Information Systems (IS) research on health IS use has suffered from a positivity bias – largely focusing on upside gains rather than the potential dark side of usage practices. Exploring the dark side and failures in health IS use, such as shortcomings in data privacy and cybersecurity, can provide useful insights for research, practice, and policy. Through qualitative analyses of three datasets collected between 2015 and 2021, we theorize challenges to the effective use of IS and data protection in Australian health services. We propose a contextualized theory of ‘health records misuse’ with two overarching dimensions: data misfit and improper data processing. We explain sub-categories of data misfit: availability misfit, meaning misfit, and place misfit, as well as sub-categories of improper data processing: improper interaction and improper data recording and use. Our findings demonstrate how health records misuse arises from socio-technical systems, and impacts health service delivery and patient safety.