Canadian health board apologises after phishing test offers fake vacation days

Microsoft has apologised after a Canadian health board’s IT department sent a phishing test that dangled the prospect of extra vacation days in front of overworked medical staff, a move the board now admits was “tasteless and inappropriate.”

On Monday, 22 June 2026, the health board issued a public statement acknowledging the misjudged exercise, which was intended as a routine security drill but instead sparked outrage among frontline workers already stretched thin by staffing shortages and pandemic-era pressures. The simulated phishing email, sent on 20 June 2026, offered employees additional paid leave as a reward for completing a “mandatory wellness survey,” according to internal screenshots reviewed by *The Register* . Staff who clicked the link were redirected to a page that revealed the exercise, but not before triggering alarm among recipients who feared their personal data had been compromised.

“This was not a genuine offer, and we deeply regret the distress it caused,” the board said in a statement, emphasising that no actual leave was on offer and no data was at risk. The apology follows swift backlash on social media, where healthcare workers criticised the board for exploiting a well-documented mental health crisis in the sector. One nurse, who asked not to be named, told *The Register*: “After years of burnout, the last thing we need is a fake incentive dangled like a carrot by the same people who refuse to hire more staff” .

The incident underscores broader concerns about cybersecurity training in high-pressure environments, where poorly designed drills can erode trust rather than bolster defences. Meanwhile, Microsoft has compounded user frustration by breaking a core function in Outlook for macOS, rendering entire email threads unreplyable in a separate incident reported on the same day . The software giant confirmed that a recent update had disabled the ability to respond to messages, forcing users to resort to webmail or third-party clients as a workaround.

Elsewhere, Canadian utility London Hydro disclosed a data breach on 22 June 2026, admitting that names, addresses, and account details may have been exposed, though the scope and origin of the intrusion remain unclear . The company has not disclosed whether the breach was the result of a phishing attack, ransomware, or another vector, and has not responded to requests for clarification. The episode adds to a growing list of cybersecurity lapses in critical infrastructure, raising questions about oversight and preparedness in sectors increasingly targeted by digital threats.