NL Health Services' phishing test shows why cybersecurity training needs trust, not traps
After NL Health Services apologized for a phishing simulation that promised health-care workers an extra paid day off, security teams should ask how to make awareness training effective without making employees feel punished.
NL Health Services is facing criticism after a cybersecurity awareness exercise used a fake promise of an additional paid day off to test whether employees would click a link. The organization apologized for the exercise, acknowledging concerns about the fictitious “additional paid day off” scenario and saying the approach was not appropriate. Interim CEO Ron Johnson said NL Health Services is reviewing how future awareness exercises are developed and communicated so they reflect employee and physician perspectives and support a respectful workplace culture.
According to CBC reporting and union statements, the simulated phishing email appeared to recognize staff for their work during ongoing system pressures and invited employees to submit a request for a “June Holiday.” The backlash was swift. Unions representing health-care workers said the exercise was insensitive because many employees have been dealing with staffing shortages, burnout, denied leave, overtime, and disruption tied to the CorCare rollout.
The controversy is a reminder that phishing simulations are not just technical exercises. They are trust exercises.
Health care remains a high-value target for phishing attacks. Phishing can threaten protected health information, disrupt critical systems, and create downstream risks for patient care. That means awareness training matters. But the lesson from the NL Health Services controversy is not that organizations should stop training employees. It is that cybersecurity awareness has to be designed with empathy, transparency, and clear educational value.
A phishing simulation that feels like a “gotcha” can undermine the very behavior it is supposed to build. Employees who feel tricked, embarrassed, or punished may become less likely to report suspicious messages, less willing to engage with future training, and less trusting of internal communications. In a high-stress environment like health care, where employees are already navigating workload pressure and operational change, the emotional context of a lure matters.
How to make phishing simulations effective without feeling punitive
The best phishing simulations prepare people for real attacks while reinforcing that employees are part of the defense, not the problem. A few practical principles can help.
Start with the “why”
Explain that the goal is to protect patients, colleagues, systems, and sensitive data. Training should connect phishing awareness to real-world consequences, not just click rates.
Avoid exploiting employee pain points
Real attackers may use sensitive themes, but internal simulations should be careful with topics tied to layoffs, pay, bonuses, benefits, medical issues, emergencies, grief, immigration status, disciplinary action, or time off, especially when those topics are already sources of workplace stress.
Use realistic but respectful scenarios
A good simulation can still be challenging without targeting morale. Common workplace lures such as document shares, password resets, vendor invoices, package notices, HR policy updates, or meeting invitations can test recognition skills without feeling cruel.
Review campaigns through multiple lenses
Before launch, security teams should involve HR, communications, legal, privacy, managers, and, where appropriate, employee or union representatives. The question should not only be “Would an attacker send this?” but also “How will our employees experience this?”
Measure learning, not shame
Metrics should be used to improve the program, not to embarrass individuals. Report results in aggregate, protect employee privacy, and avoid public callouts. The focus should be on trends: reporting rates, repeat exposure, risky workflows, and areas where clearer guidance is needed.
Reward reporting
A strong security culture celebrates employees who report suspicious messages, even if the message turns out to be legitimate. Reporting is often the behavior organizations most need in a real incident.
Pair simulations with timely education
Simulations should not stand alone. They should be part of a continuous learning program that explains what to look for, why a lure can work, and what to do next time.
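As an added example (not code from the page or from any vendor product), here is one way to implement the "measure learning, not shame" and "reward reporting" principles above: simulation results are reduced to aggregate rates per department, small departments are folded into an "Other" bucket so no row can identify one person, and reporting before clicking is tracked as the behaviour to celebrate. The data model and department names are constructed for the example.

```python
# Added example (not the vendor's product code): aggregate simulation results
# so the program can be improved without exposing any individual employee.
from collections import defaultdict

# Constructed sample, one record per recipient. "clicked"/"reported" are
# minutes after send; None means the recipient never took that action.
SAMPLE_RESULTS = [
    {"id": "u1", "dept": "Nursing", "clicked": 12, "reported": 15},
    {"id": "u2", "dept": "Nursing", "clicked": None, "reported": 3},
    {"id": "u3", "dept": "Nursing", "clicked": 40, "reported": None},
    {"id": "u4", "dept": "Nursing", "clicked": None, "reported": None},
    {"id": "u5", "dept": "Nursing", "clicked": None, "reported": 8},
    {"id": "u6", "dept": "Pharmacy", "clicked": 5, "reported": None},
    {"id": "u7", "dept": "Pharmacy", "clicked": None, "reported": 2},
    {"id": "u8", "dept": "Executive", "clicked": 1, "reported": None},
]

MIN_GROUP_SIZE = 5  # groups smaller than this could identify a person


def summarize(results, min_group_size=MIN_GROUP_SIZE):
    """Per-department rates plus an "All" row; no per-person data is returned.

    Departments below min_group_size are folded into "Other". The
    reported_before_click rate is the behaviour to reward: the recipient
    reported the lure before clicking it, or without ever clicking.
    """
    counts = defaultdict(int)
    for r in results:
        counts[r["dept"]] += 1
    groups = defaultdict(list)
    for r in results:
        dept = r["dept"] if counts[r["dept"]] >= min_group_size else "Other"
        groups[dept].append(r)
    groups["All"] = list(results)

    summary = {}
    for dept, rows in groups.items():
        n = len(rows)
        clicked = sum(r["clicked"] is not None for r in rows)
        reported = sum(r["reported"] is not None for r in rows)
        early = sum(
            r["reported"] is not None
            and (r["clicked"] is None or r["reported"] < r["clicked"])
            for r in rows
        )
        summary[dept] = {"recipients": n, "click_rate": round(clicked / n, 2),
                         "report_rate": round(reported / n, 2),
                         "reported_before_click": round(early / n, 2)}
    return summary
```

The output contains only group-level rates, so it can be shared with managers and communications teams without turning into a callout list.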
Where Training Email campaigns fit
This is where our Training Email campaign feature can help. Instead of relying only on simulated phishing emails, organizations can send newsletter-style training emails that cover practical cybersecurity topics throughout the year. These messages can introduce common red flags, explain current threats, reinforce reporting procedures, and provide short, approachable lessons before and after simulations.
For example, a Training Email campaign could cover topics such as how attackers use fake HR notices or benefits updates, how to inspect links before clicking, why credential theft matters in health care, how to report suspicious messages quickly, and what employees should do if they clicked a suspicious link.
When paired with a simulated phishing email, these training messages shift the experience from “we caught you” to “we are helping you practice.” That difference matters.
The bigger takeaway
Cybersecurity teams have a difficult job. They need to prepare employees for attackers who are manipulative, opportunistic, and increasingly convincing. But internal training should not leave employees feeling manipulated by their own organization.
The NL Health Services apology shows that even well-intentioned cybersecurity programs can miss the mark when they overlook workplace context. Phishing simulations work best when they build confidence, not resentment; when they create teachable moments, not embarrassment; and when they make employees more likely to raise their hand the next time something looks suspicious.
The goal is not to prove that people can be fooled. The goal is to help them spot danger sooner, report it faster, and feel supported when they do.
Sources
- CBC News: Phishing email highlights divide between N.L. health authority, employees, expert says
- NL Health Services: NL Health Services apologizes for the recent cybersecurity awareness exercise
- NTV News: RNU responds to NL Health Services phishing exercise using fake promise of paid leave
- NAPE: NAPE outraged by NLHS phishing exercise targeting healthcare workers
- CISA: Phishing Guidance: Stopping the Attack Cycle at Phase One