Technical glitches and data-management challenges have dominated HIX headlines at both the state and federal level, with the latest news showing how even the most widely regarded and most vilified state-run operations now share this common thread.

The more dramatic of these two developments has actually been simmering for quite a while in Oregon, where the embattled Cover Oregon and Gov. John Kitzhaber, a Democrat who is up for re-election in November, intend to sue Oracle Corp.

The prominent technology vendor, led by the often outspoken and flamboyant billionaire Larry Ellison, was paid about $134 million to help get the website up and running. The company has countered that the lawsuit is politically motivated. Although an early adopter of the HIX concept, Oregon has infamously been unable to enroll a single resident online.

Perhaps one of the most surprising stories to emerge about public exchanges involves a recent security breach at Connecticut’s Access Health CT, which has long been lauded for its efficiency and accomplishments. The state-run HIX, whose SHOP exchange has received a key assist from bswift, immediately took steps to help nearly 400 HIX enrollees protect their personal information. Those options reportedly included credit monitoring, fraud resolution services, identity theft insurance and security freezes of credit reports.

The issue in Connecticut was one of human failure rather than an IT issue, explains Robert Booz, a health care analyst with technology consultant Gartner, who adds that the security breach was “identified relatively quickly, corrective action plans could be put in place and monitoring has been offered.”

He says it’s unusual for any exchange, let alone business, to encounter such a situation. “We don’t know how bad the problems are because there are so many manual procedures and processes that are still taking place,” according to Booz. “The exposure is higher when you have more people involved.”

The Access Health CT breach occurred when an employee for Maximus, a government contractor, left a backpack unattended outside a downtown Hartford deli. It had contained a notepad with customer information, including names, birth dates and 151 Social Security numbers, Reuters reported. It was later found by a man who then turned it over to his legislator’s office.

Meanwhile back in the Pacific Northwest, Oregon recently sought so-called civil investigative demands for information that could be used against Oracle in court. Patrick Sheehan, a former state legislator and Cover Oregon critic, has blasted state officials for devising “completely unrealistic timelines and deliverables.”

“Oregon’s situation is a classic example of an IT problem that spun out of control and is taking with it the vendor and the client,” observes Booz, who predicts a host of legal and other recriminations. “With these kinds of problems, there is always enough blame to go around.”

He describes the state’s biggest problem as lacking an effective system integrator, which proved to be beyond the reach of the organizational structure that was in place. “The IT issues are fairly clear,” Booz explains. “These things happen. Projects go off the rails. It isn’t nice and happy, but you have to recognize it, and CIOs know this. Add to that the intense politics of Obamacare, and even a minor IT glitch turns into a major policy level discussion.”

InformationWeek has noted that “Oregon stands out as the worst of the lot [of state-run public exchanges], still completely lacking a site where consumers can sign up for coverage. The state has managed to enroll over 200,000 citizens anyway, but only by processing applications on paper. The limited online service that is live today is only for insurance agents.”

Bruce Shutan is a Los Angeles freelance writer.

This story originally appeared on Health Insurance Exchange