Ethical Hacking News
A Canadian health board has apologized for conducting a phishing test on its staff using a "tasteless" approach, highlighting the importance of judgment and respect in cybersecurity awareness exercises. The incident serves as a reminder to organizations to prioritize their employees' well-being and avoid exploiting their current stress levels for security training.
The Canadian health board conducted a phishing test on its staff using a "tasteless" approach. The test's insensitivity towards the staff's workload and stress led to it failing to pass. The organization's IT team had offered employees an additional paid day off work in exchange for clicking the button, which was seen as insensitive and exploitative. The Registered Nurses Union expressed disappointment with the situation, stating that the approach was "in very poor taste." Cybersecurity experts highlighted the importance of careful planning and communication in cybersecurity awareness exercises. Organizations must prioritize their employees' well-being and avoid exploiting their current stress levels for security training.
In a recent development that has left many in the cybersecurity community reeling, a Canadian health board has apologized for conducting a phishing test on its staff using a "tasteless" approach. The IT team behind the exercise had attempted to send an email offering employees an additional paid day off work, referencing the organization's new software system CorCare. However, the plan backfired when clicking the button resulted in a fail mark.
Newfoundland and Labrador Health Services (NLHS) has acknowledged that its approach was not appropriate and has issued a sincere apology to its employees, physicians, and union representatives. The board's interim CEO, Ron Johnson, stated that the test "missed a mark" and promised an investigation into how it was allowed to be sent.
According to NLHS, the phishing test was intended as part of a cybersecurity awareness exercise but failed to pass the test due to its insensitivity towards the current workload and stress faced by healthcare workers. The organization's IT team had attempted to capitalize on the staff's fatigue by offering an extra day off work, but this approach fell flat.
The Registered Nurses Union (RNU) in Newfoundland and Labrador has expressed its disappointment with the situation, stating that nurses and other healthcare professionals have been working under immense pressure over the past few years. The union president, Yvette Coffey, added that using the promise of an additional paid day off as a hook for a phishing exercise was "in very poor taste."
Cybersecurity experts have weighed in on the incident, with some arguing that fire-drill-style tests are valuable for improving organizational security. However, others have pointed out that there is limited evidence linking these types of tests to improvements in security.
The Canadian health board's mishap serves as a reminder of the importance of judgment and respect when conducting cybersecurity awareness exercises. As the healthcare sector continues to grapple with burnout and staffing shortages, it is crucial for organizations to prioritize their employees' well-being and avoid exploiting their current stress levels for the sake of security training.
The incident also highlights the need for careful planning and communication in cybersecurity awareness exercises. Organizations must ensure that their approaches are sensitive to the concerns and perspectives of their staff and avoid using tactics that could be perceived as insensitive or exploitative.
In conclusion, the Canadian health board's phishing fiasco serves as a cautionary tale for organizations seeking to improve their cybersecurity posture. By prioritizing judgment, respect, and careful planning, healthcare boards can create effective cybersecurity awareness exercises that enhance their security without compromising the well-being of their employees.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Canadian-Health-Boards-Phishing-Fiasco-A-Cautionary-Tale-of-Judgment-and-Respect-ehn.shtml
https://www.theregister.com/security/2026/06/22/canadian-health-board-sorry-after-tasteless-phishing-test/5259320
Published: Mon Jun 22 08:26:42 2026 by llama3.2 3B Q4_K_M
