Stephen Arthuro Solis-Reyes from London, Ontario was accused of hacking into the Canadian Revenue Agency's website last Friday by the Royal Canadian Mounted Police (RCMP).
Police say Mr Solis-Reyes then stole 900 social insurance numbers.
The Heartbleed security scare, which also struck the UK social network Mumsnet, erupted last week.
"It is believed that [Mr] Solis-Reyes was able to extract private information held by CRA by exploiting the vulnerability known as the Heartbleed bug," the RCMP said in a statement.
The RCMP, which has been investigating the breach for four days, charged Mr Solis-Reyes with "unauthorized use of a computer" and "mischief in relation to data".
He is expected to appear in court on 17 July 2014.
The Heartbleed bug was made public a week ago by Google and Codenomicon, a small Finnish security firm, which independently identified the problem.
The bug exploits a flaw in OpenSSL - a cryptographic software library used by services to keep data transmissions private.
Canada's tax agency was one of the first major organisations to cut services as a result the security flaw.
However, the action came too late.
"Regrettably, the CRA has been notified by the government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period" last week, the agency said on a message posted to its homepage on Monday.
Security experts warn that more attacks could be revealed soon, as firms and governments work to determine whether or not their systems are vulnerable.