We have received the following from WebCollect:
Just to reassure everyone, WebCollect is NOT and was NEVER vulnerable to the “heartbleed” bug in OpenSSL, because it never used the vulnerable version of OpenSSL.
Is it recommended that you or your members change your WebCollect password? Not any more than usual. If you are using the same password for WebCollect as you were for another service which was vulnerable to Heartbleed, then your password may have been compromised with that other service. In this case it would make sense to change your WebCollect password as well.
We have put an announcement on the WebCollect home page to this effect.