Chief Information Security Officer Brings Vast Federal and Healthcare Experience to ARUP

Remember the Nigerian prince promising a hefty reward for help in transferring a large sum of money into a U.S. bank account? If only phishing emails were still so silly.

The much more sophisticated missives bombarding mailboxes nowadays are infinitely harder to detect as fraudulent. They are expertly targeted, polished, and persuasive, the product of generative artificial intelligence (AI) that knows a shocking amount about us.

They are also a primary way that healthcare companies and the protected health information (PHI) core to their operations are breached, said James Hadley, CISSP, ARUP’s chief information security officer (CISO). Phishing attacks are rampant, and the number of records exposed grows by the day: In 2024, there were 725 data breaches of more than 500 patient records in which more than 275 million total records were compromised, according to The HIPAA Journal 2024 Healthcare Data Breach Report. The publication estimated that the records of 82% of the U.S. population were exposed, stolen, or used without permission in 2024.

“Mature companies understand there’s no way to completely eliminate risk, but there are ways to reduce and manage it,” Hadley said.

He’s up to the challenge.

Hadley joined ARUP in July 2025 as the company’s first CISO, filling a role that Chief Information Officer Sarah Teofilo created in recognition of the need for ARUP to build on an information security program established decades ago when the internet first started to transform business. The growing complexity of ARUP’s information systems, the evolving cyberthreat landscape, and the importance of maintaining the trust and confidence of clients necessitated carving out the CISO role as distinct from the director of enterprise technology role, which had been responsible for information security.

Teofilo said she sought an expert with strong technical competence but also emotional intelligence and leadership skills, “someone with a track record of continuous improvement and the ability to quickly identify priorities and develop actionable plans.”

“In James, we saw a leader with advanced understanding of cybersecurity through his experience in large-scale federal and healthcare operations,” Teofilo said. “He brings best practices and insights from national-level conversations about healthcare as critical infrastructure.”

From Football to Federal Cybercrime Defense

Hadley’s experience in cybersecurity spans more than 25 years. His start in the field, however, was not what you might expect.

An Arkansas native, he earned a full scholarship to play football at the University of Arkansas, but soon found he was unhappy as a college athlete, so he left when he was 20 years old to join the Army.

Almost immediately, his military service took him overseas, first to Mannheim, Germany, and later to posts in Bahrain and Qatar. In each place, he served as a satellite communications specialist.

Hadley spent a total of 14 years abroad. After returning to the United States, he continued to work in satellite communications for the U.S. Department of Defense (DOD) but said he found himself feeling restless for a new challenge and intrigued by reports about data hacks affecting large retailers and other companies. He met with a career counselor and decided to pursue a bachelor’s degree and later a master’s degree in cybersecurity through Bellevue University in Nebraska. Hadley also earned Certified Information Systems Security Professional (CISSP) certification from the International Information Security Certification Consortium (ISC2), a distinction that validated his expertise in the design, implementation, and management of digital security programs.

His military experience coupled with his cybersecurity credentials earned him a position with the Marine Forces Cyber Command, a component of the U.S. Cyber Command, which oversees planning and operations to defend and advance U.S. national interests in cyberspace.

He thrived in the position, becoming known as “the guy wearing suspenders who always speaks up in meetings,” but with time, Hadley said he again craved a challenge. He wanted to be less of a project manager and more hands-on in applying his technical skills, so he became a contractor working in the Army’s security operations center. “I took off my suspenders and my suit, and I put on jeans and a Thundercats t-shirt,” he said. “For the next two years, I sat at a desk with four monitors and worked as a security operations center (SOC) engineer.”

It wasn’t long before authorities decided to merge the Army operation with the Marine Forces Cyber Command, and “the guy with the suspenders” was offered the opportunity to run the military’s entire cybersecurity operations. Hadley was given the authority and the budget to hire up to 60 employees.

He and his team played a critical role in the nation’s defense, on occasion conducting offensive cyberoperations against nation-state actors. Hadley’s responsibility was to ensure that those enemies didn’t figure out who was attacking them and strike back. “I’m on the keyboard. I’m looking at logs, making sure our assets aren’t compromised,” he said. “Stress for someone else is adrenaline for me. It’s all about the challenge.”

