Random Bluetooth identifiers rotate every 10-20 minutes, to help prevent tracking [1]. (Of course it's always possible to track phones with their radios on for some time and distance.)
That's irrelevant because once you're infected, you give up your daily keys[1], which allow your random ids to be correlated together.
[1] technically this is optional, but not doing so also means you're not reporting your infected status to others, which kills the point of contact tracing.
The medical facility that diagnoses you does not get your keys, if I'm understanding the system correctly. They give you a key that you give to your phone, and your phone then uploads the daily keys. Unless your phone includes identifying information with that upload, the daily keys are still anonymous at that point.
The hypothetical malicious actor would need to have (1) listened at some location where you were and captured the key you were broadcasting at the time, (2) identified you by some other means, such as face recognition, while you were at that location, and (3) infiltrated the server where your phone uploaded its daily keys so they could find out what other keys came from the same device as the one they captured and correlated with you already.
If they do all that then they could tell which other locations they were capturing key broadcasts at that you visited.
If they have not gained access to the data at the upload server, then all they get from matching your key to your real identity at one location is what other key listening location you visited before the key rotated.
They could put the face recognition systems (or whatever they are using) at their other key listening stations...but then they don't need the keys.
This seems like a lot of effort for little gain on the part of the malicious actor.
[1] technically this is optional, but not doing so also means you're not reporting your infected status to others, which kills the point of contact tracing.