fatigue, and frustration healthcare workers are experiencing."
Johnson told reporters at a press conference that the test "missed a mark," and promised to investigate how it was allowed to be sent.
"What happened here, obviously, is that all the lenses that were required to review the scenario weren't placed on it," he said. "It's not reflective of how we value our employees."
With cybersecurity awareness being incredibly important in critical infrastructure organizations, some IT experts would argue that these kinds of tests are valuable.
Cyberattacks on hospitals and healthcare facilities can lead to devastating consequences, including vital procedures being canceled, service downtime, and in the rarest cases, death.
However, as others have previously pointed out, there isn't much evidence linking fire-drill-style tests to improvements in organizational security. ®
Originally published on The Register