As per suggestion from Heroku tech support, the easiest way to do this is by putting the username and password into the URL, as in Basic HTTP Auth, e.g.

gem 'my_gem', :git => 'https://my_username:my_password@github.com/my_github_account/my_repo.git', :ref => 'revision_no'

This worked for us. This is still somewhat dissatisfying as we had to put a password into the Gemfile. We dealt with this by adding a new github user account and adding that account as collaborator on the gem project. Still not foolproof security, but the impact is more narrow.

Other options I read about are to set up your own gem server or to vendor the gem.

Update 5/16/2012:
Another way to get around putting the password into the Gemfile is to put the password into an environment variable; on Heroku you do this with heroku config:add VAR=value, and then in the Gemfile you’d use this variable, e.g.:

gem 'my_gem',
  :git => "https://#{ENV['var_private_gem_username']}:#{ENV['var_private_gem_password']}@github.com/my_github_account.git",
  :ref => 'rev'

This is the standard on Heroku to avoid putting passwords, API keys and any credentials into the code. For local development/test, you can set these environment variables. Or, assuming your development machine is set up for SSH access to github, you won’t need the credentials for local development (the SSH credentials will be in effect already). So you could set up some conditional logic:

private_repo_credentials = %w(var_private_gem_username var_private_gem_password).
  map { |var| ENV[var] }.compact.join(':')
private_repo_credentials << '@' unless private_repo_credentials.empty?
# private_repo_credentials will be "" if neither var is set
# private_repo_credentials will be "username:password@" if they are set
gem 'my_gem',
  :git => "https://#{private_repo_credentials}github.com/my_github_account.git",
  :ref => 'rev'

I’ve not tested this last part. Please provide feedback.