Law firms investigate Choice Hotels after possible guest data breach

Several national plaintiff law firms announced investigations Feb. 20–21 into a data-security incident at Choice Hotels International after the franchisor detected suspicious network activity on or about Jan. 14, 2026 and later determined personal information had been accessed, according to firm filings and state notices.

Choice began mailing notification letters to affected individuals on Feb. 19, 2026, legal notices show. The materials circulated by counsel and consumer sites list exposed items including names, Social Security numbers, dates of birth and contact information. State filings cited by one law firm show at least 66 people in Maine and 67 people in New Hampshire were notified; the companies soliciting plaintiffs have described broader potential reach without publishing an overall total.

Cole & Van Note, which summarized state notices, reported that the intruder used social engineering to gain access to an internal application even though that system required multi-factor authentication. That reporting says Choice detected the activity and shut it down within an hour, and a subsequent forensic investigation confirmed on Jan. 26 that personal information had been accessed. Murphy Law Firm described the same forensic finding and characterized the incident as cybercriminals infiltrating what the firm called an "inadequately secured network" and potentially accessing files "containing the sensitive personal information of thousands of individuals."

In the two days after Choice’s notices went out, a roster of plaintiff firms including Edelson Lechtzin LLP, Murphy Law Firm, Srourian Law Firm, Shamis & Gentile P.A., Wolf Haldenstein Adler Freeman & Herz LLP and others posted alerts inviting recipients of Choice breach letters to contact them about possible class actions. Edelson’s Feb. 20 press release reiterated that "Choice Hotels learned of a data breach on or about January 14, 2026" and provided a contact for potential clients.

The mix of small state counts and broad law-firm characterizations underscores a persistent reporting gap: public materials assembled by plaintiffs’ lawyers and consumer sites show fragments of regulator notices and firm marketing language, but the supplied notices do not include a single, company-published tally of how many people or records were affected. The excerpts reviewed for this article also do not contain a direct public statement from Choice Hotels itself explaining the scope of the incident, remediation steps or any offers of credit monitoring.

Beyond legal exposure, public health and social equity concerns follow when identifiers such as Social Security numbers and dates of birth are leaked. Identity theft and medical identity fraud can disrupt insurance billing, delay access to care and place outsized burdens on people with limited financial resources to resolve disputes. Advocates say the downstream harm often concentrates on older adults, people of color and low-income households that have fewer buffers to absorb financial and administrative shocks.

Consumer-facing notices and law-firm pages urge affected people to review any mailed notice from Choice and consider enrolling in identity-protection services if offered. Plaintiffs’ releases direct readers to firm contact forms and in some cases to named attorneys; Edelson Lechtzin listed Marc Edelson and a Newtown, Pennsylvania office in its release.

Journalists and regulators will likely press Choice Hotels and the state attorneys general cited for fuller disclosure: the total number of records, which systems and franchise operations were affected, whether a named forensic firm was retained, and what remediation the company will provide. For now the incident highlights how breaches at large franchisors can ripple across customers, franchise employees and communities already vulnerable to economic and health-care disruption.