I have no love for Healthcare.gov, but honestly just about every site is sending out notices that people may want to change passwords. Heck, Yahoo *made* me change my password.
Like everyone else they don't know if anything was taken. And frankly, Heatbleed is probably the least of the security issues Healthcare.gov has... I'd be way more worried about backbend systems, and then it doesn't matter what your password is.