A report from the Republican majority on the House Oversight and Government Reform Committee published Wednesday blames the leadership of the Office of Personnel Management for the 2014 and 2015 data breaches at the agency.

According to the report titled, The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation, OPM did not follow basic cyber security recommendations that could have mitigated or even prevented major attacks that compromised sensitive data belonging to more than 22 million people.

“In a 2014 report, GAO found that while government agencies established security requirement and planned for assessments, the agencies reviewed (including OPM) failed to consistently oversee the execution and review of these assessments.”

The breaches were exacerbated by poor security and even poorer leadership, which could have leveraged available security tools to stop or limit the intrusions, according to the report.

Representative Elijah Cummings, the top Democrat on the oversight panel, rejected the report’s findings in a memo to other Democrats. He claimed the report had factual deficiencies and did not account for mistakes made by federal contractors.

The agency’s acting director, Beth Cobert, said in a statement that OPM disagrees with much of the report, which she said “does not fully reflect where this agency stands today.” She said the hack “provided a catalyst for accelerated change within our organization,” including hiring new cybersecurity experts and strengthening its security.

The congressional report said OPM officials misled the public about the scope of the breach and also by saying the two breaches were unrelated when, instead, “they appear to be connected and possibly coordinated.”

US intelligence officials have blamed the hack on China.

“We have literally tens of millions of Americans whose data was stolen by a nefarious overseas actor, but it was entirely preventable,” said Rep. Jason Chaffetz, a Republican and committee chairman.

The House inquiry did not go into great detail about who was responsible.