That enduring quest to challenge himself propelled Hadley to his next role as a director at the DOD Cyber Crime Center, which serves as the operational focal point for the defense industrial base (DIB) cybersecurity program, providing services such as digital forensic examinations and technical solutions development to defense contractors. He said he made the move because he felt a need to hone his management skills and grow as a leader.

While there, Hadley said he saw clearly the value a leader can bring to an organization by nurturing those reporting to him—supporting them and assuring them that whatever the problem, “they’ll figure it out.”

“It may seem overly simplistic, but really, all you have to do is share a vision and let members of your team take ownership, and good things happen,” he said.

His success in the position earned him the CISO role at the U.S. Department of Health and Human Services (HHS) Administration for Strategic Preparedness and Response (ASPR), signaling that he had reached a pinnacle in his federal career.

At HHS, he gained an understanding and an appreciation for security challenges facing healthcare. Plus, “I had started seeing things more from a program perspective, not just, ‘How do we solve a small problem?’ but, ‘How do all of the pieces of the puzzle connect?’” Hadley said. “I fell in love with the CISO role and the challenge of putting a program and a team together and watching them grow.”

Federal CISO Skills Applied in Private Industry

It is from the HHS position that he became ARUP’s CISO after cuts by the Department of Government Efficiency in the early months of the current Trump Administration unraveled his HHS department.

The opportunity to apply both technical expertise and leadership skills to continue to make a difference in healthcare intrigued Hadley as he set about understanding not just ARUP’s technical landscape, but also its core business functions and culture.

Hadley aims to reduce and manage risk using what he calls a “defense-in-depth approach” that pursues security measures that are layered and comprehensive. The strategy involves a combination of technical controls, administrative policies, and—most importantly—people, he said. “In order to manage risk, the concept of security must be relatable and urgent for all employees.”

He believes in telling compelling stories about real-world breaches to illustrate the potential impact on ARUP. Rather than relying on technical jargon, he communicates risk in terms of business continuity and reputation, knowing that his fellow employees care deeply about protecting ARUP’s operations and its clients’ information.

In addition to a focus on the importance of shared ownership of risk management, Hadley also stresses the importance of collaboration. He seeks input from teams across ARUP, encouraging them to help solve security challenges. Teofilo said he is proactive about securing resources and support from leadership, and he values transparency and trust in building a resilient security culture.

As CIO, she knows how critical it is to protect patient data and ARUP’s operations, and it’s her job to think about and prepare for worst-case scenarios.

“In hiring James, with everything he represented, what it came down to is, ‘Who would I want by my side to continue building a strong program and to tackle complex challenges?’ And that person is James,” Teofilo said.

Her hope is that ARUP, under Hadley’s leadership, can also be a resource to clients and the clinical laboratory industry. “Sharing best practices and resources helps strengthen the industry’s overall cybersecurity posture, which is vital given the critical nature of healthcare operations,” she said.

A Life Outside the Office

Joining ARUP meant leaving Maryland for Utah, where ARUP is based. Hadley said the move was perhaps harder on his wife, a neonatal intensive care unit nurse who had never spent much time in the West, than it was for him as an avowed outdoorsman ready to explore all that Utah has to offer.

From the days of his youth in Arkansas, Hadley said he has found fulfillment in spending time outside. He loves fishing and hunting, whether it be rifle or bow hunting. He said he pursues a variety of game, which he hunts only for consumption.

“The greatest reward comes not from the act of hunting itself, but from being immersed in nature and staying active outdoors,” he said. “It is a perfect balance to my professional life.”

Hadley acknowledges that he took something of “a leap of faith” in moving to Utah to become ARUP’s CISO, but he welcomes the newest challenge that he’s carved out for himself. “I’m honored and humbled to be here,” he said. “I feel blessed by the opportunity to share my vision and to learn all I can learn.”

Lisa Carricaburu, lisa.carricaburu@aruplab.com