The protection of the confidentiality of outsourced data is an important problem. A critical aspect is the ability to efficiently access data that are stored in an encrypted format, without giving to the server managing access requests the ability to infer knowledge about the data content of the access executed by the clients. The approaches that have been proposed to solve this problem rely on a continuous rewriting and re-encryption of the accessed data, like the shuffle index that has recently been proposed. We here propose a different approach that uses three independent servers to manage the data structure. The use of three servers is motivated by the increased protection that derives from the use of independent servers compared to the use of a single server. The protection shows to increase in a significant way if a constraint is introduced that at every request an accessed node has to be moved to a different server. The use of three servers permits to keep the accessed data protected even when the servers collude. The protection is evaluated with a probabilistic model that estimates the loss of information that derives from the application of the technique.