Playing On Your Pain: A Phishing Expedition

On the afternoon of Tuesday, April 12, OHSU sent a fake phishing-exercise email to the OHSU community announcing a new OHSU COVID-19 support program that would provide up to $7,500 in assistance to employees experiencing financial hardship as a result of the pandemic. 

Employees who clicked on the link to register, hoping for much-needed economic relief, were met with a message letting them know there would be no assistance — the email was a test of how well employees could determine whether an email was a phishing scam. While this was certainly an effective way for OHSU to run this test, one does have to wonder if waging psychological warfare on your own employees is the best way to educate them on cybersecurity.

Right now, many of our members and others are struggling with food and housing insecurity, and many of your budgets are being stretched beyond their capacity. Historic inflation has exacerbated the hardships caused by the COVID-19 pandemic. The decision to send today’s email is a cruel reminder that, ultimately, OHSU does not truly care about its employees and their struggles, particularly their mental health; further proof of this is that the fake email was sent under the name of a Local 328 member, potentially subjecting this employee to a deluge of hurtful and angry emails. 

It’s also important to note that this thoughtless email was sent during bargaining. Generally speaking, emails about benefits or program changes are best kept factual and straightforward during negotiations. This is particularly true of an employer that has a history of spreading misinformation about what’s happening in bargaining. While our union doesn’t believe this email was sent with such an impact intended, but the fact that nobody said, “Wait, is this a good idea given what our employees have been through the past two years? Is it a good idea during bargaining?” is telling. 

Today is a bargaining day, and our union’s team was working in our afternoon caucus when the first emails from rightfully upset members started coming in. We immediately stopped our caucus and demanded a sidebar conference with OHSU. When confronted, OHSU’s team reported that they didn’t know the email was going to be sent. This is yet another example of how “We didn’t know” is a common and convenient way for OHSU to shield its leadership from responsibility for OHSU’s toxic actions and decisions over the years. Why didn’t you know?

It’s beyond tiresome to hear “We didn’t know” in the wake of multiple OHSU scandals over the past few years. At OHSU, the buck conveniently never stops with those in charge — it just drifts around until the next scandal replaces it. At some point, perhaps someone at OHSU with authority will design a system in which the left hand and the right hand actually coordinate with each other. Until that point, our members are subjected to the whims of OHSU’s worst ideas and behaviors, and this phishing email can now take its place with OHSU’s many other missteps.

The text of OHSU’s email re: this incident, sent at 7:24 p.m. tonight, can be found here.

Before commenting, please read our guidelines here.