Receiving Someone Else's Test Results
After being tested, I received account access, results, and personal information for someone else's COVID testing. I do not want to discourage anyone from getting tested. It is a valuable service. I hope what I provide below will help individuals navigate the testing process and protect their personal information. Furthermore, I hope Covid Check Colorado and Primary Bio (whom I've been unable to reach) use this information to improve ASAP.
Colorado Testing Services
Covid Check Colorado and Primary Bio are leading the testing efforts in Colorado. The testing locations seem to be running smoothly. However, the technology supporting these systems seems to put speed above privacy concerns. It is evident the race amongst tech companies to profit from testing by securing state contracts puts patient security at risk.
I've made attempts to reach Covid Check Colorado and Primary Bio in the past ten days. Multiple emails and phone calls have gone unanswered by both agencies. In most cases, the calls go directly to voicemail even before the first ring. I have not received confirmation that the emails were received. Nor have I received any response.
The experiences described below are what happened to me personally. Others may have different experiences. By sharing what happened, I hope to help others—especially those not technically savvy and able to navigate their way safely through the existing systems.
This report began when my wife could not access the COVID account she established for our daughter. Multiple attempts to retrieve login information failed. A reset link never arrived.
The one time we did reach support, they were able to send her a link. However, each time she attempted the reset, it failed with an invalid email message. An invalid email error is odd since it is the email support used to send her a reset link.
Attempts to re-register (using her email address) reported that the email was already in use — The same email that was invalid? She was caught in an endless loop, with no support. That forced her to create a second account.
The Testing Experience
Our daughter's school recently informed us of potential exposure to someone who tested positive for COVID. She would need to be tested and receive a negative result before she could return to school. She was nervous but bravely went. She was the first person in our family to get tested. She did great, and the onsite crew at Cherry Creek High School was top notch! Everyone there helped to ease her concerns.
My wife and I wanted to show her our support, so we decided to sign up and get tested as well. We took advantage of the drive-up service — not even having to get out of our car. When we arrived, my wife leaned out one window, and I the other. We challenged each other not to sneeze as the cotton swab sticks swirled around inside our nostrils. We felt like a Dairy Queen Blizzard. Our eyes watered, but the process was painless and straightforward.
COVID Testing is Important, But Speed Should Not Negate Privacy
After completing my test, I received a text later that evening. What I thought was a follow-up turned out to be an appointment for the following day. I clicked on the link and was surprised to see that the personal information belonged to a woman in a neighboring town. Her name, QR code, and COVID Testing ID all appeared. Nearly everything I needed to access her account.
When you register for testing, you create an account with a user name and password. However, you only need the COVID Account Code, Last name, and Date of birth to see any person's test results. Login is not required. Additionally, the code arrives in a non-encrypted URL. Something even low-level hackers could easily acquire.
This breach in security piqued my curiosity. In less than 10 seconds, the information sent to me from Primary Bio told me everything. I knew where this woman lived, her phone number, email addresses, place of employment. Additionally, I saw the all-important birthday, giving me full access to her test results.
How Did This Happen?
From my Google search, I determined that our phone numbers are identical except for one digit. The two numbers are next to each other on a keypad. It appeared to be an easy mistake. Regardless, the verification system failed to account for it.
There is no delay between forwarding this personal information and the system waiting to verify a phone number. The system should wait for verification before sending any personal information. That is an expectation that any user would assume is in place.
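An added example, not code from Covid Check Colorado or Primary Bio, of the ordering described above: a notification gate that sends an unverified number nothing but a one-time code and holds every message carrying personal information until that code is confirmed. The `VerifiedSmsGate` class, the `send_sms` callable, and the timeout and attempt limits are assumptions made for illustration.

```python
import hmac
import secrets
import time

OTP_TTL = 600      # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 5   # wrong guesses allowed before the code is discarded


class VerifiedSmsGate:
    """Holds texts that carry personal data until the number is confirmed."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms  # callable(number, body): hypothetical gateway
        self.clock = clock
        self.pending = {}         # number -> [otp, expires_at, attempts_left]
        self.verified = set()
        self.held = {}            # number -> message bodies waiting for proof

    def register(self, number):
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = [otp, self.clock() + OTP_TTL, MAX_ATTEMPTS]
        # The only text an unverified number receives: no name, no link.
        self.send_sms(number, f"Your verification code is {otp}")

    def confirm(self, number, code):
        entry = self.pending.get(number)
        if entry is None:
            return False
        otp, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del self.pending[number]      # expired or guessed too often
            return False
        if not hmac.compare_digest(otp.encode(), code.encode()):
            entry[2] -= 1
            return False
        del self.pending[number]
        self.verified.add(number)
        for body in self.held.pop(number, []):  # release what was queued
            self.send_sms(number, body)
        return True

    def notify(self, number, body):
        """Send now if the number is verified, otherwise queue. True if sent."""
        if number in self.verified:
            self.send_sms(number, body)
            return True
        self.held.setdefault(number, []).append(body)
        return False
```

With a number mistyped by one digit, the person at the wrong number sees only a code they never asked for, and the appointment text stays queued. The intended patient never receives a code, which is the signal to recheck the number entered.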
Protecting Yourself: Navigating the Systems Step by Step
As of 2/4/2021, this information is accurate. I have walked several people through this process. I provide these findings to help others—especially those who may give up out of frustration.
REGISTERING or LOGGING IN
- Log in to Covid Check Colorado
- Select GET MY TEST to Continue. You must do this, even if you previously registered. There is no login option on this page.
- On the next page, select Register Myself. Again, even if you have previously registered.
- On the third page, a login option is finally presented.
Bookmark the last page for easier access later. Once you log out, there is no login option on Primary Bio's page. Primary Bio's page only has an ADMIN Login. There are no registration or login options for individuals.
Portal access continues to fail. I've tested using Safari, Chrome, and Firefox from multiple computers. Invalid email or password errors continuously occur. If reset is successful, it rarely lasts longer than a single login attempt.
Inexplicably, not logging out seems to retain credentials. I cannot say for sure if logging out is adding to the problem. But there does seem to be some connection. Logging in from text links most often works on mobile devices.
Confirming Your Registration Before Testing is Vital
The system has a verification process for your email and phone number. Be sure you enter this information accurately and verify both before continuing. If you do not receive both confirmations, double-check your phone and email.
No matter how many times my wife requested the email confirmation, it never came through. Her work address was successful, but her YAHOO account was not. Unfortunately, my wife's first account remains inaccessible.
Password login is not required to view results — more on that in a moment. However, without access, we cannot view our daughter's account or schedule follow-ups.
Viewing Your Results
After testing you should receive a text and email with a link to your results. I provided and verified my email but never received emailed results, only a link through text. If you cannot print from your phone, you can email yourself a screenshot of the results. Also, if you can access the portal, you can see the results there.
After viewing your results on a webpage, there is no logout option. Only an option to schedule a follow-up. When selecting this option, it often fails with a confusing error: "Member already has been claimed."
If you receive this error, scroll down to find the login option. Each time I attempted to access the portal, I had to reset my password. I could use the previous password, but I've had to go through the reset process every time.
A Plea to Service Providers and State Agencies
COVID has created a profitable market. That is expected, but people are not widgets. A simple, functioning and secure system is a right that everyone impacted by this pandemic deserves. Tech companies have a responsibility to fulfill this obligation.