San Francisco-based Dignity Health, a not-for-profit hospital company with locations in California, Nevada and Arizona, suffered three data breaches in quick succession over a six-week timespan this spring. One involved the physician rating and scheduling company Healthgrades Operating Company, Inc., and affected nearly 56,000 patients.

The second breach involved more than 6,000 records exposed in Nevada by a third-party contractor that previously had been a business associate (BA), but the BA agreement had been allowed to expire due to a clerical error, according to Dignity Health. The third breach occurred when an employee in Arizona accessed protected health information (PHI) for 229 patients without a valid reason, the company says.

In the Healthgrades breach, 55,947 patients were sent an email describing a new online appointment scheduling tool.

According to the joint statement issued by Dignity Health and Healthgrades:

On April 24th, 2018, Dignity Health, including its affiliates Dignity Health Medical Group Nevada, LLC, and Dignity Health Medical Foundation, discovered that an email list formatted by Healthgrades, one of its BAs, contained a sorting error. This error resulted in Dignity Health inadvertently sending misaddressed emails to a group of patients, informing them of a new online appointment scheduling tool. Immediately upon learning of the incident on April 25th, Dignity Health and Healthgrades launched a comprehensive investigation.

The two companies took steps to notify the affected patients and “are putting appropriate steps in place so that it will not happen again,” the statement says. “Each misdirected email was sent to only one person. The emails contained the wrong patient’s name and, in some cases, his or her physician’s name. No other information was included in the email. Importantly, there was no financial, insurance, or medical information included.”