Former Secretary of State Hillary Clinton did break her department's rules by setting up her own secret email server, the inspector general concluded in a report sent to Congress on Wednesday that says she failed to report hacking attempts and waved off warnings that she should switch to a more official email account.
Inspector General Steve Linick, appointed by President Obama, said he couldn't find any evidence that Mrs. Clinton received approval for her odd email arrangement, and when lower-level staffers pressed the issue, saying she was skirting open-records laws, they were ordered "never to speak of the secretary's personal email system again."
In one instance in 2011, Mrs. Clinton's tech guru thought the server was being hacked and shut it down for a few minutes. Months later, Mrs. Clinton feared yet another hack attack was underway - yet never reported the incident to the department, in another breach of department rules.
"Notification is required when a user suspects compromise of, among other things, a personally owned device containing personally identifiable information," the investigators wrote. "However, OIG found no evidence that the Secretary or her staff reported these incidents to computer security personnel or anyone else within the Department."
The report was transmitted to some members of Congress but has not been officially released. The Washington Times and other press outlets obtained a copy Wednesday.
Mrs. Clinton refused to cooperate with the probe, as did a number of her top aides from her time at the department, leaving investigators with a number of questions they weren't able to nail down.
Her predecessors as secretary of state - Madeleine K. Albright, Colin L. Powell and Condoleezza Rice - did speak with investigators.
Mr. Powell, in particular, did use personal email for government business, and his records were not properly stored by the State Department, the investigation found. Democrats seized on that information to say it proved Mrs. Clinton was not blazing a trail of illegal behavior, but rather following the lead of her predecessors.
The inspector general, however, rejected that explanation, noting that at the time email was new, policies were "very fluid" and the department wasn't aware of cybersecurity risks in the early part of the Bush administration. By the time Mrs. Clinton took office in 2009, those policies had been firmed up - and they cautioned against exactly Mrs. Clinton's practice.
"Beginning in late 2005 and continuing through 2011, the Department revised the [manual] and issued various memoranda specifically discussing the obligation to use Department systems in most circumstances and identifying the risks of not doing so. Secretary Clinton's cybersecurity practices accordingly must be evaluated in light of these more comprehensive directives," the inspector general wrote.
Mrs. Clinton's odd email arrangement was first exposed under prodding by the congressional investigation into the 2012 Benghazi terrorist attack, which happened on Mrs. Clinton's watch and cost the lives of four Americans.
In the two years since the breach, Mrs. Clinton has turned over some 30,000 messages from her server that she said constituted government business. She withheld another 30,000 that she said were purely personal.
The inspector general said returning some of the messages in December 2014 - nearly two years after she left office - "mitigated" her behavior. But investigators said there are still troubling gaps in what she produced.
One email exchange mentioned in the report, which Mrs. Clinton did not turn over in her 30,000 messages, seemed to indicate that she intended for her system to hide communications from the public.
In the 2010 exchange, top personal aide Huma Abedin suggested that it was time to look into getting an official state.gov email address because Mrs. Clinton's messages from her clintonemail.com account were landing in staffers' spam folders.
Alternatively, Ms. Abedin said, Mrs. Clinton could release her secret address to the department so she could be designated as a verified account, keeping her messages out of spam folders.
Mrs. Clinton refused, saying she didn't "want any risk of the personal being accessible." The inspector general at that point in the report notes that Mrs. Clinton refused to cooperate, and Ms. Abedin did not respond to a request to be interviewed.
Clinton campaign spokesman Brian Fallon said the report offers little new and instead confirms Mrs. Clinton's belated efforts to fulfill her duties under open-records laws.
"We think there's a lot in this report that corroborates what we've been saying all along," he told MSNBC.
He said Mrs. Clinton and her aides refused to cooperate because they were instead focusing on defending themselves in other probes - particularly the FBI's investigation into whether Mrs. Clinton compromised secret information.
Mr. Fallon also denied that Mrs. Clinton or her top aides were involved in the decision to silence staffers who questioned her email arrangement.
"We're not familiar with that. There were certainly no instructions given that this should be kept secret," he said.
Mr. Fallon said that despite hacking attempts, there was no evidence her server was compromised.
The report lays out many of the details of Mrs. Clinton's server. The domain name clintonemail.com was registered on Jan. 13, while she was still serving in the Senate and before she was confirmed to be secretary on Jan. 21.
State Department staffers were repeatedly asked to help solve problems with Mrs. Clinton's server and her devices, such as her BlackBerry - particularly while trying to communicate between her secret address and the state.gov accounts used by most of her subordinates.
But the inspector general was unable to find anyone who gave the final approval for Mrs. Clinton to use the odd arrangement. The department's legal office said it was not asked to review or approve the setup and was unaware of anyone else approving it - though some of them did email Mrs. Clinton on her secret account.
None of the messages Mrs. Clinton returned to the department was marked classified at the time, though some 2,000 messages have since been redacted in whole or in part because of information now deemed too secret to be seen publicly.
Mrs. Clinton did, however, send emails with "sensitive but unclassified" information over her secret server, again breaching department rules put into place in 2008 - the year before she took office - that said such an arrangement required prior approval from the Office of Information Resources Management.
"OIG found no evidence that Secretary Clinton ever contacted IRM to request such a solution, despite the fact that emails exchanged on her personal account regularly contained information marked as SBU," the investigators said.