Hillary Clinton disregarded State Department cyber-security guidelines by using a private email account and server, an internal audit found on Wednesday. Her staff twice brushed aside specific concerns that she was not following federal rules.
The inspector general's review also revealed that hacking attempts forced then-secretary of state Mrs Clinton off email at one point in 2011, though she insists the personal server she used was never breached.
Mrs Clinton and several of her senior staff declined to be interviewed for the State Department investigation.
Earlier this month, Mrs Clinton, the likely Democratic presidential nominee, stressed that she was happy to "talk to anybody, any time" about the matter and would encourage her staff to do the same.
The 78-page analysis, a copy of which was obtained by The Associated Press, said Mrs Clinton ignored clear directives. She never sought approval to conduct government business over private email, and never demonstrated the server or the BlackBerry she used while in office "met minimum information security requirements".
Twice in 2010, information management staff at the State Department raised concerns that Mrs Clinton's email practices failed to meet federal records-keeping requirements. The staff's director responded that Mrs Clinton's personal email system had been reviewed and approved by legal staff, "and that the matter was not to be discussed any further".
The audit found no evidence of a legal staff review or approval. It said any such request would have been denied by senior information officers because of security risks.
The inspector general's inquiry was prompted by revelations of Mrs Clinton's email use, a subject that has dogged her presidential campaign.
Clinton campaign spokesman Brian Fallon said in a tweet that the audit "makes clear her personal email use was not unique at State Department".
The review encompassed the email and information practices of the past five secretaries of state, finding them "slow to recognise and to manage effectively the legal requirements and cybersecurity risks associated with electronic data communications, particularly as those risks pertain to its most senior leadership".
But the failings of Mrs Clinton, who was secretary of state from 2009 to 2013, were singled out as more serious.
"By Secretary Clinton's tenure, the department's guidance was considerably more detailed and more sophisticated," the report concluded. "Secretary Clinton's cyber-security practices accordingly must be evaluated in light of these more comprehensive directives."
The State Department has released more than 52,000 pages of Mrs Clinton's work-related emails, including some that have since been classified. Clinton has withheld thousands of additional emails, saying they were personal.
Critics have questioned whether her server might have made a tempting target for hackers, especially those working with or for foreign intelligence services.
Separately from the State Department audit, the FBI has been investigating whether Mrs Clinton's use of the private email server imperiled government secrets. It has recently interviewed Mrs Clinton's top aides, including former chief of staff Cheryl Mills and deputy chief of staff Huma Abedin. Mrs Clinton is expected to be interviewed.
Mrs Clinton has acknowledged in the campaign that the homebrew email set-up in her New York home was a mistake. She said she never sent or received anything marked classified at the time, and says hackers never breached the server.
The audit said a Clinton aide had to shut down the server on January 9, 2011, because he believed "someone was trying to hack us". Later that day, he said: "We were attacked again so I shut (the server) down for a few min."
The next day, a senior official told two of Mrs Clinton's top aides not to email their boss "anything sensitive," saying she could "explain more in person".
On CBS' Face the Nation this month, Mrs Clinton said, "I've made it clear that I'm more than ready to talk to anybody, any time. And I've encouraged all of (my staff) to be very forthcoming."
The audit said three of her closest State Department aides - Ms Mills, Ms Abedin and policy chief Jake Sullivan - declined interview requests.
Hillary Clinton didn't comply with gov policies for avoiding cybersecurity risks while serving as Secretary of State https://t.co/W5fEVLP8MJ— Sky News (@SkyNews) May 25, 2016